iPlanet Directory Server Schema Reference



Chapter 4   Operational Attributes, Special Attributes and Special Object Classes


This chapter describes operational attributes used by the directory server. Operational attributes may be available for use on every entry in the directory, regardless of whether they are defined for the object class of the entry. Operational attributes are only returned in an ldapsearch operation if specifically requested. This chapter also describes some special attributes and object classes that are used by the server. When an object class inherits attributes from other object classes, the inherited attributes are shown in italics.



Operational Attributes





accountUnlockTime


Definition
This refers to the exact time after which the entry can be used for authentication.

This attribute is defined in iPlanet Directory Server.


Syntax
GeneralizedTime, single-valued.


OID
2.16.840.1.113730.3.1.95



aci


Definition
Used by the directory server to evaluate what rights are granted or denied when it receives an LDAP request from a client.

This attribute is defined in iPlanet Directory Server.


Syntax
IA5String, multi-valued.


OID
2.16.840.1.113730.3.1.55



altServer


Definition
The values of this attribute are URLs of other servers which may be contacted when this server becomes unavailable. If the server does not know of any other servers which could be used, this attribute is absent. You may cache this information in case your preferred LDAP server later becomes unavailable.

This attribute is defined in RFC 2252.


Syntax
IA5String, multi-valued.


OID
1.3.6.1.4.1.1466.101.120.6



attributeTypes


Definition
Multi-valued attribute that specifies the attribute types used within a subschema. Each value describes a single attribute.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
2.5.21.5



copiedFrom


Definition
Used by a read-only replica to recognize the master data source. Contains a reference to the server that holds the master data. Note that this attribute is only used for legacy replication. It is not used for multi-master replication.

This attribute is defined in iPlanet Directory Server.


Syntax
DirectoryString, single-valued.


OID
2.16.840.1.113730.3.1.613



copyingFrom


Definition
Used by a read-only replica to recognize the master data source while replication is in progress. Contains a reference to the server that holds the master data. Note that this attribute is only used for legacy replication. It is not used for multi-master replication.

This attribute is defined in iPlanet Directory Server.


Syntax
DirectoryString, single-valued.


OID
2.16.840.1.113730.3.1.614



dITContentRules


Definition
Multi-valued attribute that defines the DIT content rules which are in force within a subschema. Each value defines one DIT content rule. Each value is tagged by the object identifier of the structural object class to which it pertains.

Note: iPlanet Directory Server does not support or use this attribute.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
2.5.21.2



dITStructureRules


Definition
Multi-valued attribute that defines the DIT structure rules which are in force within a subschema. Each value defines one DIT structure rule.

Note: iPlanet Directory Server does not support or use this attribute.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
2.5.21.1



ldapSyntaxes


Definition
This attribute identifies the syntaxes implemented, with each value corresponding to one syntax.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
1.3.6.1.4.1.1466.101.120.16



matchingRules


Definition
Multi-valued attribute that defines the matching rules used within a subschema. Each value defines one matching rule.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
2.5.21.4



matchingRuleUse


Definition
Used to indicate the attribute types to which a matching rule applies in a subschema.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
2.5.21.8



nameForms


Definition
Multi-valued attribute that defines the name forms used in a subschema. Each value defines one name form.

Note: iPlanet Directory Server does not support or use this attribute.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
2.5.21.7



namingContexts


Definition
Corresponds to a naming context the server is mastering or shadowing. When the directory server does not master any information (for example, it is an LDAP gateway to a public X.500 directory), this attribute is absent. When the directory server believes it contains the entire directory, the attribute has a single value, and that value is the empty string (indicating the null DN of the root). This attribute permits a client contacting a server to choose suitable base objects for searching.

This attribute is defined in RFC 2252.


Syntax
DN, multi-valued.


OID
1.3.6.1.4.1.1466.101.120.5



nsds5replconflict


Definition
This attribute is a conflict marker attribute. It is included on entries that have a change conflict that cannot be resolved automatically by the replication process.

This attribute is defined in iPlanet Directory Server.


Syntax
DirectoryString, multi-valued.


OID
2.16.840.1.113730.3.1.973



nsRole


Definition
This attribute is a computed attribute that is not stored with the entry itself. It identifies which roles an entry belongs to.

This attribute is defined in iPlanet Directory Server.


Syntax
DN, multi-valued.


OID
2.16.840.1.113730.3.1.574



nsRoleDN


Definition
This attribute contains the distinguished name of each managed role to which the entry belongs. Membership of a managed role is conferred upon an entry by adding the role's DN to the entry's nsRoleDN attribute.

This attribute is not to be confused with the generated nsRole attribute that contains the DN of all roles to which the entry belongs, as computed by the Directory Server. Use nsRoleDN to set managed role membership, and use nsRole to read all roles.

For example:

dn: cn=staff,ou=People,dc=siroe,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition

dn: uid=bjensen,ou=People,dc=siroe,dc=com
objectclass: top
objectclass: person
sn: Jensen
cn: Babs Jensen
uid: bjensen
nsroledn: cn=staff,ou=People,dc=siroe,dc=com

A nested role specifies containment of one or more roles of any type. In that case, nsRoleDN defines the DN of the contained roles.

For example:

dn: cn=everybody,o=iPlanet,o=airius.com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
nsroledn: cn=manager,ou=People,dc=siroe,dc=com
nsroledn: cn=staff,ou=People,dc=siroe,dc=com

This attribute is defined in iPlanet Directory Server.


Syntax
DN, multi-valued.


OID
2.16.840.1.113730.3.1.575
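
The relationship between nsRoleDN and nested roles described above, as an added Python example for access reviews (not part of the iPlanet documentation). It models managed and nested roles only, as described in this entry, and no other server-side rule; the cn=audit role, the kvaughan entry and the function names are assumptions made up for illustration.

```python
def norm(dn):
    """Crude DN normalization for comparison (does not handle escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def effective_roles(entry_roledns, nested_roles):
    """Expand an entry's nsRoleDN values through nested role definitions.

    entry_roledns: nsRoleDN values stored on the entry (managed roles).
    nested_roles:  {DN of nested role: nsRoleDN values listing contained roles}.
    """
    contains = {norm(r): {norm(c) for c in cs} for r, cs in nested_roles.items()}
    held = {norm(dn) for dn in entry_roledns}
    changed = True
    while changed:                       # fixed point, so cyclic nesting terminates
        changed = False
        for role, members in contains.items():
            if role not in held and members & held:
                held.add(role)           # entry holds a contained role
                changed = True
    return sorted(held)

def holders(role_dn, users, nested_roles):
    """DNs of the users whose expanded role set includes role_dn."""
    want = norm(role_dn)
    return sorted(dn for dn, roledns in users.items()
                  if want in effective_roles(roledns, nested_roles))

# Constructed data based on the LDIF examples above; kvaughan and cn=audit are made up.
STAFF = "cn=staff,ou=People,dc=siroe,dc=com"
MANAGER = "cn=manager,ou=People,dc=siroe,dc=com"
EVERYBODY = "cn=everybody,o=iPlanet,o=airius.com"
AUDIT = "cn=audit,o=iPlanet,o=airius.com"
NESTED = {EVERYBODY: [MANAGER, STAFF], AUDIT: [EVERYBODY]}
USERS = {
    "uid=bjensen,ou=People,dc=siroe,dc=com": [STAFF],
    "uid=kvaughan,ou=People,dc=siroe,dc=com": [],
}
```

An entry that stores only the staff role in nsRoleDN is also reported as a holder of every nested role that contains staff, directly or through another nested role, which is the set to compare against the nsRole values the server returns.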



numSubordinates


Description
Indicates how many immediate subordinates an entry has.

For example, numSubordinates=0 in a leaf entry.

This attribute is defined in numSubordinates Internet Draft.


Syntax
INTEGER, single-valued.


OID
1.3.1.1.4.1.453.16.2.103



objectClasses


Definition
Multi-valued attribute that defines the object classes used in a subschema. Each value defines one object class.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
2.5.21.6



passwordAllowChangeTime


Definition
Used to specify the exact time after which the user is allowed to change their password.

This attribute is defined in iPlanet Directory Server.


Syntax
GeneralizedTime, single-valued.


OID
2.16.840.1.113730.3.1.214



passwordExpirationTime


Definition
Used to specify the exact time after which the user's password expires.

This attribute is defined in iPlanet Directory Server.


Syntax
GeneralizedTime, single-valued.


OID
2.16.840.1.113730.3.1.91



passwordExpWarned


Definition
Used to indicate that a password expiration warning has been sent to the user.

This attribute is defined in iPlanet Directory Server.


Syntax
DirectoryString, single-valued.


OID
2.16.840.1.113730.3.1.92



passwordHistory


Definition
Contains the history of the user's previous passwords.

This attribute is defined in iPlanet Directory Server.


Syntax
Binary, multi-valued.


OID
2.16.840.1.113730.3.1.96



passwordRetryCount


Definition
Used to count the number of consecutive failed attempts at entering the correct password.

This attribute is defined in iPlanet Directory Server.


Syntax
INTEGER, single-valued.


OID
2.16.840.1.113730.3.1.93



retryCountResetTime


Definition
Specifies the exact time after which the passwordRetryCount is reset.

This attribute is defined in iPlanet Directory Server.


Syntax
GeneralizedTime, single-valued.


OID
2.16.840.1.113730.3.1.94



subschemaSubentry


Definition
DN of the entry that contains schema information for this entry. This attribute is present for every entry in the directory.

For example:

subschemaSubentry: cn=schema

This attribute is defined in RFC 2252.


Syntax
DN, single-valued.


OID
2.5.18.10



supportedControl


Definition
The values of this attribute are the object identifiers (OIDs) that identify the controls supported by the server. When the server does not support controls, this attribute is absent.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
1.3.6.1.4.1.1466.101.120.13



supportedExtension


Definition
The values of this attribute are the object identifiers (OIDs) that identify the extended operations supported by the server. When the server does not support extensions, this attribute is absent.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
1.3.6.1.4.1.1466.101.120.7



supportedLDAPVersion


Definition
Identifies the versions of the LDAP protocol implemented by the server.

This attribute is defined in RFC 2252.


Syntax
INTEGER, multi-valued.


OID
1.3.6.1.4.1.1466.101.120.15



supportedSASLMechanisms


Definition
Identifies the names of the SASL mechanisms supported by the server. When the server does not support SASL attributes, this attribute is absent.

This attribute is defined in RFC 2252.


Syntax
DirectoryString, multi-valued.


OID
1.3.6.1.4.1.1466.101.120.14



Special Object Classes





changeLogEntry


Definition
Used to represent changes made to the directory server. You can configure iPlanet Directory Server 5.1 to maintain a change log that is compatible with the change log implemented in Directory Server 4.1, 4.1, 4.11, 4.12, and 4.13 by enabling the retro change log plug-in. Each entry in the change log has the object class changeLogEntry.

This object class is defined in Changelog Internet Draft.


Superior Class
top


OID
2.16.840.1.113730.3.2.1


Required Attributes

objectClass

Defines the object classes for the entry.

changeNumber

Number assigned arbitrarily to the changelog.

changeTime

The time at which a change took place.

changeType

The type of change performed on an entry.

targetDn

The distinguished name of an entry added, modified or deleted on a supplier server.


Allowed Attributes

changes

Changes made to the directory server.

deleteOldRdn

A flag that defines whether the old Relative Distinguished Name (RDN) of the entry should be kept as a distinguished attribute of the entry, or should be deleted.

newRdn

New RDN of an entry that is the target of a modRDN or modDN operation.

newSuperior

Name of the entry that becomes the immediate superior of the existing entry, when processing a modDN operation.



passwordObject


Definition
Stores password information for a user in the directory.

This object class is defined in iPlanet Directory Server.


Superior Class
top


OID
2.16.840.1.113730.3.2.12


Required Attributes

objectClass

Defines the object classes for the entry.


Allowed Attributes

accountUnlockTime

Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.

passwordAllowChangeTime

Used to specify the length of time that must pass before the user is allowed to change their password.

passwordExpirationTime

Used to specify the length of time that passes before the user's password expires.

passwordExpWarned

Used to indicate that a password expiration warning has been sent to the user.

passwordHistory

Contains the history of the user's previous passwords.

passwordRetryCount

Used to count the number of consecutive failed attempts at entering the correct password.

retryCountResetTime

Specifies the length of time that passes before the passwordRetryCount is reset.



subschema


Definition
An auxiliary object class subentry used to administer the subschema for the subschema administrative area. It holds the operational attributes representing the policy parameters used to express the subschema.

This object class is defined in RFC 2252.


Superior Class
top


OID
2.5.20.1


Required Attributes

objectClass

Defines the object classes for the entry.


Allowed Attributes

attributeTypes

Attribute types used within a subschema.

dITContentRules

Defines the DIT content rules which are in force within a subschema.

dITStructureRules

Defines the DIT structure rules which are in force within a subschema.

matchingRules

Defines the matching rules used within a subschema.

matchingRuleUse

Indicates the attribute types to which a matching rule applies in a subschema.

nameForms

Defines the name forms used in a subschema.

objectClasses

Defines the object classes used in a subschema.



Special Attributes





changes


Description
For add and modify operations, contains the changes made to the entry, in LDIF format.

This attribute is defined in Changelog Internet Draft.


Syntax
Binary, multi-valued.


OID
2.16.840.1.113730.3.1.8



changeLog


Description
The distinguished name of the entry which contains the set of entries comprising the server's changelog.

This attribute is defined in Changelog Internet Draft.


Syntax
DN, multi-valued.


OID
2.16.840.1.113730.3.1.35



changeNumber


Description
This single-valued attribute is always present. It contains an integer which uniquely identifies each change made to a directory entry. This number is related to the order in which the change occurred. The higher the number, the later the change.

This attribute is defined in Changelog Internet Draft.


Syntax
INTEGER, multi-valued.


OID
2.16.840.1.113730.3.1.5



changeTime


Description
Defines a time, in a YYMMDDHHMMSS format, when the entry was added.

This attribute is defined in iPlanet Directory Server.


Syntax
DirectoryString, multi-valued.


OID
2.16.840.1.113730.3.1.77



changeType


Description
Specifies the type of LDAP operation. This attribute can have one of the following values: add, delete, modify, or modrdn.

For example:

changeType: modify

This attribute is defined in Changelog Internet Draft.


Syntax
DirectoryString, multi-valued.


OID
2.16.840.1.113730.3.1.7



deleteOldRdn


Description
In the case of modrdn operations, specifies whether the old RDN was deleted.

This attribute is defined in Changelog Internet Draft.


Syntax
Boolean, multi-valued.


OID
2.16.840.1.113730.3.1.10



newRdn


Description
In the case of modrdn operations, specifies the new RDN of the entry.

This attribute is defined in Changelog Internet Draft.


Syntax
DN, multi-valued.


OID
2.16.840.1.113730.3.1.9



newSuperior


Description
In the case of modrdn operations, specifies the newSuperior attribute of the entry.

This attribute is defined in Changelog Internet Draft.


Syntax
DN, multi-valued.


OID
2.16.840.1.113730.3.1.11



targetDn


Description
Contains the DN of the entry that was affected by the LDAP operation. In the case of a modrdn operation, the targetDn attribute contains the DN of the entry before it was modified or moved.

This attribute is defined in Changelog Internet Draft.


Syntax
DN, multi-valued.


OID
2.16.840.1.113730.3.1.6
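
The change log attributes described in this section, used for review: an added Python example (not part of the iPlanet documentation) that reads changeLogEntry records exported as LDIF, decodes the changes value and reports changes that touch attributes selected for review. The cn=changelog suffix, the SENSITIVE list, the function names and all sample records are assumptions constructed for illustration.

```python
import base64

SENSITIVE = {"aci", "nsroledn", "userpassword"}  # assumption: attributes under review

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold, then split
        entry = {}
        for line in block.splitlines():
            attr, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
                     if rest.startswith(":") else rest.strip())  # "attr:: <base64>"
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def touched_attributes(change_type, changes):
    """Attribute names written by the LDIF held in one 'changes' value."""
    names = set()
    for line in changes.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and change_type != "modify":
            names.add(key)                    # add: plain "attr: value" lines
        elif sep and key in ("add", "replace", "delete"):
            names.add(value.strip().lower())  # modify: "replace: aci" style lines
    return names

def audit(ldif_text):
    """Return (changeNumber, changeType, targetDn, attributes) per sensitive change."""
    findings = []
    for e in parse_ldif(ldif_text):
        ctype = e.get("changetype", [""])[0].lower()
        hits = touched_attributes(ctype, "\n".join(e.get("changes", []))) & SENSITIVE
        if hits and "changelogentry" in [v.lower() for v in e.get("objectclass", [])]:
            findings.append((int(e["changenumber"][0]), ctype, e["targetdn"][0], sorted(hits)))
    return sorted(findings)

def record(num, ctype, target, changes):      # builds one constructed sample record
    return (f"dn: changenumber={num},cn=changelog\nobjectClass: changeLogEntry\n"
            f"changeNumber: {num}\nchangeTime: 011029120000\nchangeType: {ctype}\n"
            f"targetDn: {target}\nchanges:: {base64.b64encode(changes.encode()).decode()}")

SAMPLE = "\n\n".join([                        # constructed data, not real server output
    record(41, "modify", "uid=bjensen,ou=People,dc=siroe,dc=com", "replace: sn\nsn: Jensen\n-\n"),
    record(42, "modify", "uid=bjensen,ou=People,dc=siroe,dc=com",
           "add: nsRoleDN\nnsRoleDN: cn=manager,ou=People,dc=siroe,dc=com\n-\n"),
    record(43, "add", "uid=nuser,ou=People,dc=siroe,dc=com", "cn: New User\nuserPassword: x\n"),
])
```

Because changeNumber increases with the order of changes, the sorted findings read as a timeline; delete and modrdn records carry no changes value and are not reported by this check.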


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated October 29, 2001