Appendix D Working with Operational Attributes

Operational attributes are attributes that are stored in a directory and used to provide information to the directory server. For example, an access control instruction (ACI) is an operational attribute that helps the directory server manage access control.

Directory Editor does not generally provide access to operational attributes from its user interface, but you may find it useful to view and edit these attributes.
This appendix uses the following scenario to illustrate the procedure for adding operational attributes to a Directory Editor form.

If you want to add an ACI to the People OU that allows only HR Managers group members to change a person's manager, customize the organizationalUnit form to display the ACI, as follows:

Select Configure > Forms.

If necessary, scroll down the page and locate organizationalunit in the Name column. Click the Customize button in the Action column.

When the Forms page is displayed, click the New Field button.

The left side of the Forms page changes to Field Undefined as shown in the following figure:

Figure D-1 Specifying the New Field
Specifying a new field for the operational attribute.

On the Field Properties tab, provide the following information:

Name: Enter attributes[aci].value (which is how attributes are referenced in a form).

Title: Enter a title for the new field, which will be displayed in the form.
For example, type ACI:.

Type: Select Text from the menu to indicate that this will be a text field.

When the new text fields and checkboxes are displayed below the Type menu, enable the Multi-Valued check box in the Options row because there can be multiple ACIs for each entry.

Figure D-2 Completed Field Properties Tab

Select the Move Field tab, and move this field after Business Category.

Figure D-3 Completed Move Field Tab
Completed Move Field tab.

When you are finished, click OK.

Note that the new ACI field is now displayed below the business Category field on the Common Attributes tab.

Figure D-4 Updated Common Attributes Tab

Click Save to save the customized organizationalUnit form.


Note	You must be logged in as a Directory Administrator to edit many of the operational attributes. For this example, consider that you are logged in as cn=Directory Manager.

Select the Browse tab and click the People OU.

When the ou=People - Edit page is displayed, click an Add button

in the ACI list to add a new field to the list.

Figure D-5 Add a New ACI Field
Adding a new ACI text field to the list.

Enter the following text into the new ACI field:

(targetattr = "manager") (version 3.0;acl "Only HR can change your manager.";deny (write)(groupdn != "ldap:///cn=HR Managers,ou=groups,
dc=central,dc=sun,dc=com");)



Note	This format is directory-server dependent (it works on Sun ONE Directory Server only). This new ACI tells the directory that only HR Managers group members are allowed to change the Manager field for all users in the People OU.

Click Save to add the new ACI to the People OU.

Directory Editor decides which operational attributes to return for an entry, based upon which attributes are requested as form fields. If an operational attribute’s form field name is generated dynamically, you must add a blank field to the form so Directory Editor knows to load that field.

You must also add a blank field to the form so Directory Editor knows to load the operational attribute as follows:

Previous Contents Index Next
Sun Java System Directory Editor 1 2005Q1 Installation and Configuration Guide