Oracle Fusion Middleware Glossary for Oracle Unified Directory 11g Release 1 (11.1.1)


partition

In a proxy distribution deployment, the data is split into smaller chunks of data, each of which is known as a partition. A partition of data is typically stored on a separate remote LDAP server, or on a set of replicated remote LDAP servers to ensure high availability.


password

A password is a secret value that may be used to provide proof of identity in some authentication mechanisms. In particular, a password is used in simple authentication, as well as the CRAM-MD5, DIGEST-MD5, and PLAIN SASL mechanisms.

The security that a password provides is based entirely on the fact that only the password's owner knows what the password is. If someone else learns a user's password through some means, then that third party can impersonate that user and may be able to perform any operation available to that user.

The Directory Server provides a number of password policy features that can be used to help ensure that passwords are not discovered by third parties (for example, preventing users from choosing weak passwords, providing protection against brute-force attacks, and requiring that authentication attempts and password changes be performed over a secure channel). Nevertheless, passwords are generally considered a weaker form of protection than other kinds of identification, such as certificates.

password expiration

Password expiration is an element of the Directory Server password policy that can be used to limit the length of time that a user can continue to use the same password. If password expiration is enabled, once a user changes his or her password, it can be used for a length of time specified as the maximum password age. As the password expiration time draws near, the user may receive warning messages in the form of a control in the bind response. Once the password has expired, the user will no longer be allowed to authenticate.

Once the user's password has expired, it may be necessary for an administrator to perform a password reset before the account can be used again. Alternatively, if the password policy is configured appropriately, the user may be able to change their own expired password using the Password Modify extended operation.

password generator

A password generator is a piece of logic that may be used to generate a password for a user as part of a Password Modify extended operation. It will be used if the password modify request does not include a new password.

Password Modify extended operation

The Password Modify extended operation is a type of extended operation that may be used to change or reset user passwords. It is defined in RFC 3062 and both the request and response operations have an OID of

The value for the password modify request is:

PasswdModifyRequestValue ::= SEQUENCE {
     userIdentity    [0]  OCTET STRING OPTIONAL,
     oldPasswd       [1]  OCTET STRING OPTIONAL,
     newPasswd       [2]  OCTET STRING OPTIONAL }

The value for the password modify response is:

PasswdModifyResponseValue ::= SEQUENCE {
     genPasswd       [0]     OCTET STRING OPTIONAL }

password policy

The Directory Server password policy provides a mechanism for controlling how passwords will be stored and maintained in the server, and how users will be allowed to authenticate.

Elements of the password policy include:

password policy control

The password policy request control is a type of LDAP control that can be used to request information about the current password policy state for a user entry. It is defined in draft-behera-ldap-password-policy. Both the request and response controls have an OID of The request control does not have a value. The response control value is encoded as follows:

PasswordPolicyResponseValue ::= SEQUENCE {
     warning [0] CHOICE {
          timeBeforeExpiration [0] INTEGER (0 .. maxInt),
          graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
     error   [1] ENUMERATED {
          passwordExpired             (0),
          accountLocked               (1),
          changeAfterReset            (2),
          passwordModNotAllowed       (3),
          mustSupplyOldPassword       (4),
          insufficientPasswordQuality (5),
          passwordTooShort            (6),
          passwordTooYoung            (7),
          passwordInHistory           (8) } OPTIONAL }

For an example of using this control in a search request, see To Search Using the Password Policy Control in Oracle Fusion Middleware Administration Guide for Oracle Unified Directory.
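The Password Modify request value and the password policy response value defined above are both small BER structures, and the tag octets follow directly from the [n] markers in the ASN.1. The Python below is an added example, not Oracle's or the directory server's code; it assumes nothing beyond the two definitions shown.

```python
# Added example, not Oracle's code: minimal BER encode/decode for the two ASN.1 values
# above. Tags: SEQUENCE = 0x30, context-specific primitive [n] = 0x80|n, constructed [n] = 0xA0|n.
from typing import Optional, Tuple

def ber_len(n: int) -> bytes:
    """Definite-form length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_passwd_modify_request(user_identity: Optional[str] = None,
                                 old_passwd: Optional[str] = None,
                                 new_passwd: Optional[str] = None) -> bytes:
    """PasswdModifyRequestValue: each OPTIONAL OCTET STRING is emitted only when
    supplied, so omitting newPasswd asks the server to generate one (see genPasswd)."""
    body = b""
    for tag, field in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if field is not None:
            body += tlv(tag, field.encode("utf-8"))
    return tlv(0x30, body)

PP_ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
             "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
             "passwordTooYoung", "passwordInHistory"]  # ENUMERATED values 0..8, in order
PP_WARNINGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}

def decode_password_policy_response(value: bytes) -> dict:
    """PasswordPolicyResponseValue. warning [0] tags a CHOICE, so it is an explicit (constructed,
    0xA0) wrapper around the chosen INTEGER; error [1] is an implicit primitive ENUMERATED (0x81)."""
    tag, body, _ = read_tlv(value)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag == 0xA0:
            ctag, cval, _ = read_tlv(inner)
            out["warning"] = (PP_WARNINGS[ctag], int.from_bytes(cval, "big"))
        elif tag == 0x81:
            out["error"] = PP_ERRORS[int.from_bytes(inner, "big")]
    return out
```

A client would place the request value in the ExtendedRequest and hand the response control's value to decode_password_policy_response; a server-generated password arrives in genPasswd [0], which read_tlv unpacks the same way.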

password reset

A password reset is the act of a server administrator changing a user's password. More generally, a password reset is any password change performed by a user other than the one who owns the account.

password storage scheme

A password storage scheme provides a mechanism for encoding user passwords for storage in the server. In most cases, the password is encoded in a manner that prevents users from determining what the clear-text password is, while still allowing the server to determine whether the user-supplied password is correct. Password storage schemes currently available for use include:


The password will be encoded using triple DES. Triple DES is a variation of the Data Encryption Standard (DES) that is three times slower than its predecessor but provides stronger protection. The algorithm uses three 64-bit keys for a combined key length of 192 bits. The data is encrypted with the first key, decrypted with the second key, and then re-encrypted with the third key. You must ensure that the three keys are not all identical, and that neither the first and second keys nor the second and third keys are identical.


The Advanced Encryption Standard uses a symmetric block cipher that processes data blocks of 128 bits, using cipher keys with lengths of 128 (AES-128), 192 (AES-192), and 256 (AES-256) bits, and is based on the Rijndael algorithm.


The password will be base64-encoded, which provides a very weak form of protection and should only be used for cases in which clients require this storage scheme.


The password will be encoded using the Blowfish algorithm with a 128-bit key length.


The password will be stored in clear-text. It will not provide any protection at all, so this should only be used for cases in which clients require this storage scheme.


The password will be encoded using the UNIX crypt algorithm. This is a one-way algorithm, but it is considered weak by current standards and should generally only be used for clients which require this storage scheme.


The password will be encoded using an unsalted version of the MD5 message digest algorithm. This is relatively secure, although a salted hash is preferred, and the SHA variants are considered stronger than MD5.


The password will be encoded using RC4, a variable-key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation.


The password will be encoded using a salted version of the MD5 message digest algorithm.


The password will be encoded using an unsalted version of the SHA-1 Secure Hash Algorithm. The salted variant of this algorithm is preferred.


The password will be encoded using a salted version of the SHA-1 Secure Hash Algorithm. This is the default password storage scheme used by the directory server.


The password will be encoded using a salted 256-bit version of the SHA-2 Secure Hash Algorithm.


The password will be encoded using a salted 384-bit version of the SHA-2 Secure Hash Algorithm.


The password will be encoded using a salted 512-bit version of the SHA-2 Secure Hash Algorithm.

Note that the directory server also supports the use of the authentication password syntax.
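The salted SHA schemes in the list above differ from the unsalted ones only in that a random salt is hashed with the password and stored next to the digest. The Python below is an added example, not the directory server's code; it assumes the common LDAP storage layout of a {SCHEME} prefix followed by base64(digest(password || salt) || salt) with an 8-byte salt, and the conventional prefixes {SHA}, {SSHA}, {SSHA256}, {SSHA384} and {SSHA512}, none of which the glossary entry itself spells out.

```python
# Added example, not Oracle's code. Assumed layout for the salted schemes (the glossary
# entry does not spell it out): "{SCHEME}" + base64(digest(password || salt) || salt),
# with an 8-byte random salt. The salt is not secret; it only makes each stored value unique.
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed scheme prefix -> (hashlib constructor, digest length in bytes)
SALTED_SCHEMES = {
    "{SSHA}": (hashlib.sha1, 20),
    "{SSHA256}": (hashlib.sha256, 32),
    "{SSHA384}": (hashlib.sha384, 48),
    "{SSHA512}": (hashlib.sha512, 64),
}

def encode_salted(password: str, scheme: str = "{SSHA}", salt: Optional[bytes] = None) -> str:
    """Encode a password for storage. A fresh salt per password means two users with the
    same password get different stored values, which defeats precomputed digest tables."""
    digest_fn, _ = SALTED_SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")

def verify_salted(stored: str, candidate: str) -> bool:
    """Check a supplied password against a stored value: split the decoded blob into
    digest and salt, rehash the candidate with that salt, and compare in constant time."""
    scheme = stored[: stored.index("}") + 1]
    digest_fn, digest_len = SALTED_SCHEMES[scheme]
    blob = base64.b64decode(stored[len(scheme):])
    digest, salt = blob[:digest_len], blob[digest_len:]
    return hmac.compare_digest(digest_fn(candidate.encode("utf-8") + salt).digest(), digest)

def encode_unsalted_sha(password: str) -> str:
    """The unsalted {SHA} scheme for contrast: the same password always yields the same
    stored value, which is why the salted variant is preferred."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
```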

password validator

A password validator is a component of the directory server password policy that is used to determine whether a proposed password is acceptable for use. The directory server provides an extensible API for developing custom password validators, and it also ships with a number of different types of password validators, including:

persistent search control

The persistent search control is a type of LDAP control that allows clients to be notified of changes to entries that match the criteria of the associated LDAP search operation. The persistent search control is described in draft-ietf-ldapext-psearch and has an OID of 2.16.840.1.113730.3.4.3. It is defined as follows:

PersistentSearch ::= SEQUENCE {
     changeTypes INTEGER,
     changesOnly BOOLEAN,
     returnECs BOOLEAN }

Search result entries returned as part of this search may optionally include the entry change notification control to describe the way in which the entry changed. For an example of using this control in a search, see To Search Using the Persistent Search Control in Oracle Fusion Middleware Administration Guide for Oracle Unified Directory.

PLAIN SASL mechanism

The PLAIN Simple Authentication and Security Layer mechanism provides a way for clients to authenticate to the Directory Server with a username and password. In general, it is very similar to simple authentication, with the exception that the client can identify itself with a username rather than a distinguished name. It also provides the ability for the client to specify an alternate authorization ID.

Like simple authentication, the PLAIN SASL mechanism does not provide any form of protection for the user password, so it may be advisable to only use this authentication method over secure communication channels like those provided by Secure Sockets Layer or StartTLS.


plug-in

A plug-in is a piece of code that can be used to inject custom logic into the way that the Directory Server performs its processing. The directory server supports a number of different types of plug-ins, including:

presence index

A presence index is a type of index that is used to keep track of the entries that have at least one value for a specified attribute. There is only a single presence index key per attribute, and its ID list contains the entry IDs for all entries that contain the specified attribute.

presence search filter

A presence search filter is a type of search filter that can be used to identify entries that have at least one value for a specified attribute. The string representation of an LDAP presence filter comprises an opening parenthesis followed by the attribute name, an equal sign, an asterisk, and the closing parenthesis. For example, a presence filter of (aci=*) will match any entry containing at least one value for the aci attribute.


privilege

The directory server provides a privilege subsystem, which can be used to define capabilities that will be granted to users. The privilege subsystem works in conjunction with the access control implementation in the process of determining whether a user will be allowed to perform a certain operation.

Some of the privileges defined in the directory server include:


Allows the user to bypass access control evaluation.


Allows the user to modify access control rules defined in the server.


Allows the user to have read access to the server configuration.


Allows the user to have write access to the server configuration.


Allows the user to request that the server shut down.


Allows the user to request that the server perform an in-core restart.


Allows the user to request an operation with a different authorization ID.


Allows the user to request an unindexed search.


Allows the user to perform a password reset for other users.


Allows the user to update the server schema.

See Chapter 6, Directory Server Root Users and the Privilege Subsystem, in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory for more information on the privilege subsystem.

proportional algorithm

A proxy load balancing algorithm in which client requests are distributed to a set of replicated remote LDAP servers. The number of requests sent to each remote LDAP server is determined by the weight set for that server.

protocol data unit

A protocol data unit (PDU) is a single complete element of network communication. For LDAP, the PDU is the message.

protocol op

The protocol op is the element in the message that contains the heart of the request or response. That is, it indicates what type of message it is. There are several different kinds of protocol op elements, including:

proxied authorization control

The proxied authorization control is a type of control that can be used to request that the associated operation be performed under the authorization of another user.

There are actually two different forms of the proxied authorization control, both of which are request controls that may be attached to an add operation, compare operation, delete operation, modify operation, modify DN operation, or search operation.

The proxied authorization v1 control is defined in early versions of draft-weltman-ldapv3-proxy. It has an OID of 2.16.840.1.113730.3.4.12 and the control value should be encoded as:

proxyAuthValue ::= SEQUENCE {
     proxyDN LDAPDN }

The proxied authorization v2 control is defined in RFC 4370. It has an OID of 2.16.840.1.113730.3.4.18 and the value is a string containing the desired authorization ID.

For an example of using this control in a search request, see To Search Using the Proxied Authorization Control in Oracle Fusion Middleware Administration Guide for Oracle Unified Directory.