Sun Java Communications Suite 5 Schema Reference

Attributes

This section describes the following Access Manager attributes:

associatedDomain

Origin

LDAP Schema 2

Syntax

dn, multi-valued

Object Classes

inetDomain, sunManagedOrganization

Definition

Specifies the DNS domain name aliases used to look up an organization entry.

Used when a domain subtree is referenced by domain names in addition to the one specified in the sunPreferredDomain attribute.

Example

associatedDomain:qa.sesta.com

associatedDomain:eng.sesta.com

OID

Unassigned

inetGroupStatus

Origin

Access Manager

Syntax

cis, single-valued

Object Classes

iplanet-am-managed-group

Definition

This is the global status for a group; it overrides the status found in inetMailGroupStatus. It holds the current status of the group for all services: active, inactive, or deleted. It is used by Access Manager to manage groups. A group's status can be changed using the commcli interface, or by directly editing the group's LDAP entry.

The following table lists the attribute's values and their meanings:

Table 4–1 Status Attribute Values

Value      Description
active     The group is active and its users may use the services enabled by the overlay of service-specific object classes, subject to the service state indicated by that service's own status attribute.
inactive   The group is inactive. Its users may not use any service granted by service-specific object classes. This state overrides any individual service status set using the service's status attributes.
deleted    The group is marked as deleted. It may remain in this state in the directory for some time (pending purging of deleted groups). Service requests for any group marked as deleted return permanent failures.

A missing value implies the status is active. An illegal value is treated as inactive.
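The override and defaulting rules above are easy to get wrong in a provisioning or service-side check (in particular, the "illegal value means inactive" rule, which is the fail-closed one). The following is an added example, not code from the Schema Reference or from Access Manager; it encodes those rules for the mail service. The group entries are constructed sample data shaped like python-ldap results, and the assumption that inetMailGroupStatus takes the same three values is ours.

```python
"""Effective group status from inetGroupStatus / inetMailGroupStatus.

Added example; not code from the Schema Reference or from Access Manager.
Rules encoded: inetGroupStatus is global and overrides the mail-specific
inetMailGroupStatus; a missing value means active; an illegal value is
treated as inactive; a deleted group answers every service request with a
permanent failure. Entries are constructed sample dicts, not a directory.
"""
from typing import Dict, List, Optional, Sequence, Tuple

LEGAL_STATUS = {"active", "inactive", "deleted"}

Entry = Dict[str, List[str]]


def normalise_status(values: Optional[Sequence[str]]) -> str:
    """Apply the attribute rules: absent -> active, illegal -> inactive."""
    if not values:
        return "active"
    value = values[0].strip().lower()
    return value if value in LEGAL_STATUS else "inactive"


def effective_mail_status(entry: Entry) -> str:
    """Status the mail service should honour for a group.

    The global inetGroupStatus wins whenever it is inactive or deleted; only
    when it is active does the service-specific inetMailGroupStatus decide.
    (Assumption: inetMailGroupStatus uses the same three values.)
    """
    global_status = normalise_status(entry.get("inetGroupStatus"))
    if global_status != "active":
        return global_status
    return normalise_status(entry.get("inetMailGroupStatus"))


def mail_service_decision(entry: Entry) -> Tuple[bool, str]:
    """Map the effective status to an (allowed, reason) pair.

    'deleted' is a permanent failure (the entry may linger awaiting purge),
    'inactive' a denial, 'active' an allow.
    """
    status = effective_mail_status(entry)
    if status == "deleted":
        return False, "permanent failure: group marked deleted"
    if status == "inactive":
        return False, "group inactive"
    return True, "group active"


# Constructed sample entries keyed by DN.
SAMPLE_GROUPS: Dict[str, Entry] = {
    # Global active, mail inactive: the service-specific status applies.
    "cn=sales,ou=Groups,o=sesta.com": {
        "inetGroupStatus": ["active"],
        "inetMailGroupStatus": ["inactive"],
    },
    # Global inactive overrides the active mail status.
    "cn=eng,ou=Groups,o=sesta.com": {
        "inetGroupStatus": ["inactive"],
        "inetMailGroupStatus": ["active"],
    },
    # No global status at all: treated as active.
    "cn=qa,ou=Groups,o=sesta.com": {
        "inetMailGroupStatus": ["active"],
    },
    # Misspelt global status: treated as inactive, not active.
    "cn=ops,ou=Groups,o=sesta.com": {
        "inetGroupStatus": ["Actve"],
    },
    # Marked deleted, awaiting purge.
    "cn=old,ou=Groups,o=sesta.com": {
        "inetGroupStatus": ["deleted"],
        "inetMailGroupStatus": ["active"],
    },
}


def audit(groups: Dict[str, Entry]) -> Dict[str, Tuple[bool, str]]:
    """Run the decision over every group, e.g. over a parsed LDIF export."""
    return {dn: mail_service_decision(entry) for dn, entry in groups.items()}


if __name__ == "__main__":
    for dn, (allowed, reason) in audit(SAMPLE_GROUPS).items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {dn}: {reason}")
```

Run it directly to see the decision for each sample group; the "ops" entry shows why the illegal-value rule matters, since a typo in a status value silently disables the group rather than leaving it open.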

Example

inetGroupStatus: active

OID

1.3.6.1.4.1.42.2.27.9.1.588

iplanet-am-group-subscribable

Origin

Access Manager

Syntax

boolean, single-valued

Object Classes

iplanet-am-managed-group

Definition

Specifies if users can subscribe to the group. Boolean value: true, false. Default setting is true.

If the value is true, the group can be seen, searched for and subscribed to by end users. If the value is false, the group can be seen and searched for but can not be subscribed to by end users.

Filtered groups can not be subscribed to; this attribute is ignored if found on a filtered group.

Example

iplanet-am-group-subscribable: true

OID

2.16.840.1.113730.3.1.1085

iplanet-am-modifiable-by

Origin

Access Manager

Syntax

dn, multi-valued

Object Classes

iplanet-am-managed-person

Definition

This attribute lists the role DN of the administrator role whose members have rights to modify this user entry. By default, the value is set to the role DN of the administrator who created the account.

Example

For native mode (with domain nodes on the organization tree):

iplanet-am-modifiable-by: cn=Top-level Admin Role, o=sesta.com

For compatibility mode (with domain nodes on the DC Tree):

iplanet-am-modifiable-by: cn=Top-level Admin Role, dc=sesta, dc=com

OID

2.16.840.1.113730.3.1.1094

iplanet-am-role-aci-description

Origin

Access Manager

Syntax

string, multi-valued

Object Classes

iplanet-am-managed-person

Definition

Description of the ACI that belongs to this role.

Example

No example given.

OID

2.16.840.1.113730.3.1.1081

iplanet-am-role-aci-list

Origin

Access Manager

Syntax

string, multi-valued

Object Classes

iplanet-am-managed-role

Definition

The set of ACIs associated with this role. Each value is a DN:ACI pair, that is, the DN of the entry that carries the ACI, followed by the ACI itself. When a role is deleted, this attribute allows the ACIs associated with it to be located and cleaned up properly.

Example

For native mode (with domain nodes on the organization tree):

iplanet-am-role-aci-list: o=sesta.com,
   o=basedn:aci: 
   (target="ldap:///o=sesta.com,o=basedn")
   (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,o=sesta.com,o=basedn)
   (nsroledn=cn=Top-level Help Desk Admin Role,o=sesta.com,o=basedn))))
   (targetattr != "nsroledn")
   (version 3.0; acl "Organization Admin access allow";
    allow (all) roledn = "ldap:///cn=myrole,o=sesta.com,o=basedn";)

For compatibility mode (with domain nodes on a DC Tree):

iplanet-am-role-aci-list: dc=sesta,dc=com:aci: 
   (target="ldap:///dc=sesta,dc=com")
   (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=sesta,dc=com)
   (nsroledn=cn=Top-level Help Desk Admin Role,dc=sesta,dc=com))))
   (targetattr != "nsroledn")
   (version 3.0; acl "Organization Admin access allow"; 
    allow (all) roledn = "ldap:///cn=myrole,dc=sesta,dc=com";)
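The cleanup step the definition describes (find each DN:ACI pair and remove the ACI from the target entry when the role is deleted) is shown below as an added example; it is not the Access Manager role-deletion code. The DN is everything before the first ":aci:" marker and the ACI text everything after it. The check that the ACI's bind rule actually names the role being removed is our addition, so a stale or mis-copied value cannot strip access from another role. The sample value is the native-mode example above joined onto one line.

```python
"""Locate and remove the ACIs recorded in iplanet-am-role-aci-list.

Added example; not Access Manager code. Turns DN:ACI pairs into LDIF
modify/delete operations against the target entries, emitting a delete
only when the ACI's roledn bind rule names the role being removed.
"""
import re
from typing import List, Tuple

# Bind rule of the form: roledn = "ldap:///cn=myrole,o=sesta.com,o=basedn"
ROLEDN_RULE = re.compile(r'roledn\s*=\s*"ldap:///([^"]+)"', re.IGNORECASE)


def normalise_dn(dn: str) -> str:
    """Cheap DN comparison: case-fold and drop blanks around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_aci_list(values: List[str]) -> List[Tuple[str, str]]:
    """Split each 'DN:aci: <aci>' value into (entry DN, ACI text)."""
    pairs = []
    for raw in values:
        flat = " ".join(raw.split())       # undo printed line continuations
        if ":aci:" not in flat:
            raise ValueError(f"not a DN:ACI pair: {raw!r}")
        entry_dn, aci = flat.split(":aci:", 1)
        pairs.append((entry_dn.strip(), aci.strip()))
    return pairs


def aci_grants_to_role(aci: str, role_dn: str) -> bool:
    """True when the ACI's bind rule is roledn = "ldap:///<this role>"."""
    match = ROLEDN_RULE.search(aci)
    return bool(match) and normalise_dn(match.group(1)) == normalise_dn(role_dn)


def role_cleanup_ldif(role_dn: str, aci_list_values: List[str]) -> str:
    """LDIF that deletes, from each target entry, the ACI tied to role_dn.

    ACIs whose bind rule names a different role are skipped, not deleted.
    """
    out: List[str] = []
    for entry_dn, aci in parse_aci_list(aci_list_values):
        if not aci_grants_to_role(aci, role_dn):
            continue
        out += [f"dn: {entry_dn}", "changetype: modify",
                "delete: aci", f"aci: {aci}", "-", ""]
    return "\n".join(out)


# Constructed sample: the page's native-mode value, on one line.
SAMPLE_ACI_LIST = [
    'o=sesta.com,o=basedn:aci: (target="ldap:///o=sesta.com,o=basedn")'
    '(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,o=sesta.com,o=basedn)'
    '(nsroledn=cn=Top-level Help Desk Admin Role,o=sesta.com,o=basedn))))'
    '(targetattr != "nsroledn")'
    '(version 3.0; acl "Organization Admin access allow";'
    ' allow (all) roledn = "ldap:///cn=myrole,o=sesta.com,o=basedn";)'
]
MYROLE_DN = "cn=myrole,o=sesta.com,o=basedn"

if __name__ == "__main__":
    print(role_cleanup_ldif(MYROLE_DN, SAMPLE_ACI_LIST))
```

The generated LDIF can be fed to ldapmodify; because the delete names the exact ACI value, the directory refuses the change (no such value) rather than removing a different ACI if the stored value has drifted from what the role entry recorded.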

OID

2.16.840.1.113730.3.1.1082

iplanet-am-role-any-options

Origin

Access Manager

Syntax

string, multi-valued

Object Classes

iplanet-am-managed-role

Definition

Not currently used.

Example

No example given.

OID

2.16.840.1.113730.3.1.1084

iplanet-am-role-description

Origin

Access Manager

Syntax

cis, multi-valued

Object Classes

iplanet-am-managed-role

Definition

An optional description of the role being defined.

Example

iplanet-am-role-description: Top Level Admin Role

OID

2.16.840.1.113730.3.1.1080

iplanet-am-role-managed-container-dn

Origin

Access Manager

Syntax

dn, multi-valued

Object Classes

iplanet-am-managed-role

Definition

Defines the container this role resides in.

Example

For example, if the role being defined administers the domain organization east:

iplanet-am-role-managed-container-dn: ou=east,o=sesta.com,o=basedn

OID

2.16.840.1.113730.3.1.977

iplanet-am-role-service-options

Origin

Access Manager

Syntax

string, multi-valued

Object Classes

iplanet-am-managed-role

Definition

Not currently used.

Example

No example given.

OID

2.16.840.1.113730.3.1.1083

iplanet-am-role-type

Origin

Access Manager

Syntax

string, multi-valued

Object Classes

iplanet-am-managed-role

Definition

Defines the type of role. There are three values, corresponding to the following role names:

Role Names
Top Level Administration Role
General Administration Role
User Role

Even though this attribute is defined as a multi-valued string, it is implemented in Messaging Server as if it were a single-valued integer.

Example

iplanet-am-role-type: 1

OID

2.16.840.1.113730.3.1.1079

iplanet-am-service-status

This attribute is aliased to sunRegisteredServiceName. Use that attribute instead.

iplanet-am-static-group-dn

Origin

Access Manager

Syntax

dn, multi-valued

Object Classes

iplanet-am-managed-group

Definition

Defines the DNs for the static groups this user belongs to.

Example

For native mode (with domain nodes on the organization tree):

iplanet-am-static-group-dn: cn=mygroup, ou=groups, o=sesta.com

For compatibility mode (with domain nodes on the DC Tree):

iplanet-am-static-group-dn: cn=mygroup, ou=groups, dc=sesta, dc=com

OID

2.16.840.1.113730.3.1.1094

iplanet-am-user-account-life

Origin

Access Manager

Syntax

date string, single-valued

Object Classes

iplanet-am-user-service

Definition

Specifies the account expiration date in the following format:

yyyy/mm/dd hh:mm:ss

where yyyy is the four-digit year (for example, 2005), the first mm is the month, dd is the day, hh is the hour, the second mm is the minutes, and ss is the seconds of the timestamp.

If this attribute is present, the authentication service will disallow login if the current date has passed the specified account expiration date.

Example

iplanet-am-user-account-life: 2040/12/31 23:59:59
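An added example (not Access Manager's authentication code) of the check the definition describes: parse the yyyy/mm/dd hh:mm:ss value and refuse login once the current time is past it. Two choices are ours rather than the Schema Reference's: the timestamp carries no zone, so it is compared against a naive clock of the same kind the server uses, and an unparseable value fails closed, which is the safer reading of an attribute whose purpose is to limit an account's life. The user entries are constructed samples.

```python
"""Account-expiry check for iplanet-am-user-account-life.

Added example, not Access Manager code. Assumptions: naive local-time
comparison (the value has no zone), and a malformed value denies login.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

ACCOUNT_LIFE_FORMAT = "%Y/%m/%d %H:%M:%S"   # yyyy/mm/dd hh:mm:ss


def parse_account_life(value: str) -> datetime:
    """Strictly parse the documented format; ValueError on anything else
    (US-style 12/31/2040, ISO 2040-12-31, a trailing zone, ...)."""
    return datetime.strptime(value.strip(), ACCOUNT_LIFE_FORMAT)


def login_allowed(entry: Dict[str, List[str]],
                  now: Optional[datetime] = None) -> Tuple[bool, str]:
    """(allowed, reason) for one user entry.

    Absent attribute -> no expiry. Present and in the past -> deny.
    Present but malformed -> deny (fail closed; our assumption).
    """
    now = now or datetime.now()
    values = entry.get("iplanet-am-user-account-life")
    if not values:
        return True, "no account expiry set"
    try:
        expiry = parse_account_life(values[0])
    except ValueError:
        return False, f"malformed account expiry {values[0]!r}; failing closed"
    if now > expiry:
        return False, f"account expired at {expiry.strftime(ACCOUNT_LIFE_FORMAT)}"
    return True, f"account valid until {expiry.strftime(ACCOUNT_LIFE_FORMAT)}"


def login_allowed_on(entry: Dict[str, List[str]], when: str) -> Tuple[bool, str]:
    """Same check with the clock supplied as a yyyy/mm/dd hh:mm:ss string."""
    return login_allowed(entry, parse_account_life(when))


# Constructed sample entries.
SAMPLE_USERS: Dict[str, Dict[str, List[str]]] = {
    "uid=jdoe,ou=People,o=sesta.com": {
        "iplanet-am-user-account-life": ["2040/12/31 23:59:59"],
    },
    "uid=contractor,ou=People,o=sesta.com": {
        "iplanet-am-user-account-life": ["2006/06/30 17:00:00"],
    },
    # Wrong field order: would parse as a date in some lenient parsers.
    "uid=typo,ou=People,o=sesta.com": {
        "iplanet-am-user-account-life": ["12/31/2040 23:59:59"],
    },
    "uid=perm,ou=People,o=sesta.com": {},
}

if __name__ == "__main__":
    for dn, entry in SAMPLE_USERS.items():
        print(dn, login_allowed_on(entry, "2025/01/01 00:00:00"))
```

Note that the comparison is strict: login at the exact expiry instant is still allowed, since the definition denies only once the current date has passed the expiry.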

OID

2.16.840.1.113730.3.1.976

iplanet-am-user-admin-start-dn

Origin

Access Manager

Syntax

dn, single-valued

Object Classes

iplanet-am-user-service

Definition

Specifies the node (DN) displayed as the starting point in the initial view of the Identity Server (IS) Console, now the Access Manager console, when this administrator logs in.

Example

iplanet-am-user-admin-start-dn:
   ou=people,o=sesta.com,o=basedn

OID

2.16.840.1.113730.3.1.1072

iplanet-am-user-alias-list

Origin

Access Manager

Syntax

string, multi-valued

Object Classes

iplanet-am-user-service

Definition

Defines a list of aliases for the user.

Example

User jdoe could have an alias of jd, johnd, or jd123456.

iplanet-am-user-alias-list: jd
iplanet-am-user-alias-list: johnd
iplanet-am-user-alias-list: jd123456

OID

1.3.6.1.4.1.42.2.27.9.1.59

iplanet-am-user-auth-config

Origin

Access Manager

Syntax

string, single-valued

Object Classes

iplanet-am-user-service

Definition

Specifies the user authentication configuration method in an XML string. There is no default value.

Example

<AttributeValuePair><Value>
   com.sun.identity.authentication.modules.ldap.LDAP REQUIRED
</Value></AttributeValuePair>

OID

1.3.6.1.4.1.42.2.27.9.1.58

iplanet-am-user-auth-modules

Origin

Access Manager

Syntax

string, multi-valued

Object Classes

iplanet-am-user-service

Definition

Not currently used.

Example

No example given.

OID

2.16.840.1.113730.3.1.1071

iplanet-am-user-failure-url

Origin

Access Manager

Syntax

string, single-valued

Object Classes

iplanet-am-user-service

Definition

Defines the routing taken (URL user is redirected to) if the login fails. Any valid URL can be used.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.71

iplanet-am-user-federation-info

Origin

Access Manager

Syntax

string, single-valued

Object Classes

iplanet-am-user-service

Definition

For Access Manager internal use only. Do not use.

Specifies the user account’s Federation specific information. This is managed internally by Access Manager’s Federation Management module to store user account’s Federation related information, and should not be modified outside of that module.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.74

iplanet-am-user-federation-info-key

Origin

Access Manager

Syntax

string, single-valued

Object Classes

iplanet-am-user-service

Definition

For Access Manager internal use only. Do not use.

Specifies the user account’s Federation information key. This is managed internally by Access Manager’s Federation Management module to store the user account’s Federation information key, and should not be modified outside of that module.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.73

iplanet-am-user-login-status

Origin

Access Manager

Syntax

string, single-valued

Object Classes

iplanet-am-user-service

Definition

Specifies the user's login status. It takes one of two values.

Example

No example given.

OID

2.16.840.1.113730.3.1.1074

iplanet-am-user-password-reset-force-reset

Origin

Access Manager

Syntax

boolean, single-valued

Object Classes

iplanet-am-user-service

Definition

Not currently used.

Specifies whether password will be forced to be reset. Values: true, false. Defaults to false.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.591

iplanet-am-user-password-reset-options

Origin

Access Manager

Syntax

string, single-valued

Object Classes

iplanet-am-user-service

Definition

Used internally by Access Manager’s password reset module. Do not use. Any values assigned to this attribute will be ignored.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.589

iplanet-am-user-password-reset-passwordChanged

Origin

Access Manager

Syntax

string, single-valued

Object Classes

iplanet-am-user-service

Definition

Not used.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.592

iplanet-am-user-password-reset-question-answer

Origin

Access Manager

Syntax

string, single-valued

Object Classes

iplanet-am-user-service

Definition

Password question and answer used to prompt a user who has forgotten their password. The value is the question text followed by the answer, separated by a space.

Example

iplanet-am-user-password-reset-question-answer:
 favorite restaurant Outback

OID

1.3.6.1.4.1.42.2.27.9.1.590

iplanet-am-user-service-status

Origin

Access Manager

Syntax

dn, single-valued

Object Classes

iplanet-am-user-service

Definition

Specifies the status of the user for various services.

Example

No example given.

OID

2.16.840.1.113730.3.1.1073

iplanet-am-user-success-url

Origin

Access Manager

Syntax

string, single-valued

Object Classes

iplanet-am-user-service

Definition

Defines the routing taken (the URL the user is redirected to) if the login succeeds. Any valid URL can be used.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.71

preferredLocale

Origin

Directory Server

Syntax

cis, single-valued

Object Classes

iPlanetPreferences

Definition

Used by Access Manager to store user preference for locale. The values accepted by this attribute are described in the Sun Java System Access Manager Administration Guide, chapter 18. Some additional information on locales is located in the Sun Java System Directory Server Reference Manual.

Example

preferredLocale:en-US

OID

2.16.840.1.113730.3.1.39

preferredTimeZone

Origin

Directory Server

Syntax

cis, single-valued

Object Classes

iPlanetPreferences

Definition

Used by Access Manager to store user preference for time zone. Supported time zone names can be found in the appendix under Standard Time Zones.

Example

preferredTimeZone: America/Los_Angeles

OID

Unassigned

sunAdditionalTemplates

Origin

Messaging Server 6.0, Calendar Server 6.0

Syntax

cis, multi-valued

Object Classes

inetDomain, sunManagedOrganization

Definition

Specifies relative DN (RDN) sequences, that is, DNs relative to the organization entry. Values identify entries in the configuration templates part of the ou=services tree below this organization. These are additional templates beyond those specified in the global configuration templates, used to specify operations private to an organization.

This attribute must appear in the top entry for this organization.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.76

sunKeyValue

Origin

Messaging Server 6.0, Calendar Server 6.0

Syntax

cis, multi-valued

Object Classes

sunServiceComponent

Definition

Each value is a "key=value" pair, where the key is the name of the XML element. The following table lists the keys for search templates.

Table 4–2 Search Template Keys

Key          Description
attrs        Attribute to retrieve from the LDAP entry.
rfc2247Flag  Boolean (true, false) that tells applications to use the RFC 2247 algorithm for constructing the DN of the LDAP entry, instead of performing an LDAP search using the filter specified in the inetDomainSearchFilter attribute.
baseDN       If rfc2247Flag is set to true, and if this key is present, then its value must be appended to the algorithmically constructed DN to get the DN of the target entry.

For more information on templates and the native and compatibility mode LDAP data models, see Chapter 1, Overview.

Example

The following sunKeyValue attributes appear in the default search template for the native mode LDAP data model:

sunKeyValue: attrs=objectclass
sunKeyValue: attrs=ou
sunKeyValue: attrs=inetDomainStatus

The following sunKeyValue attributes appear in the default search template for compatibility mode (uses the RFC 2247 algorithm for constructing the search DN):

sunKeyValue: attrs=objectclass
sunKeyValue: attrs=ou
sunKeyValue: attrs=inetDomainStatus
sunKeyValue: rfc2247=true
sunKeyValue: baseDN=o=internet
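How an application consumes such a template is shown below as an added example; it is not Messaging Server or Calendar Server code. It parses the sunKeyValue pairs, then either builds the entry DN with the RFC 2247 algorithm (each DNS label becomes a dc= RDN, most specific first, with baseDN appended) when the flag is true, or falls back to a search. The page writes the flag as rfc2247Flag in the table and rfc2247 in the example, so both spellings are accepted. The inetDomainSearchFilter value is not shown on the page; the "(associatedDomain=...)" filter used by the fallback is our assumption, and the domain is validated before it is placed in a DN or filter.

```python
"""Resolve a domain to its organization entry using a search template.

Added example; not Messaging Server or Calendar Server code. Assumptions:
both rfc2247Flag and rfc2247 spell the flag; the fallback search filter
(associatedDomain=...) stands in for the unseen inetDomainSearchFilter.
"""
import re
from typing import Dict, List, Tuple

Template = Dict[str, List[str]]

# Plain DNS name: non-empty labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")


def check_domain(domain: str) -> str:
    """Canonicalise and reject anything that is not a plain DNS name, so
    the value can neither break the DN nor inject filter metacharacters."""
    name = domain.strip().rstrip(".").lower()
    if not name or not DOMAIN_RE.fullmatch(name):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return name


def parse_sun_key_values(values: List[str]) -> Template:
    """'key=value' -> {key: [values]}. Split on the first '=' only, since
    values such as baseDN=o=internet contain '=' themselves."""
    template: Template = {}
    for raw in values:
        key, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"sunKeyValue without '=': {raw!r}")
        template.setdefault(key.strip(), []).append(value.strip())
    return template


def rfc2247_dn(domain: str) -> str:
    """RFC 2247 mapping: 'qa.sesta.com' -> 'dc=qa,dc=sesta,dc=com'."""
    return ",".join(f"dc={label}" for label in check_domain(domain).split("."))


def uses_rfc2247(template: Template) -> bool:
    flag = template.get("rfc2247Flag") or template.get("rfc2247") or ["false"]
    return flag[0].strip().lower() == "true"


def resolve_domain(template: Template, domain: str,
                   search_filter: str = "(associatedDomain={domain})"
                   ) -> Tuple[str, str, List[str]]:
    """('read', dn, attrs) for an RFC 2247 lookup, or ('search', filter,
    attrs) when the application must search for the entry instead."""
    name = check_domain(domain)
    attrs = template.get("attrs", [])
    if uses_rfc2247(template):
        dn = rfc2247_dn(name)
        base = template.get("baseDN")
        if base:
            dn = f"{dn},{base[0]}"        # baseDN is appended, per Table 4-2
        return "read", dn, attrs
    return "search", search_filter.format(domain=name), attrs


# Constructed from the page's two default search templates.
NATIVE_TEMPLATE = ["attrs=objectclass", "attrs=ou", "attrs=inetDomainStatus"]
COMPAT_TEMPLATE = ["attrs=objectclass", "attrs=ou", "attrs=inetDomainStatus",
                   "rfc2247=true", "baseDN=o=internet"]

if __name__ == "__main__":
    for name, values in (("native", NATIVE_TEMPLATE), ("compat", COMPAT_TEMPLATE)):
        print(name, resolve_domain(parse_sun_key_values(values), "qa.sesta.com"))
```

For the compatibility template the result is a base-scope read of dc=qa,dc=sesta,dc=com,o=internet; for the native template it is a subtree search with the filter, which is why native mode needs the uniqueness rules given under sunPreferredDomain.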

OID

1.3.6.1.4.1.42.2.27.9.1.83

sunNameSpaceUniqueAttrs

Origin

Messaging Server 6.0, Calendar Server 6.0

Syntax

cis, multi-valued

Object Classes

sunNameSpace

Definition

Stores the name of an attribute required to be unique across all entries in the subtree.

This attribute allows namespace uniqueness to be enforced. For further explanation of namespaces, see the Sun Java Enterprise System Installation Guide and the object class description for sunNameSpace.

Example

sunNameSpaceUniqueAttrs:uid
sunNameSpaceUniqueAttrs:c

OID

1.3.6.1.4.1.42.2.27.9.1.85

sunOrganizationAlias

Origin

Access Manager

Syntax

cis, single-valued

Object Classes

userPresenceProfile

Definition

Access Manager uses this attribute for authentication. It holds the fully qualified host name for the server the user is logging into.

The format is: server.domain.

Example

sunOrganizationAlias: seaside.siroe.com

OID

Unassigned

sunOverrideTemplates

Origin

Messaging Server 6.0, Calendar Server 6.0

Syntax

cis, multi-valued

Object Classes

inetDomain, sunManagedOrganization

Definition

Specifies relative DN (RDN) sequences, that is, DNs relative to the organization entry. Values identify entries in the configuration templates part of the ou=services tree below this organization. These templates override the global configuration templates for searches and other operations within this organization.

This attribute must appear in the top entry for this organization.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.77

sunPreferredDomain

Origin

Messaging Server 6.0, Calendar Server 6.0

Syntax

cis, single-valued

Object Classes

iplanet-am-managed-org-unit, sunManagedOrganization

Definition

Specifies the DNS domain name used to look up an organization entry when a unique matching organization is required.

When a value for this is available, provisioners should set it so as to enable applications to look up organizations using a domain name.

The domain name value of this attribute must be unique across all organizations in the directory, including the domains named in associatedDomain.

This attribute is for use with Schema 2 native mode LDAP directories only; it must not be used in DC Tree nodes.

Example

sunPreferredDomain:sesta.com
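The uniqueness rule stated in this definition and in associatedDomain (a domain name may be owned by only one organization, counting both attributes) is what makes a domain-based lookup unambiguous in native mode. The following added example, not Messaging Server or Access Manager code, builds the domain-to-organization index an application would use and refuses to build it when two organizations claim the same name. The organization entries are constructed samples; the base DN o=basedn follows the page's other examples.

```python
"""Domain -> organization index enforcing the uniqueness rule.

Added example; not Messaging Server or Access Manager code. Index covers
sunPreferredDomain and every associatedDomain alias; DNS names compare
case-insensitively and a trailing dot is ignored.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]


def canonical_domain(name: str) -> str:
    """DNS names are case-insensitive; ignore a trailing dot as well."""
    return name.strip().rstrip(".").lower()


def build_domain_index(orgs: Dict[str, Entry]) -> Dict[str, str]:
    """Map every preferred and associated domain to its organization DN.

    Raises ValueError on the first domain owned by two organizations, or on
    an organization carrying more than one sunPreferredDomain (it is
    single-valued).
    """
    index: Dict[str, str] = {}
    for org_dn, attrs in orgs.items():
        preferred = attrs.get("sunPreferredDomain", [])
        if len(preferred) > 1:
            raise ValueError(f"{org_dn}: sunPreferredDomain is single-valued, got {preferred}")
        for name in preferred + attrs.get("associatedDomain", []):
            key = canonical_domain(name)
            owner = index.get(key)
            if owner is not None and owner != org_dn:
                raise ValueError(f"domain {key} claimed by both {owner} and {org_dn}")
            index[key] = org_dn
    return index


def find_organization(index: Dict[str, str], domain: str) -> Optional[str]:
    """Organization DN for a domain name, or None if nobody owns it."""
    return index.get(canonical_domain(domain))


def has_conflict(orgs: Dict[str, Entry]) -> bool:
    """True when the organizations violate the uniqueness rule."""
    try:
        build_domain_index(orgs)
    except ValueError:
        return True
    return False


# Constructed sample organizations (native mode, o=basedn as root).
SAMPLE_ORGS: Dict[str, Entry] = {
    "o=sesta.com,o=basedn": {
        "sunPreferredDomain": ["sesta.com"],
        "associatedDomain": ["qa.sesta.com", "eng.sesta.com"],
    },
    "o=siroe.com,o=basedn": {
        "sunPreferredDomain": ["siroe.com"],
    },
}

# Same data, except siroe.com also aliases eng.sesta.com, which sesta.com owns.
CONFLICTING_ORGS: Dict[str, Entry] = {
    **SAMPLE_ORGS,
    "o=siroe.com,o=basedn": {
        "sunPreferredDomain": ["siroe.com"],
        "associatedDomain": ["ENG.sesta.com"],
    },
}

if __name__ == "__main__":
    idx = build_domain_index(SAMPLE_ORGS)
    print(find_organization(idx, "QA.sesta.com"))
    print("conflict:", has_conflict(CONFLICTING_ORGS))
```

Running the check over a directory export before provisioning a new organization catches the collision at provisioning time rather than when a lookup later returns the wrong organization.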

OID

2.16.840.1.113730.3.1.1086

sunPreferredOrganization

Origin

Messaging Server 6.0, Calendar Server 6.0

Syntax

cis, single-valued

Object Classes

iplanet-am-managed-org-unit, sunManagedOrganization

Definition

Specifies the DNS name used to look up an organization entry when a unique matching organization is required.

When a value for this is available, provisioners should set it so as to enable applications to look up organizations using the organization’s name.

This attribute is for use with Schema 2 native mode LDAP directories only; it must not be used in DC Tree nodes.

Example

sunPreferredOrganization:sesta.com

OID

1.3.6.1.4.1.42.2.27.9.1.75

sunRegisteredServiceName

Origin

Access Manager

Syntax

string, multi-valued

Object Classes

iplanet-am-managed-org-unit, sunManagedOrganization

Definition

Defines the set of names of the registered services. The following services are defined for Messaging Server and Calendar Server:

Service Name           Description
DomainMailService      Mail service definition for domains.
DomainCalendarService  Calendar service definition for domains.
UserMailService        Mail service definition for users.
UserCalendarService    Calendar service definition for users.
GroupMailService       Mail service definition for groups.

For informational purposes: The following services are used by Access Manager for authentication with SSO (Single Sign-On). These services must be registered to the root suffix node. This step is done by Access Manager as part of its installation process. The services are:

Anyone can create a new service and load it into Access Manager. For information on how to do this, see the Access Manager documentation at:

http://docs.sun.com/

Example

sunRegisteredServiceName: DomainMailService

OID

1.3.6.1.4.1.42.2.27.9.1.593

sunServiceId

Origin

Messaging Server 6.0, Calendar Server 6.0

Syntax

cis, single-valued

Object Classes

sunServiceComponent

Definition

The kind of template being created. For search templates, the value is StructureUmsObjects. (At this time search templates are the only publicly defined template.)

Example

sunServiceId:StructureUmsObjects

OID

1.3.6.1.4.1.42.2.27.9.1.79

sunSmsPriority

Origin

Access Manager

Syntax

cis, single-valued

Object Classes

sunServiceComponent

Definition

Stores the priority of the service with respect to its siblings.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.81

sunXmlKeyValue

Origin

Access Manager

Syntax

cis, single-valued

Object Classes

sunServiceComponent

Definition

Not currently used.

Example

No example given.

OID

1.3.6.1.4.1.42.2.27.9.1.84