This chapter describes attributes required or allowed by LDAP object classes for Calendar Server and Messaging Server. The attributes are listed alphabetically.
Objects and attributes used exclusively by Access Manager are covered in Chapter 4, Access Manager Classes and Attributes.
Objects and attributes used exclusively by iPlanet Delegated Administrator for Messaging are covered in Chapter 6, iPlanet Delegated Administrator Classes and Attributes (Schema 1).
Objects and attributes used by Communications Express are covered in Chapter 7, Communications Express Classes and Attributes.
This chapter describes the following attributes:
Messaging Server 6.0, Calendar Server 6
cis
Adds a user to a dynamic group specified as an identifier in an ACL entry. Members of the group share the particular access rights defined in the ACL entry. The group is represented by a dynamic mailing list with a filter on the aclGroupAddr attribute.
aclGroupAddr: lee-staff@siroe.com
1.3.6.1.4.1.42.2.27.9.1.686
Messaging Server 5.0
cis
Specifies the administrator role for this administrator entry.
None provided.
2.16.840.1.113730.3.1.601
Messaging Server 5.0
dn
Used only in Schema 1 or in Schema 2 compatibility mode (with a DC Tree), not in Schema 2 native mode (no DC Tree).
Used by the Messaging Server to identify alias entries in the directory. Contains the distinguished name of the entry for which it is an alias. The domain attribute values are taken only from the referenced domain, so that routing is identical between these domains.
aliasedObjectName: cn=jdoe,o=sesta.com
2.5.4.1
Messaging Server 5.0
cis, single-valued
groupOfUniqueNames, organization, organizationalUnit
Identifies the type of business in which the entry is engaged. This should be a broad generalization such as is made at the corporate division level.
businessCategory:Engineering
2.5.4.15
Messaging Server 5.0
cis, single-valued
Contains URI to user’s entire default calendar. For details see RFC 2739.
Varies according to the version of calendar server implemented. For details see RFC 2739.
1.2.840.113556.1.4.478
Messaging Server 5.0
cis, single-valued
URL to the user’s default busy time data. For details see RFC 2739.
Varies according to the version of calendar server implemented. For details see RFC 2739.
1.2.840.113556.1.4.479
Calendar Server
cis, single-valued
icsCalendarResource, icsCalendarUser, inetResource
For users, full name of person. For resources, a unique identifier. In either case, it may contain spaces and special characters. Abbreviation for commonName.
For a user: cn: John Doe.
For a resource: cn: Conference Room #3
or
commonName: John Doe
commonName: Conference Room #3
2.5.4.3
LDAP
cis
Contains the name of a country, using a two character code. Abbreviation for countryName.
The attribute friendlyCountryName is used to spell out the actual country name.
co:IE
or
countryName:IE
friendlyCountryName:Ireland
2.5.4.4
Spells out the name of the attribute, but is the same as cn.
Spells out the name of the attribute, but is the same as co.
Messaging Server 5.0
cis, single-valued
Text field to store a tag or identifier. Value has no operational impact.
dataSource:1.0
2.16.840.1.113730.3.1.779
Messaging Server 5.0
cis, single-valued
Date of birth of the pabPerson. Format is: YYYYMMDD.
dateOfBirth: 19740404 (date of birth on April 6, 1974.)
2.16.840.1.113730.3.1.779
Messaging Server 5.0
cis, single-valued
The domain component of the domain alias entry.
dc=sesta
For example, a domain alias entry DN might be: dn: dc=sesta, dc=fr, o=internet.
0.9.2342.19200300.100.1.25
LDAP
cis, multi-valued
icsCalendarDWPHost, icsCalendarResource, groupOfUniqueNames, inetOrgPerson, organization, organizationalUnit, pab, pabGroup, sunServiceComponent
Provides a human readable description of the object. For people and organizations, this often includes their role or work assignment.
description: Quality control inspector.
2.5.4.13
Messaging Server 5.0
cis, single-valued
This attribute is used only for LDAP Schema 1.
This attribute is used by the messaging server to override the default mailbox (MB) home. When present, this attribute specifies that compound user identifications (UIDs) are used in this domain and this attribute specifies the separator. For instance, if + is the separator, the mailbox names in this domain are obtained by replacing the rightmost occurrence of + in the uid with @. To map an internal mailbox name to the UID, the rightmost occurrence of @ is replaced with a + in the mailbox name.
While substitution of an @ for the UID separator is sufficient to generate a mailbox name, this may not be the same as any of the user’s actual email addresses.
Format of internal mailbox names is uid@domain, where “domain” is DNS domain mapping to the namespace. The only exception to this rule is mailbox names for users in default domain where only the uid is used to construct internal mailbox names. See inetCanonicalDomainName on how the default value of domain name used can be overridden in specific cases.
The MTA option used to override this attribute’s value is LDAP_DOMAIN_ATTR_UID_SEPARATOR.
domainUIDSeparator: #
2.16.840.1.113730.3.1.702
Messaging Server 5.0
cis, single-valued
This attribute is used only for LDAP Schema 1.
Maximum number of user entries in a domain organization.
domOrgMaxUser: 500
2.16.840.1.113730.3.1.697
Messaging Server 5.0
cis, single-valued
Number of current user entries in a domain organization.
domOrgNumUsers: 345
2.16.840.1.113730.3.1.698
Calendar Server
tel, single-valued
icsCalendarResource, inetResource, organization, organizationalUnit
Fax telephone number for resources.
facsimileTelephoneNumber: 1-800-555-1212
2.5.4.23
LDAP
cis
Identifies the entry’s given name, usually a person’s first name.
givenName: John
2.5.4.42
Calendar Server 6
cis, single-valued
Identifies the unique name used to create the group calendar. The groupid must be unique among all uid and groupid attributes in its relative namespace. All valid Calendar group entries must have a groupid attribute.
groupid:calendar1
1.3.6.1.4.1.42.2.27.9.1.784
Calendar Server
cis
Administrative calendar role that can be assigned to a group.
No example given.
2.16.840.1.113730.3.1.724
Calendar Server
cis, UTF 8 encoded
Alias associated with a resource. An alias can make a resource name easier for the end user to work with.
The resource named “halleyscomet” can be aliased as “Halley’s Comet”.
icsAlias: Halley’s Comet
2.16.840.1.113730.3.1.725
Calendar Server 6.0
cis, single-valued
icsCalendarDomain, icsCalendarUser
This attribute is used only if the icsStatus attribute is not set, or in other words, if icsStatus is set, this attribute is ignored.
Use this attribute to disallow calendar services to a user. As a default all users are allowed access with http, but if you specify this attribute as shown in the example, it disallows the user from receiving calendar access (user is disabled):
Any other setting, or absence of the attribute entirely, results in the user having access to http services (user is enabled).
icsAllowedServiceAccess:http
2.16.840.1.113730.3.1.726
Calendar Server
integer, single-valued
A numeric string used to hold bit fields, each corresponding to a set of rights. Each bit corresponds to a setting in the ics.conf file. After you have figured out the bit string settings you want, convert the bits to an integer.
If the property is set (1), the right is allowed. If the bit is not set (0), the right is not allowed.
If this attribute does not exist, the corresponding ics.conf default settings are used.
icsAllowRights defines the meaning of each bit position for bits 0-15:
Table 3–1 Bit Definitions and ics.conf Settings
Property Name and ics.conf Setting Name | Bit | Allows (1) or Disallows (0) |
---|---|---|
allowCalendarCreation service.wcap.allowcreatecalendars | 0 | Creation of calendars |
allowCalendarDeletion service.wcap.allowdeletecalendars | 1 | Deletion of calendars |
allowPublicWritableCalendars service.wcap.allowpublicwriteablecalendars | 2 | Publicly writable calendars for users |
none | 3 | Reserved. Defaults to 0 |
allowModifyUserPreferences service.admin.calmaster.wcap.allowgetmodifyuserprefs | 4 | Domain Administrator allowed to change user preferences |
allowModifyPassword service.wcap.allowchangepassword | 5 | Users allowed to change their password |
none | 6 | Reserved. Defaults to 0 |
none | 7 | Reserved. Defaults to 0 |
allowUserDoubleBook user.allow.doublebook | 8 | Double booking of user calendars |
allowResourceDoubleBook resource.allow.doublebook | 9 | Double booking of resource calendars |
allowSetCn service.wcap.allowsetprefs.cn | 10 | User preference cn modified by set_userprefs command |
allowSetGivenName service.wcap.allowsetprefs.givenname | 11 | User preference givenname modified by set_userprefs command |
allowSetGivenMail service.wcap.allowsetprefs.mail | 12 | User preference mail modified by set_userprefs command |
allowSetPrefLang service.wcap.allowsetprefs.preferredlanguage | 13 | User preference preferredlanguage modified by set_userprefs command |
allowSetSn service.wcap.allowsetprefs.sn | 14 | User preference sn modified by set_userprefs command |
allowGroupDoubleBook group.allow.doublebook | 15 | Double booking of group calendars |
none | 16-31 | Reserved. Defaults to all 0 |
If you decide that you want to disallow the following bits:
publicly writable user calendars (bit 2),
double booking of resources (bit 9),
and modifying the given name (bit 11),
then your bit pattern would look like this:
"00000000000000000000101000000100"
which you would convert into the integer 2564 so that:
icsAllowRights: 2564
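The bit arithmetic above, as an added example that is not part of the original reference: it encodes and decodes icsAllowRights values using the bit positions from Table 3–1, flags reserved bits that are set, and diffs two values for change review. It only reports which bits are set; what a set bit means is as stated in the text above. The function names are hypothetical.

```python
# Bit positions copied from Table 3-1; bits 3, 6, 7 and 16-31 are reserved.
ICS_ALLOW_RIGHTS_BITS = {
    0: "allowCalendarCreation",
    1: "allowCalendarDeletion",
    2: "allowPublicWritableCalendars",
    4: "allowModifyUserPreferences",
    5: "allowModifyPassword",
    8: "allowUserDoubleBook",
    9: "allowResourceDoubleBook",
    10: "allowSetCn",
    11: "allowSetGivenName",
    12: "allowSetGivenMail",
    13: "allowSetPrefLang",
    14: "allowSetSn",
    15: "allowGroupDoubleBook",
}
NAME_TO_BIT = {name: bit for bit, name in ICS_ALLOW_RIGHTS_BITS.items()}


def encode_rights(names):
    """Build the integer for a list of property names whose bits are set."""
    value = 0
    for name in names:
        if name not in NAME_TO_BIT:
            raise ValueError(f"unknown property name: {name!r}")
        value |= 1 << NAME_TO_BIT[name]
    return value


def decode_rights(raw):
    """Return (names_of_set_bits, reserved_bits_set) for an attribute value."""
    value = int(str(raw).strip())
    if not 0 <= value < 2 ** 32:
        raise ValueError(f"icsAllowRights out of 32-bit range: {value}")
    names = [ICS_ALLOW_RIGHTS_BITS[bit]
             for bit in sorted(ICS_ALLOW_RIGHTS_BITS) if value >> bit & 1]
    reserved = [bit for bit in range(32)
                if bit not in ICS_ALLOW_RIGHTS_BITS and value >> bit & 1]
    return names, reserved


def bit_pattern(value):
    """Render the value as the 32-character bit string used in the text."""
    return format(value, "032b")


def diff_rights(old, new):
    """Return (newly_set, newly_cleared) property names between two values."""
    old_names, _ = decode_rights(old)
    new_names, _ = decode_rights(new)
    newly_set = [n for n in new_names if n not in old_names]
    newly_cleared = [n for n in old_names if n not in new_names]
    return newly_set, newly_cleared


if __name__ == "__main__":
    value = encode_rights(["allowPublicWritableCalendars",
                           "allowResourceDoubleBook",
                           "allowSetGivenName"])
    print(bit_pattern(value), value)
    print(decode_rights("2564"))
    # Constructed value with reserved bit 3 also set, to show the warning path.
    print(decode_rights(2564 | 8))
```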
2.16.840.1.113730.3.1.727
Calendar Server
boolean (yes, no)
Specifies if anonymous users can write events in public calendars. The value comes from the ics.conf setting service.wcap.anonymousallowpubliccalendarwrite.
icsAnonymousAllowWrite: yes
2.16.840.1.113730.3.1.728
Calendar Server
ces
Calendar ID for anonymous users. The value is taken from the ics.conf setting calstore.anonymous.calid.
icsAnonymousCalendar: guest1
2.16.840.1.113730.3.1.729
Not implemented.
ces, UTF 8 encoded
Default calendar set for anonymous users.
No example given.
2.16.840.1.113730.3.1.730
Calendar Server
boolean (yes, no)
Specifies if anonymous login is allowed. Value is taken from the ics.conf file setting service.http.allowanonymousLogin.
icsAnonymousLogin: yes
2.16.840.1.113730.3.1.798
Not implemented.
ces, UTF 8 encoded
Reserved. Not implemented.
Default calendar set for anonymous users.
No example given.
2.16.840.1.113730.3.1.732
Calendar Server 6
cis, single-valued
icsCalendarGroup, icsCalendarResource
When a group receives an invitation, this attribute indicates whether the invitation is marked automatically as accepted. When enabled, the attribute causes the scheduled event to be marked as busy on the group calendar without any member taking any action.
For a Calendar resource, this attribute allows the resource to accept invitations automatically.
The icsAutoaccept attribute can have a value of 1, which allows automatic acceptance of invitations, or 0, which prohibits automatic acceptance.
For a group calendar, the default value is 0 (prohibit automatic acceptance of events). For a Calendar resource, the default value is 1 (allow automatic acceptance of events).
icsAutoaccept:0
icsAutoaccept:1
1.3.6.1.4.1.42.2.27.9.1.788
Calendar Server
ces, single-valued
icsCalendarResource, icsCalendarGroup, icsCalendarUser
The calendar ID (calid) of the default calendar for a user, group, or resource. Required attribute. It is a policy of Calendar Server to construct calids based on the user's uid or the group's groupid, since it is guaranteed to be unique.
icsCalendar: jdoe
2.16.840.1.113730.3.1.731
Calendar Server
ces, multi-valued
Calendars owned by this user. At least one instance of this attribute must exist for each user and must be set with the user's default calendar value. Multiple instances of this attribute can be used to specify other calendars the user owns.
icsCalendarOwned:jdoe@sesta.com:Project
icsCalendarOwned:jdoe@sesta.com:icsCalendarOwned
icsCalendarOwned:jdoe@sesta.com:BaseballSchedule
icsCalendarOwned:jdoe@sesta.com:Holidays
1.3.6.1.4.1.42.2.27.9.1.6
Not implemented.
integer, single-valued
Not currently defined.
Reserved, not implemented.
No example given.
2.16.840.1.113730.3.1.800
Not implemented.
cis, UTF 8 encoded
Reserved, not implemented.
Resource contact name.
icsContact: John Doe jdoe@sesta.com
2.16.840.1.113730.3.1.733
Calendar Server
cis, single-valued
Default access control string applied to the user’s default calendar. For more information about access control, see “Access Control Entries” in the Sun Java System Calendar Server Programmer’s Manual. If this attribute is not present, the value is taken from the ics.conf file setting calstore.calendar.default.acl.
Granting the user both free-busy and scheduling permission for calendar components.
icsDefaultAccess:@sesta.com^c^sf^g
2.16.840.1.113730.3.1.734
Calendar Server 6
cis, single-valued
icsCalendarGroup, icsCalendarResource
Default access control string (ACL) applied to a group calendar or calendar resource. For more information about access control, see “Access Control Entries” in the Sun Java System Calendar Server Developer’s Guide. If this attribute is not present, the value is taken from the ics.conf file settings group.default.acl for groups or resource.default.acl for resources.
Granting the group calendar both free-busy and scheduling permission for calendar components.
icsDefaultacl:@sesta.com^c^sf^g
1.3.6.1.4.1.42.2.27.9.1.786
Calendar Server
ces, single-valued
User preference for what calendars to display at login. Users can specify any of their calendar sets (groups they have created) to be displayed at login instead of a single calendar.
icsDefaultSet: MyCalendarGroup
2.16.840.1.113730.3.1.735
Not implemented.
cis, single-valued (see mgrpAllowedDomain)
What domains are allowed. The value has the following format:
service-list:client-list
where service-list is a blank- or comma-separated list of one or more service names or wild cards, and client-list is a blank- or comma-separated list of one or more host names or addresses, patterns or wild cards.
The following are the explicit wild cards recognized by the system:
ALL | Always matches |
LOCAL | Matches any host whose name does not contain a dot character. |
UNKNOWN | Matches any host whose name or address are unknown. Use this with care. |
KNOWN | Matches any host whose name and address are known. Use with care. |
DNSSPOOFER | Matches any host whose name does not match its address. |
There is one operator that can be used in the service-list and the client-list:
EXCEPT | Matches anything that matches list 1 unless it matches anything in list 2. The expected form: list1 EXCEPT list2. List1 and list2 are comma-separated. |
You can use patterns to distinguish clients by the network address that they can connect to. For example: service@host_pattern:client-list.
The default value comes from service.http.domainallowed in the ics.conf file.
Allow local access to anyone in the sesta.com domain.
icsDomainAllowed: ALL:sesta.com
2.16.840.1.113730.3.1.736
Calendar Server
cis, multi-valued, ASCII
For cross-domain searching, each external domain to be searched must be listed using this attribute.
icsDomainNames: sesta.com
icsDomainNames: siroe.com
1.3.6.1.4.1.42.2.27.9.1.3
Calendar Server
cis, single-valued (see mgrpDisallowedDomain)
What domains are not allowed. The value has the following format:
service-list:client-list
where service-list is a blank- or comma-separated list of one or more service names or wild cards, and client-list is a blank- or comma-separated list of one or more host names or addresses, patterns or wild cards.
The following are the explicit wild cards recognized by the system:
ALL | Always matches |
LOCAL | Matches any host whose name does not contain a dot character. |
UNKNOWN | Matches any host whose name or address are unknown. Use this with care. |
KNOWN | Matches any host whose name and address are known. Use with care. |
DNSSPOOFER | Matches any host whose name does not match its address. |
There is one operator that can be used in the service-list and the client-list:
EXCEPT | Matches anything that matches list 1 unless it matches anything in list 2. The expected form: list1 EXCEPT list2. List1 and list2 are comma-separated. |
The value comes from ics.conf setting service.http.domainnotallowed.
If you want to allow access to all but a selected few hosts, you can explicitly deny access as in the following example:
Deny access to anyone at the company22.com domain.
icsDomainNotAllowed: ALL:company22.com
In this instance, you would not need to have any specific icsDomainAllowed attributes.
If you want to implement a no-access default, a single instance of this attribute will do it. This denies all service to all hosts, unless they are specifically permitted access by icsDomainAllowed attributes.
icsDomainNotAllowed: ALL:ALL
The following example shows how to deny access to any unknown users.
icsDomainNotAllowed: ALL:UNKNOWN@ALL
2.16.840.1.113730.3.1.737
Calendar Server 6
cis, single-valued
icsCalendarGroup, icsCalendarResource
Indicates whether a group allows double-booking of events in the group's calendar. When enabled, double-booking allows two events to be scheduled and displayed on the calendar at the same time.
For a Calendar resource, this attribute allows the resource to be booked for two events at the same time.
The icsDoublebooking attribute can have a value of 1, which allows double-booking, or 0, which prohibits double-booking.
For a group calendar, the default value is 1 (allow double-booking). For a Calendar resource, the default value is 0 (prohibit double-booking).
icsDoublebooking:1
icsDoublebooking:0
1.3.6.1.4.1.42.2.27.9.1.787
Calendar Server 5.1.1
cis, multi-valued
The list of all possible back end hosts used for calendars found in this domain. This attribute is required if the calendar installation is using the Database Wire Protocol (DWP).
icsDWPBackEndHosts: machine1
icsDWPBackEndHosts: machine2
1.3.6.1.4.1.42.2.27.9.1.5
Calendar Server.1
cis, single-valued, ASCII
icsCalendarDWPHost, icsCalendarGroup, icsCalendarResource, icsCalendarUser
Stores a DWP host name so that the calendar ID can be resolved to the Database Wire Protocol (DWP) server that stores the calendar and its data. When the calendar database is distributed across several back-end servers, the attribute value is the DNS name of the back-end server hosting the user, group, or resource. Each user’s, group's, or resource's entire calendar will be on a single back-end server. Required if using the Calendar Lookup Database (CLD).
This attribute is required if the Calendar installation is using DWP to distribute calendar data across back end calendar data servers. If DWP is not being used, every user’s calendar will be found on the same host as the calendar server. If an installation initially does not use DWP, but later switches to it, the calendar server will fill in this value based on the default DWP host name found in the domain entry. If there is no value or such entry (calendar server is not in hosted domain mode) then the value will be picked up from the ics.conf configuration file.
icsDWPHost:calserv1
1.3.6.1.4.1.42.2.27.9.1.1
Calendar Server 5.1.1
cis, multi-valued
Extensions for calendar. Reserved.
No example given.
2.16.840.1.113730.3.1.738
Calendar Server
cis, multi-valued
Preferences for calendar domains can be set using the properties found in icsExtendedDomainPrefs. Each attribute value is a property-value pair.
The format is
icsExtendedDomainPrefs:property=value
The icsExtendedDomainPrefs attribute is multi-valued, but each attribute:property pair can be used only once. For example, use icsExtendedDomainPrefs:domainAccess=value only once.
The default settings for these properties are found in the domain server’s ics.conf file. In the absence of this attribute, the ics.conf settings will be used.
Table 3–2 Domain Preferences
icsExtendedDomainPrefs: createLowerCase=yes
icsExtendedDomainPrefs: domainAccess=@@d^a^slfrwd^g;anonymous^a^r^g;@^a^s^g
In this example, any external domain matching the access rights shown above can search this domain.
2.16.840.1.113730.3.1.739
Calendar Server
cis
Extensions for calendar group preferences. Reserved.
No example given.
2.16.840.1.113730.3.1.740
Not implemented.
cis
Not yet assigned.
Reserved, not implemented.
No example given.
2.16.840.1.113730.3.1.741
Calendar Server
cis, multi-valued
Extensions for calendar user preferences. The attribute value is a property-value pair. The following are the properties and their values:
Table 3–3 Extended User Preferences
Properties | Values | Description |
---|---|---|
ceAllCalendarTZIDS | a standard time zone | Time zone TZID for this calendar. |
ceClock | 12, 24 | Defines whether a 12 or 24 hour clock is used. |
ceColorSet | pref_group1 pref_group2 pref_group3 pref_group4 pref_group7 | Defines which of the five UI color schemes to use. |
ceDateOrder | M/D/Y D/M/Y Y/M/D | Determines the display order of the three date elements: month (M), day (D), and year (Y). |
ceDateSeparator | Any single printable character. For example: / or - | The single character used to delimit displayed date elements. For example, a date can be delimited with a /, such as 12/22/2002, or with a -, such as 12–22–2002. |
ceDayHead | 0–23 | Start time hour (expressed as one of 24 hours in a day) for displaying calendar information. |
ceDayTail | 0–23 | End time hour (expressed as one of 24 hours in a day) for displaying calendar information. |
ceDefaultAgenda | unused | Not currently implemented. |
ceDefaultAlarmEmail | email addresses separated by white space | Email addresses that event alarms are sent to. |
ceDefaultAlarmStart | P[unit count][unit type] | Amount of time before the event an alarm should be sent, where unit count is any numeric value, and unit type is either M (minutes), H (hours), or D (days). For example: P10M |
ceDefaultTZID | one of standard time zones. For a list of time zones, see Standard Time Zones. | Time zone to use when a calendar does not have one assigned to it. |
ceDefaultView | dayview weekview monthview yearview groupview | View to be presented at log in. If this parameter is not present, overview is used as the default. |
ceExludeSatSun | boolean (0, 1) | Calendars don’t display if the value is set to 1. Default is the value set to 0. |
ceFontFace | One of these values: 1) Times New Roman, Times, serif 2) Courier New, Courier, noon 3) PrimaSans BT, Verdana, sans-serif | Three choices of font face to be used in the user interface. |
ceFontSizeDelta | pref_font_size_group_2 (normal) pref_font_size_group_1 (larger) pref_font_size_group_3 (smaller) | Defines three font sizes for the user interface. In the interface they are defined as: normal, larger, smaller. |
ceGroupInviteAll | boolean (0, 1) | When creating an invitation while viewing a group, invite all calendars in the group when the value is set to 1; default is 1. |
ceInterval | PT0H15M PT0H30M PT1H0M PT2H0M PT4H0M | Defines the time interval to be used when displaying calendar information. Intervals are: 15 min., 30 min., 1 hour, 2 hours, 4 hours. |
ceNotifyEmail | any valid RFC 822 email address | Email address that notifications are mailed to when the calendar receives an invitation to an event. |
ceNotifyEnable | 0, 1 | Enables/disables email notifications being sent when the calendar receives an invitation to an event. 0 = do not send notifications, 1 = send notifications |
ceSingleCalendarTZID | any valid time zone. For a list of valid time zones, see Standard Time Zones. | Lists the time zone assigned to this calendar. If the parameter is not sent, the default time zone is used. For example: America/Los_Angeles |
ceToolImage | 0, 1 | Toggle for the user interface display of icon images on the toolbar. 0 = do not display icons, 1 = display icons (default) |
ceToolText | 0, 1 | Toggle for the user interface display of icon text on the toolbar. 0 = do not display text with the icon, 1 = display text with the icon (default) |
Regarding ceToolImage and ceToolText: the user interface only allows three possibilities for the toolbar: icons and text (attributes values 1, 1), icons only (attributes values 1, 0), and text only (attributes values 0, 1). It does not allow the user to turn off both icons and text (attributes values 0, 0).
icsextendeduserprefs: ceClock=12
icsextendeduserprefs: ceColorSet=pref_group_1
icsextendeduserprefs: ceDateOrder=D/M/Y
icsextendeduserprefs: ceDateSeparator=/
icsextendeduserprefs: ceDayHead=10
icsextendeduserprefs: ceDayTail=17
icsextendeduserprefs: ceDefaultAlarmEmail=jdoe@sesta.com
icsextendeduserprefs: ceDefaultAlarmStart=P30H
icsextendeduserprefs: ceDefaultTZID=America/New_York
icsextendeduserprefs: ceDefaultView=groupview
icsextendeduserprefs: ceFontFace=PrimaSans BT,Verdana,sans-serif
icsextendeduserprefs: ceFontSizeDelta=pref_font_size_group_3
icsextendeduserprefs: ceInterval=PT2H0M
icsextendeduserprefs: ceNotifyEmail=jdoe@sesta.com
icsextendeduserprefs: ceNotifyEnable=0
icsextendeduserprefs: ceSingleCalendarTZID=America/Los_Angeles
icsextendeduserprefs: ceToolText=1
icsextendeduserprefs: ceToolImage=1
2.16.840.1.113730.3.1.742
Calendar Server
cis, single-valued
First day of the week to be displayed on user’s calendar.
Range of values: 1–7, with the values assigned as follows:
1 = Sunday
2 = Monday
3 = Tuesday
4 = Wednesday
5 = Thursday
6 = Friday
7 = Saturday
icsFirstDay: 1
2.16.840.1.113730.3.1.743
Not implemented.
ces, single-valued
Not yet assigned.
Reserved, not implemented.
No example given.
2.16.840.1.113730.3.1.744
Not implemented.
cis, single-valued
Latitude; longitude
Not yet identified.
Reserved, not implemented.
Geographical location of user or resource.
This class exists only for compliance with the RFC spec and is not used.
2.16.840.1.113730.3.1.745
Calendar Server
ces
The valid calendar IDs for mandatory subscribed calendars for all users in a domain.
icsMandatorySubscribed: ConfRm1@sesta.com:meetings
2.16.840.1.113730.3.1.746
Calendar Server
cis
The mandatory default view for all calendars in a domain. Views are: overview, day, week, month, year, comparison.
icsMandatoryView: overview
2.16.840.1.113730.3.1.747
Not implemented.
cis, single-valued, ASCII
icsCalendarResource, icsCalendarUser
Reserved, not implemented.
The name of the partition that holds a calendar database. There is no default value.
icsPartition: partition1
1.3.6.1.4.1.42.2.27.9.1.4
Not implemented.
cis, single-valued
Not yet defined.
Reserved, not implemented.
Specifies the preferred host for this calendar. This attribute is used by clients to retrieve the front-end-host server name.
No example given.
2.16.840.1.113730.3.1.749
Not implemented.
integer, single-valued
Not yet specified.
Reserved, not implemented.
No example given.
2.16.840.1.113730.3.1.748
Calendar Server
integer, single-valued
Maximum number of instances created for events and todos with infinite recurrence. The value is taken from the ics.conf setting calstore.recurrence.bound.
icsRecurrenceBound: 60
2.16.840.1.113730.3.1.750
Calendar Server
cis, single-valued
An ISO 8601 date/time string specifying the maximum date for events and todos with infinite recurrence.
icsRecurrenceDate: 20300365T115959Z
2.16.840.1.113730.3.1.751
Calendar Server.1
ces, multi-valued, UTF 8
Stores regular expressions used to divide the LDAP database between servers.
icsRegularExpressions: A–F,G–L,M–T,U–Z
A–F, G–L, M–T, U–Z are possible values for instances of this attribute and describe a database divided alphabetically between four servers.
1.3.6.1.4.1.42.2.27.9.1.2
Calendar Server 6
dn, multi-valued
icsCalendarGroup, icsCalendarResource
Identifies the distinguished names (DNs) of co-owners of a group Calendar or Calendar resource. Like the primary owner, the users identified with icsSecondaryowners have administrative privileges over the Calendar group or Calendar resource entry.
The co-owners must be Calendar users in the same domain as the group or resource. That is, Calendar service must be assigned to the co-owners as well as to the Calendar group or resource.
icsSecondaryowners:cn=John Smith,o=Sesta,c=US
1.3.6.1.4.1.42.2.27.9.1.785
Calendar Server
integer, single-valued
Number of seconds of inactivity before a user session is timed out. Read from ics.conf setting service.http.idletimeout.
icsSessionTimeout: 600
2.16.840.1.113730.3.1.752
Calendar Server
cis, multi-valued
icsAnonymousSet, icsCalendarUser,icsDefaultAnonymousSet
Defines one group of calendars. End users create these groups for various tasks. Each group is represented by one icsSet attribute, that is, for every group the user creates there will be one icsSet attribute. For example, if the user has three groups defined, there will be three icsSet attributes.
The value for this attribute is a six-part string, with each part separated by a dollar sign ($).
The following table shows the six parts of this attribute’s value:
Table 3–4 Six Parts of the Attribute Value
Part | Required? | Description |
---|---|---|
name | Required | The display name of this group. |
calendars | Required | A semi-colon-separated list of calendar IDs (calid) that comprise this group. |
tzmode | Required | Three possible values: default, inherit, specify. The value that tells where the time zone for this group comes from. default: take user’s default time zone; inherit: take the time zone of the first calendar in the group; specify: take the time zone from the tz value that follows. |
tz | Not Required, unless tzmode = specify | A valid time zone for this group. For a list of acceptable values, see Standard Time Zones. Value is optional unless tzmode = specify, then it is required. |
mergeInDayView | Required | A boolean (TRUE/FALSE). The value tells whether to display this group in the Day view (TRUE) or the Comparison view (FALSE) |
description | Not Required | Character string. Optional description of the calendar. |
The value of this attribute should all be on one line or if you wish to break a line, start the next line with a single space or tab.
icsSet: name=GroupName$calendars=calid1;calid2;calid3$
 tzmode=specify$tz=America/Los_Angeles$mergeInDayView=FALSE$
 description=Example group of calendars.
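A parser for the six-part icsSet value, as an added example that is not part of the original reference: it joins continuation lines, splits the value on the dollar sign, and enforces the required parts from Table 3–4, including the rule that tz is required when tzmode is specify. It assumes each part is written as key=value, that no part contains a dollar sign, and that unknown keys should be rejected; the function names are hypothetical.

```python
TZMODES = {"default", "inherit", "specify"}
REQUIRED = ("name", "calendars", "tzmode", "mergeInDayView")
KNOWN = REQUIRED + ("tz", "description")

# Constructed sample entry text, using the example value from this section
# broken across lines with a leading single space on each continuation line.
SAMPLE = (
    "icsSet: name=GroupName$calendars=calid1;calid2;calid3$\n"
    " tzmode=specify$tz=America/Los_Angeles$mergeInDayView=FALSE$\n"
    " description=Example group of calendars.\n"
)


def unfold(text):
    """Join lines that start with one space or tab onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]  # drop only the single folding character
        elif line.strip():
            lines.append(line)
    return lines


def parse_ics_set(value):
    """Parse one icsSet value into a dict, raising ValueError if malformed."""
    parts = {}
    for chunk in value.split("$"):
        if not chunk.strip():
            continue  # tolerate a trailing separator
        key, sep, val = chunk.partition("=")
        key = key.strip()
        if not sep or key not in KNOWN:
            raise ValueError(f"unexpected part: {chunk!r}")
        if key in parts:
            raise ValueError(f"part given twice: {key}")
        parts[key] = val.strip()

    missing = [k for k in REQUIRED if not parts.get(k)]
    if missing:
        raise ValueError(f"missing required part(s): {', '.join(missing)}")
    if parts["tzmode"] not in TZMODES:
        raise ValueError(f"invalid tzmode: {parts['tzmode']!r}")
    if parts["tzmode"] == "specify" and not parts.get("tz"):
        raise ValueError("tzmode=specify requires a tz value")
    if parts["mergeInDayView"] not in ("TRUE", "FALSE"):
        raise ValueError("mergeInDayView must be TRUE or FALSE")

    parts["calendars"] = [c for c in parts["calendars"].split(";") if c]
    parts["mergeInDayView"] = parts["mergeInDayView"] == "TRUE"
    return parts


def parse_entry(text):
    """Return the parsed icsSet values found in a block of entry text."""
    sets = []
    for line in unfold(text):
        name, _, value = line.partition(":")
        if name.strip().lower() == "icsset":
            sets.append(parse_ics_set(value.strip()))
    return sets


if __name__ == "__main__":
    for group in parse_entry(SAMPLE):
        print(group)
```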
2.16.840.1.113730.3.1.753
Calendar Server
ces, single-valued
The alternate location of all client HTML files. A directory path that is relative to the installed client HTML files. The default value comes from the ics.conf setting service.http.uidir.path.
icsSourceHtml lists the values for this attribute.
Table 3–5 Alternate Locations for Client HTML files.
Parameters | Value | Definition |
---|---|---|
sourceUrl | directory | Directory relative to executable, where all URL references to files are stored. |
uiDirPath | directory | Directory containing the default client. If only WCAP access is allowed, value is "". |
calHostname | hostname | HTTP host for retrieving HTML documents. |
icsSourceHtml: calHostname=calhost1
2.16.840.1.113730.3.1.754
Calendar Server
cis, single-valued
icsCalendarDomain, icsCalendarDWPHost, icsCalendarGroup, icsCalendarResource, icsCalendarUser
If this attribute is used with icsCalendarDomain, the attribute must be set when assigning calendar services to a domain. The attribute describes the status of this domain’s calendar service with one of the values specified in icsStatus.
If the attribute is set for a user (icsCalendarUser), group (icsCalendarGroup), or resource (icsCalendarResource), the value of icsStatus affects the availability of the calendar for that individual entry.
See Table 3–6, below, for definitions of the attribute's values.
If this attribute is not set, the icsAllowedServiceAccess attribute is checked. If present and the value of that attribute is http, then calendar services are disabled for the user or group (the user or group status is inactive). If icsAllowedServiceAccess has any other value, or if both attributes are missing, then the default user or group status is active.
Calendar services evaluate the following status attributes in order: inetDomainStatus, icsStatus (for icsCalendarDomain), either inetResourceStatus or inetUserStatus, and icsStatus (for icsCalendarResource, icsCalendarUser, or icsCalendarGroup).
The rule is: the first of these attributes that is set to something other than active takes precedence over all the others.
When this attribute is set for a domain, the following status values apply to all users, groups, and resources in the domain.
When this attribute is set for a user, group, or resource, the following status values apply only to that individual entry.
Table 3–6 Calendar Status Values
Status | Definition |
---|---|
active | The user, group, or resource, or all users, groups, and resources in this domain, have access to calendar services. |
inactive | Calendar services are blocked for this user, group, or resource, or for any users, groups, or resources in this domain, until the status is changed to active again. Calendars remain in the database and the LDAP entry remains. |
deleted | This user, group, or resource entry is marked for deletion. Calendar service is blocked for the user, group, or resource, or for any users, groups, or resources in this domain. It is marked for deletion. Calendars will be removed from the database and the LDAP attributes that control the calendar’s service will be removed. Specifically, the entry is a candidate for cleanup by the csclean utility. After csclean removes the calendar, it sets the value of icsStatus to removed. All the entries remain in the directory, but object classes having to do only with calendars for these users, resources and domains will be removed. For example, icsCalendarUser, icsCalendarResource, icsCalendarDomain will be removed. In addition all attributes with the ics prefix will be removed. For resources, it means that the resources associated with this object are to be removed from the calendar system, but the entry remains in the directory. For domains, all calendars associated with all the users and resources within that domain are to be removed. |
removed | Indicates that the resource (calendar) associated with this entry has been removed. In addition, the entry itself is marked to be purged from the LDAP directory. If icsStatus is set at the domain level, all entries with calendar service in the domain are set to be removed. All calendar service is blocked for the entry (or entries). This setting allows the Delegated Administrator commadmin domain purge command to remove the entry (or entries) from the LDAP directory. |
icsStatus: active
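The evaluation order and the icsAllowedServiceAccess fallback described above, written out as an added example for auditing which attribute decides a user's calendar access (this is not Calendar Server code, and the function names are hypothetical). Assumptions: an unrecognized icsStatus value and a missing domain-level icsStatus are handled like the missing/illegal rule this chapter states for inetDomainStatus, and inetUserStatus takes the same three values as inetDomainStatus.

```python
# Legal values taken from the status tables in this chapter.
INET_VALUES = {"active", "inactive", "deleted"}
ICS_VALUES = {"active", "inactive", "deleted", "removed"}   # Table 3-6


def normalize(value, legal):
    """Missing value -> active; illegal value -> inactive."""
    if value is None:
        return "active"
    value = value.strip().lower()          # the attributes are case-insensitive (cis)
    return value if value in legal else "inactive"


def user_ics_status(user):
    """icsStatus of a user entry, falling back to icsAllowedServiceAccess."""
    raw = user.get("icsStatus")
    if raw is not None:
        return normalize(raw, ICS_VALUES)  # assumption: illegal -> inactive
    # icsStatus not set: a value of http disables calendar services.
    if user.get("icsAllowedServiceAccess") == "http":
        return "inactive"
    return "active"


def effective_calendar_status(domain, user):
    """Return (status, deciding_attribute) for a user's calendar access.

    domain and user are dicts of single-valued attributes read from the
    domain entry and the user entry. The first attribute in the chain that
    is not active decides; if all are active the result is ("active", None).
    """
    chain = [
        ("inetDomainStatus", normalize(domain.get("inetDomainStatus"), INET_VALUES)),
        # Assumption: a missing domain-level icsStatus is treated as active.
        ("icsStatus (icsCalendarDomain)", normalize(domain.get("icsStatus"), ICS_VALUES)),
        # Assumption: inetUserStatus uses the same value set as inetDomainStatus.
        ("inetUserStatus", normalize(user.get("inetUserStatus"), INET_VALUES)),
        ("icsStatus (icsCalendarUser)", user_ics_status(user)),
    ]
    for attribute, status in chain:
        if status != "active":
            return status, attribute
    return "active", None


if __name__ == "__main__":
    # Constructed entries for illustration.
    domain = {"inetDomainStatus": "active", "icsStatus": "active"}
    users = {
        "jdoe": {"inetUserStatus": "inactive", "icsStatus": "deleted"},
        "jsmith": {"icsAllowedServiceAccess": "http"},
        "hugo": {},
    }
    for uid, entry in users.items():
        print(uid, effective_calendar_status(domain, entry))
```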
2.16.840.1.113730.3.1.755
Calendar Server
ces, multi-valued
List of calendars to which this user is subscribed. This includes all the calendars that the user owns, as well as any calendars owned by others to which the owner subscribes.
The value of this attribute is the calendar ID and optionally, the calendar name, with a dollar sign ($) between them, when present.
icsSubscribed: jdoe$MyHomeCalendar
icsSubscribed: jsmith
2.16.840.1.113730.3.1.756
Calendar Server
cis
icsCalendarResource, icsCalendarGroup, icsCalendarUser
The default time zone for this user, group, or resource calendar. Specifically, a valid time zone from the list found in Standard Time Zones. The value is taken from the ics.conf setting calstore.default.timezoneID.
For a user, a time zone can be assigned explicitly through the user preferences attribute (see icsExtendedUserPrefs), which overrides the domain-level default.
icsTimezone: America/Chicago
2.16.840.1.113730.3.1.757
Messaging Server 5.0
cis, single-valued
For Messaging Server, this attribute specifies the canonical domain name used to map a user entry to the correct organization entry when more than one organization entry exists.
The mail processes use information stored in the organization entry to locate a user's mailbox in the message store. If a user has multiple identities in different domains (associated with the different organization entries), the mail processes need to determine which organization entry to use to find the correct mailbox. The inetCanonicalDomainName attribute points to this canonical organization. If inetCanonicalDomainName were not used, a user with multiple user IDs (in multiple domains) would have a different mailbox for each domain.
Typically, the value of inetCanonicalDomainName is a fully qualified domain name, although this is not an absolute requirement.
The inetCanonicalDomainName attribute is used in LDAP Schema 2 and LDAP Schema 1. For an explanation of Schema 1 and Schema 2 LDAP structures, see the Sun Java Communications Suite Deployment Planning Guide and Sun Java Communications Suite Schema Migration Guide.
In Schema 2, the directory can have two types of organization nodes: base and index. Base nodes appear at the root of the directory tree and contain the organization's data (users and groups).
Typically, index nodes for the organization are created if a deployment involves more than one logical grouping of the same physical data. An index node can appear anywhere in the directory.
Moreover, some LDAP administrators need to create a directory structure in which one organization node is placed above another, and the user data exists below both organization nodes. (You might have to do this to maintain the structure of a legacy user directory or to merge an existing user domain with a recently acquired domain.)
If the directory contains multiple index nodes for the organization or nested organization nodes, a user entry can “belong” logically to more than one organization node. An application such as Messaging Server must determine which organization is the canonical one in order to resolve a domain search and correctly identify the user's mailbox.
In this situation, you must decorate all the non-canonical organization entries with the inetCanonicalDomainName attribute, which specifies the domain name of the organization's base node. Its value must be the same as that of the sunPreferredDomain attribute in the organization's base node.
If the inetCanonicalDomainName attribute is missing and there are multiple organization nodes referring to the organization's base node, the mail processes could possibly use the wrong domain name when trying to open users’ mailboxes.
Note that it serves no purpose to decorate the canonical domain entry itself with the inetCanonicalDomainName attribute. If you do, it must have the same value as sunPreferredDomain.
If you want multiple domains to have the same attribute settings, you should not create multiple organization nodes. Instead, add associatedDomain to the organization's base node to specify the DNS domain name aliases. (Add one instance of associatedDomain for each domain name alias.) If the organization's base node is not the canonical domain, then it must contain the sunPreferredDomain attribute.
In Schema 1, the inetCanonicalDomainName attribute is used for the same purpose as in Schema 2, but it is used with DC nodes in the DC tree.
This attribute is used when more than one DC node in a DC tree refers to the same base node of a user/group tree for a particular domain in the Organization tree. (There can be only one canonical domain name for a domain's user/group base node in the Organization tree, but there can be many DC nodes referring to the same user/group base node.)
In Schema 1, this attribute is not necessary if there is only one DC node referring to a domain's user/group base node. If the attribute is missing, the DC node entry is taken for the canonical domain name.
If this attribute is missing and there are multiple DC nodes referring to the same user/group base node, the mail processes could possibly use the wrong domain name when trying to open users’ mailboxes.
Using multiple domain nodes to point to the same user/group base node allows you to have different attribute settings (for example, to achieve different routing) for each one. If you want to be sure the two domains have the same attribute settings (for example, to ensure that they are routed identically), use aliasedObjectName on the duplicate node instead.
Suppose the directory contains a base node, o=sesta, to store a corporation's user data. In addition, there is an index node, o=sesta2, which points to an overlapping subset of users. In this example, sesta.com is the canonical domain name.
To identify the actual organization node, you must decorate the non-canonical organization entry (the index node) with the value of the canonical organization node, inetCanonicalDomainName:sesta.com:
dn:o=sesta,o=rootsuffix
sunPreferredDomain:sesta.com

dn:o=sesta2,o=sesta,o=rootsuffix
inetDomainBaseDN:o=sesta,o=rootsuffix
inetCanonicalDomainName:sesta.com
Assume the two organization nodes, o=sesta and o=sesta2, are decorated as shown in Example 1. The user jdoe logs in to Messaging Server with the following user ID:
jdoe@sesta2.com
In this example, there can be only one LDAP entry for the user jdoe.
In this case, Messaging Server performs one or more lookups to determine jdoe's canonical user ID, which consists of the user's uid followed by @ and the user's canonical domain name.
Messaging Server looks up the value of the inetCanonicalDomainName attribute in the sesta2 organization entry. It then replaces the original domain name in the login ID, sesta2, with the canonical domain name, sesta.
Using the canonical user ID, Messaging Server opens jdoe's correct mailbox, which displays all of jdoe's messages, including messages sent to jdoe@sesta2.com, to jdoe@sesta.com, and to any other domain or alias domain associated with jdoe.
Assume the same directory tree layout as is shown in Example 1, but now inetCanonicalDomainName is not used. The user jdoe logs in to Messaging Server with the following user ID:
jdoe@sesta2.com
As in Example 2 (shown above), there can be only one LDAP entry for the user jdoe.
In this case, Messaging Server performs the same lookups it performs in Example 2.
However, because the sesta2 organization entry does not contain the inetCanonicalDomainName attribute, Messaging Server uses the user ID <uid>@sesta2.com to determine which mailbox to open. A second mailbox associated with the sesta2 domain is created (or, if it already exists, opened).
In this mailbox, the user jdoe sees only messages sent to the sesta2 domain; jdoe has no access to any other messages. All other messages are contained in the mailbox associated with the canonical domain.
In a Schema 1 scenario, if two DC Tree nodes exist, dc=sesta and dc=sesta2, both referring to the user/group base node o=sesta, then you must specify the canonical domain name as follows:
dn:dc=sesta,dc=com,o=internet
inetDomainBaseDN:o=sesta.com

dn:dc=sesta2,dc=com,o=internet
inetDomainBaseDN: o=sesta.com
inetCanonicalDomainName:sesta.com
2.16.840.1.113730.3.1.701
Messaging Server 5.0
cis, multi-valued
(Organization tree domain) Specifies the name of the Class of Service (CoS) template supplying values for attributes in the user entry. The RDN of the CoS template is the value of this attribute. Attribute values provided by the template and any override rules are specified in the CoS definition. CoS definitions are created by using the object class cosDefinition. The value of the cosSpecifier attribute in the CoS definition entry is set to inetCoS. Create CoS definitions and templates in the container ou=CoS in the subtree for that domain.
inetCoS: HallofFame
2.16.840.1.113730.3.1.706
Messaging Server 5.0
dn, single-valued
inetDomain, sunManagedOrganization
In Schema 2, this attribute decorates index nodes configured to support multiple logical groupings that point to the same physical data. In Schema 1, the attribute decorates domain nodes on the DC Tree when in compatibility mode.
Schema 2
When your deployment comprises multiple logical groupings pointing to the same physical data, the directory may be configured to contain index nodes. Each index node must include the attribute inetDomainBaseDN; the attribute's value must point to the physical node under which the physical data is contained. The physical node must be decorated with the sunManagedOrganization object class.
Schema 1
The two domains, the alias and the referenced domain, can have different attribute values, such that routing will differ between the two. If you want to ensure routing is the same, the attribute values of both domains must be identical.
DN of the organization’s subtree where all user/group entries are stored. This attribute points to a valid Organization subtree DN. Messaging Server components using the RFC 2247 search (compatibility mode) must resolve this DN in order to search for user and group entries that correspond to the hosted organization.
inetDomainBaseDN: o=sesta.com,o=siroe-isp.com
2.16.840.1.113730.3.1.690
Messaging Server 5.0
cis, multi-valued
Reserved.
No example given.
2.16.840.1.113730.3.1.700
Messaging Server 5.0
cis, single-valued
LDAP search filter to use in search templates when performing a native mode search. The compatibility mode RFC 2247 algorithm search requires this attribute, but ignores its value.
Used during authentication to map login name in that domain to an LDAP entry.
The following variables can be used in constructing the filter:
%U: Name part of the login name (that is, everything before the login separator stored in the server's configuration)
%V: Domain part of the login string
%o: Original login ID entered by the user
If this attribute is missing, it is equivalent to:
(&(objectclass=inetOrgPerson)(uid=%U))
Namespaces where users are provisioned with compound uids, such as uid=john_siroe.com, where john is the userID and siroe.com is the domain, would use a search filter of uid=%U_%V. This maps a login string of john@siroe.com (where @ is the login separator for the service) into a search request by the service for an entry’s namespace of siroe.com, where uid=john_siroe.com.
An alternate example of using this attribute would be for sites wanting to log people in based on their employee identification. Assuming the attribute empID in user entries stores employee identifications, the search filter would be:
(&(objectclass=inetOrgPerson)(empID=%U)).
This attribute must return a unique match for valid users within the inetDomainBaseDN subtree.
inetDomainSearchFilter: uid=%U
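The %U, %V and %o substitution described above, as an added example (not Messaging Server code; the function names are hypothetical). It escapes each substituted value per RFC 4515 so that a login string containing filter metacharacters stays a literal value, and it enforces the unique-match requirement on the search result.

```python
import re

# Default stated above for a missing inetDomainSearchFilter.
DEFAULT_FILTER = "(&(objectclass=inetOrgPerson)(uid=%U))"

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it can only ever be a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_login(login, separator="@", default_domain=""):
    """Split a login string into (%U, %V) at the service's login separator."""
    name, found, domain = login.partition(separator)
    return name, (domain if found else default_domain)


def expand_search_filter(template, login, separator="@", default_domain=""):
    """Substitute %U, %V and %o into the template, escaping each value."""
    name, domain = split_login(login, separator, default_domain)
    values = {"U": name, "V": domain, "o": login}
    return re.sub(r"%([UVo])",
                  lambda m: escape_filter_value(values[m.group(1)]),
                  template or DEFAULT_FILTER)


def pick_unique_entry(matching_dns):
    """Reject the login unless the filter matched exactly one entry."""
    if len(matching_dns) != 1:
        raise LookupError("filter matched %d entries, expected 1" % len(matching_dns))
    return matching_dns[0]


if __name__ == "__main__":
    # Constructed login strings; the last one contains filter metacharacters.
    for login in ("john@siroe.com", "jdoe@sesta.com", "jd*e)(x@sesta.com"):
        print(login, "->", expand_search_filter("uid=%U_%V", login))
    print(expand_search_filter(None, "jd*e)(x@sesta.com"))
```

Without the escaping step, the metacharacters in the last login would become part of the filter structure and could widen the match beyond the intended uid.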
2.16.840.1.113730.3.1.699
Messaging Server 5.0
cis, single-valued
Applications using a DC Tree as their entry point (RFC 2247 compliant compatibility mode LDAP data model) may choose to respect application-specific status attributes, but must consume and respect this attribute on the affiliated physical node (Organization Tree). In other words, for compatibility mode, both the DC Tree and the Organization Tree contain this attribute, and if the two attributes’ values differ, the one on the Organization Tree takes precedence.
Specifies the global status of a domain for all services. The intent of this attribute is to allow the administrator to temporarily suspend and then reactivate access, or to permanently remove access, by the domain and all its users to all the services enabled for that domain.
This attribute takes one of three values. Supported values are:
Table 3–7 Status Attribute Values
Value | Description |
---|---|
active | Domain is active and users in the domain may use services enabled by the overlay of service-specific object classes and the service state as indicated by the particular status attribute for that service. |
inactive | Domain is inactive. The account may not use any services granted by service-specific object classes. This state overrides individual service status set using the service’s status attributes. |
deleted | Domain is marked as deleted. The account may remain in this state within the directory for some time (pending purging of deleted users). Service requests for all users in a domain marked as deleted will return permanent failures. |
A missing value implies status is active. An illegal value is treated as inactive.
There are four status attributes that mail services look at and which are evaluated in this order: inetDomainStatus, mailDomainStatus, inetUserStatus, and mailUserStatus. The rule is: the first of these attributes that is set to something other than active takes precedence over all the others.
Similarly, this attribute is used for calendar services when evaluating status. The status attributes used are: inetDomainStatus, icsStatus (of icsCalendarDomain), either inetResourceStatus or inetUserStatus, and icsStatus (of either icsCalendarResource or icsCalendarUser).
In addition, in compatibility mode, when this attribute decorates both the DC Tree and the Organization Tree, both attributes should agree. Administrators are responsible for keeping the two synchronized. If the two attributes do not have the same value, Messaging Server will use the value found in the Organization Tree, while some other legacy application might be using the DC Tree attribute only. This could cause unpredictable results.
For more information on native and compatibility mode LDAP schemes, see the Sun Java Enterprise System Installation Guide.
inetDomainStatus: active
2.16.840.1.113730.3.1.691
Messaging Server 5.0
cis, single-valued
Current status of a mail group.
The following table lists the possible status values and gives a description of each:
Value | Description |
---|---|
active | Messages are delivered to the members of the mailing list. |
inactive | Messages sent to the mailing list result in a transient failure. |
disabled | Mailing list is disabled. Messages sent to the mailing list result in a permanent failure returned to the sending MTA with text specified by the ERROR_TEXT_DISABLED_GROUP MTA option. If option is not set, the message "group disabled; cannot receive new mail" will be used. |
deleted | Mailing list can be purged from the directory. Messages sent to the group return a permanent failure. |
A missing value implies status is active. An illegal value is treated as inactive.
There are four status attributes that interact with each other: inetDomainStatus, mailDomainStatus, inetGroupStatus, and inetMailGroupStatus. These are considered in the order just given. The first one with a status of active takes precedence over the setting of all the others.
The MTA option LDAP_GROUP_STATUS can be used to specify a different attribute to be used for group status.
inetMailGroupStatus:active
2.16.840.1.113730.3.1.786
Calendar Server
cis, single-valued
This is a global status for resources. It holds the current status of the resource: active, inactive, or deleted for all services. It is used by Access Manager to manage resources. A resource’s status can be changed using the commcli interface, or by directly changing the LDAP entry for the group.
The following table lists the attribute’s values and their meanings:
Table 3–8 Status Attribute Values
Value | Description |
---|---|
active | The resource is active and it may be used in services enabled by the overlay of service-specific object classes and the service state as indicated by the particular status attribute for that service. |
inactive | Resource is inactive. The resource may not be used in any services granted by service-specific object classes. This state overrides individual service status set using the service’s status attributes. |
deleted | Resource is marked as deleted. The resource may remain in this state within the directory for some time (pending purging of deleted resources). Service requests for all resources marked as deleted will return permanent failures. |
There are several status attributes that are evaluated to determine status. They are evaluated in this order: inetDomainStatus, icsStatus (for icsCalendarDomain), inetResourceStatus, icsStatus (for icsCalendarResource). These are considered in the order just given. The first one with a status of active takes precedence over the setting of all the others.
inetResourceStatus: active
2.16.840.1.113730.3.1.758
Messaging Server 5.0
cis, multi-valued
A unique account ID used for billing purposes.
inetSubscriberAccountId: A3560B0
2.16.840.1.113730.3.1.694
Messaging Server 5.0
cis, single-valued
Attribute for storing the challenge phrase used to identify the subscriber. Used in conjunction with the inetSubscriberResponse.
inetSubscriberChallenge=Mother’s Maiden Name
2.16.840.1.113730.3.1.695
Messaging Server 5.0
cis, single-valued
Attribute for storing the response to the challenge phrase.
inetSubscriberResponse=Mamasita
2.16.840.1.113730.3.1.696
Messaging Server 5.0, deprecated in Messaging Server 6.0
cis, single-valued
This attribute is deprecated for the user class inetUser starting in Messaging Server 6.0 and is likely to be removed from the object class in future versions of the schema.
User’s primary URL for publishing Web content. This is an informational attribute and may be used in phonebook-type applications. It is not intended to have any operational impact.
inetUserHttpURL: http://www.siroe.com/theotis
2.16.840.1.113730.3.1.693
Messaging Server 5.0, Calendar Server 5.1.1
cis, single-valued
Specifies the status of a user’s account with regard to global server access. This attribute enables the administrator to temporarily suspend, reactivate, or permanently remove access to all services for a user account.
The following table lists the values for this attribute:
Table 3–9 Status Attribute Values
A missing value implies status is active. An illegal value is treated as inactive.
There are four status attributes that mail services look at and which are evaluated in this order: inetDomainStatus, mailDomainStatus, inetUserStatus, and mailUserStatus. The rule is: the first of these attributes that is set to something other than active takes precedence over all the others.
For calendar services, the attributes evaluated are: inetDomainStatus, icsStatus (for icsCalendarDomain), inetUserStatus, icsStatus (for icsCalendarUser).
When this attribute applies to a static group, defined using the inetUser object class, inactivating (disabling) the group only applies to the group itself and not the users in the group.
To disable the users of a group, create a dynamic group by assigning roles to the users, and then disable the role (which disables all users assigned to that role). For more information about roles, see the Sun Java System Directory Server Administrator’s Guide.
The MTA option LDAP_USER_STATUS can be used to specify a different attribute to be used for user status.
inetUserStatus=inactive
2.16.840.1.113730.3.1.692
Messaging Server 5.0, Calendar Server
cis, single-valued (RFC 822 address)
inetLocalMailRecipient, icsCalendarResource, icsCalendarUser, icsCalendarGroup
Identifies the primary email address for a user, Calendar group, or Calendar resource. This is the email address retrieved and displayed by white-pages lookup applications.
This attribute and mailAlternateAddress are the default attributes used for reverse searches.
mail=jdoe@sesta.com
0.9.2342.19200300.100.1.3
Messaging Server 5.0
cis, single-valued
Tells the MMP whether the users in this domain have to be preauthenticated. Permitted values are yes or no.
mailAccessProxyPreAuth=yes
2.16.840.1.113730.3.1.769
Messaging Server 5.0
cis, single-valued
This attribute tells the Messaging Multiplexor how to reconstruct the login string when replaying the login sequence with the back-end mail server. A missing attribute implies that the message access proxies construct the replay string based on the login name used by the client, the domain of the client, and the login separator used for this service. The mailAccessProxyReplay attribute overrides this default behavior when the message access proxy has a different back-end server than Communications Suite.
The syntax is that of a login string, with the following substitutions:
%U: Login name. That is, the name part of the login string, if it is a {name, domain} compound.
%V: Domain part of the login string.
%[attr]: The value of the LDAP user attribute.
If the client logs in as hugo and the domain associated with the server IP address used is yoyo.com, and mailAccessProxyReplay=%U@%V, the replayed login string is hugo@yoyo.com.
If the client logs in as hugo, and the domain associated with the server IP address used is yoyo.com, and mailAccessProxyReplay=%[surname]@%V, the replayed login string is the value of the surname attribute of the client.
If the client logs in as hugo+yoyo.com, and the login separator for the service used is +, and mailAccessProxyReplay=%U@%V, the replayed login string is hugo@yoyo.com.
If the client logs in as hugo, and the domain associated with the server IP address used is yoyo.com, and mailAccessProxyReplay is not defined, and the login separator for the service used is +, the replayed login string is hugo+yoyo.com.
2.16.840.1.113730.3.1.763
Messaging Server 5.0
cis, single-valued
Specifies the administrative role assigned to the members of the group. The only legal value for this attribute is storeAdmin. The object class that contains this attribute, inetMailAdministrator, is overlaid on a group entry to grant members of a group administrative privileges over part of the mail server. Currently the only privilege group members inherit is the right to perform proxy authentication for any user in the domain. These rights extend over users in the same domain as the one where the group is defined. To grant such privileges, the attribute mailAdminRole must be set to the value storeAdmin.
mailAdminRole: storeAdmin
2.16.840.1.113730.3.1.780
Messaging Server 5.0
cis, single-valued
Stores access filters (rules). If no rules are specified, then user is allowed access to all services from all clients. Rules are separated by a dollar sign ($). The rules are evaluated in this manner:
Access is granted if the client information matches an allow filter for that service.
Access is denied if the client information matches a deny filter for that service.
If no match is made with any allow or deny filters, access is granted, except in the case where there are allow filters but no deny filters. In this case, a lack of match means access is denied.
Note the effect of the preceding rule:
If no rule is specified for mailAllowedServiceAccess, users are allowed access to all services from all clients.
If an allow filter is explicitly specified for any service, users are denied access to all other services that are not specified.
For example, suppose you want to enable S/MIME for a domain. If you do not specify any allow filters or deny filters for mailAllowedServiceAccess, S/MIME is enabled.
Now suppose you specify an allow filter for the pop service. In this case, S/MIME is disabled until you also specify an allow filter for the smime service.
For a full explanation of access filters and an alternate way to control access through the administration console or the config utility, see “Configuring Client Access to POP, IMAP, and HTTP Services” in the Sun Java System Messaging Server 6.3 Administration Guide.
"+" or "-"service_list":"client_list
+ (allow filter) means the services in the service list are being granted to the client list.
- (deny filter) means the services are being denied to the client list.
service_list is a comma separated list of services to which access is being granted or denied.
Legal service names are: imap, imaps, pop, pops, smtp, smtps, http, and smime. Note that the MMP supports imap, imaps, pop, pops, smtp, and smime. The back-end supports imap, pop, smtp, http, and smime.
client_list is a comma separated list of clients (domains) to which access is being granted or denied.
Wild cards can be substituted for the client list (domains). The following table shows the legal wild cards and gives a description of each:
Table 3–10 Wild cards
Wild cards | Description |
---|---|
ALL, * | The universal wild card. Matches all names. |
DNSSPOOFER | Matches any host whose DNS name does not match its own IP address. |
KNOWN | Matches any host whose name and address are known. Use with care. |
LOCAL | Matches any local host (one whose name does not contain a dot character). If your installation uses only canonical names, even local host names will contain dots and thus will not match this wild card. |
UNKNOWN | Matches any host whose name or address are unknown. Use this with care. |
The following wild cards can be used for the service list: *, ALL.
The access control system supports a single operator, EXCEPT. You can use the EXCEPT operator to create exceptions to the patterns found in a rule’s service list and client list. EXCEPT clauses can be nested. If there are multiple EXCEPT clauses in a rule, they are evaluated right to left.
The EXCEPT format is:
list1 EXCEPT list2
where list1 is a comma separated list of services and list2 is a comma separated list of clients.
This example shows a single rule with multiple services and a single wild card for the client list.
mailAllowedServiceAccess: +imap,pop,http:*
This example shows multiple rules, but each rule is simplified to have only one service name and uses wild cards for the client list. (This is the most commonly used method of specifying access control in LDIF files.)
mailAllowedServiceAccess: +imap:ALL$+pop:ALL$+http:ALL
An example of how to disallow all services for a user is:
mailAllowedServiceAccess: -imap:*$-pop:*$-http:*
An example of a rule with an EXCEPT operator is:
mailAllowedServiceAccess: -ALL:ALL EXCEPT server1.sesta.com
This example denies access to all services for all clients except those on the host machine server1.sesta.com.
The following example shows how to restrict user access to SSL-encrypted POP and IMAP access only:
mailAllowedServiceAccess: +imaps,pops:*$+imap,pop:MMP IP address
In the preceding example, note that the back-end servers do not recognize the pops and imaps service names, so it is necessary to grant the MMP IP address(es) pop and imap service access. Otherwise, connections for that user between the MMP and the back-end servers will be rejected.
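The evaluation rules above (allow match, then deny match, then the default that flips to deny when only allow filters exist), as an added example for checking what a mailAllowedServiceAccess value actually permits; it is not Messaging Server code and the function names are hypothetical. Assumptions: clients are compared by exact name or address, the DNS-dependent wild cards (DNSSPOOFER, KNOWN, UNKNOWN) are rejected rather than resolved, and 192.0.2.10 is a constructed stand-in for the MMP IP address.

```python
import re

# Client wild cards that need DNS lookups; this example does not resolve names.
NEEDS_DNS = {"DNSSPOOFER", "KNOWN", "UNKNOWN"}


def parse_rules(value):
    """Split '+imap:ALL$-pop:*' into (is_allow, service_list, client_list) tuples."""
    rules = []
    for raw in (value or "").split("$"):
        raw = raw.strip()
        if not raw:
            continue
        if raw[0] not in "+-" or ":" not in raw:
            raise ValueError("malformed rule: %r" % raw)
        services, clients = raw[1:].split(":", 1)
        rules.append((raw[0] == "+", services.strip(), clients.strip()))
    return rules


def _service_token(token, service):
    return token in ("*", "ALL") or token.lower() == service.lower()


def _client_token(token, client):
    if token in ("*", "ALL"):
        return True
    if token == "LOCAL":                 # a host name without a dot character
        return "." not in client
    if token in NEEDS_DNS:
        raise NotImplementedError("%s needs name resolution" % token)
    return token.lower() == client.lower()


def _list_matches(expr, item, match_token):
    """'a,b EXCEPT c EXCEPT d' is read right to left: (a,b) unless (c unless d)."""
    parts = re.split(r"\s+EXCEPT\s+", expr, maxsplit=1)
    hit = any(match_token(t.strip(), item) for t in parts[0].split(",") if t.strip())
    if hit and len(parts) == 2:
        return not _list_matches(parts[1], item, match_token)
    return hit


def is_allowed(value, service, client):
    """Decide access for one service and one client host name or address."""
    rules = parse_rules(value)
    if not rules:
        return True                      # no rules: all services, all clients

    def matched(want_allow):
        return any(is_allow == want_allow
                   and _list_matches(services, service, _service_token)
                   and _list_matches(clients, client, _client_token)
                   for is_allow, services, clients in rules)

    if matched(True):
        return True
    if matched(False):
        return False
    # No filter matched: grant, unless there are allow filters but no deny filters.
    has_allow = any(is_allow for is_allow, _, _ in rules)
    has_deny = any(not is_allow for is_allow, _, _ in rules)
    return not (has_allow and not has_deny)


if __name__ == "__main__":
    # Constructed checks: (attribute value, service, client).
    ssl_only = "+imaps,pops:*$+imap,pop:192.0.2.10"
    for value, service, client in [
        ("+pop:ALL", "smime", "client1.sesta.com"),
        ("-ALL:ALL EXCEPT server1.sesta.com", "imap", "server1.sesta.com"),
        (ssl_only, "imap", "client1.sesta.com"),
        (ssl_only, "imap", "192.0.2.10"),
    ]:
        print(value, service, client, "->", is_allowed(value, service, client))
```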
2.16.840.1.113730.3.1.777
Messaging Server 5.0
cis, multi-valued
inetLocalMailRecipient, pabPerson
Alternate RFC 822 email address of this recipient. If the MTA receives mail with a “to” header with this email address, it rewrites the header with the value of the mail attribute and routes the email to that inbox. The reverse-pointing addresses are rewritten from the value of any of a user's mailAlternateAddress attributes to the value of the user's mail attribute. (That is, the MTA will rewrite the following headers, if they match this attribute, to the value of the user's mail attribute.)
The mailEquivalentAddress attribute works similarly to route the email, but does not rewrite the header.
The local part of the address may be omitted to designate a user/group as the catchall address. A catchall domain address is an address that will receive mail to a specified domain if the MTA does not find an exact user address match with that domain.
This attribute and mail are the default attributes used for reverse searches.
mailAlternateAddress: jdoe@sesta.com
To specify a mail catchall address:
mailAlternateAddress: @sesta.com
2.16.840.1.113730.3.1.13
Messaging Server 5.2
cis, multi-valued
The string values given by this and other opt in attributes are collected and passed to the filtering agent being used (for instance, Brightmail).
For Brightmail spam and virus checking, the interpretation of these strings is specified in the Brightmail configuration file. Brightmail uses the information from this attribute for its processing.
There are two Brightmail values:
spam - When a spam message is found by the anti-UBE service, take the action specified in a system wide configuration option.
virus - When a virus in a message is detected by the anti-UBE service, take the action specified in a system wide configuration option.
SpamAssassin, another filtering agent, does not use the actual value of the attribute; it can be set to anything.
While another attribute can be named in the option.dat setting for LDAP_OPTIN, it is not recommended. (For more information on Brightmail, see the Messaging Server Administration Guide.)
To use this attribute to specify per user opt in values, set the following in the option.dat file:
LDAP_OPTIN=mailAntiUBEService
To use the attribute to specify domain level opt in values, set the following in the option.dat file:
LDAP_DOMAIN_ATTR_OPTIN=mailAntiUBEService
mailAntiUBEService: virus
mailAntiUBEService: spam
Unknown
Messaging Server 5.0 (for reply mode), Messaging Server 5.2 patch 1 (for echo mode)
cis, single-valued
Specifies the autoreply mode for the user mail account. This is one of several autoreply attributes used when autoreply is an active mail delivery option. The two modes for autoreply are:
echo– Echo the original message with the added mailAutoReplyText or mailAutoReplyTextInternal to the original sender. This occurs only once a week per sender.
If you want the message to be echoed for each message from every sender regardless of how recently a previous reply was sent, set the mailAutoReplyTimeOut to 0, which will cause the reply message to be sent every time.
reply– Send a fixed reply, contained in attributes mailAutoReplyText or mailAutoReplyTextInternal, to the original sender.
mailAutoReplyMode: reply
2.16.840.1.113730.3.1.14
Messaging Server 5.0
cis, single-valued
Subject text of autoreply response. $SUBJECT can be used to insert the subject of the original message into the response.
mailAutoreplySubject: I am on vacation
2.16.840.1.113730.3.1.772
Messaging Server 5.0
cis, single-valued
Autoreply text sent to all senders except users in the recipient’s domain. If not specified, external users receive no auto response.
mailAutoreplyText: Please contact me later.
2.16.840.1.113730.3.1.15
Messaging Server 5.0
cis, single-valued
Autoreply text sent to senders from the recipient’s domain. If not specified, then internal users get the mail autoreply text message.
mailAutoreplyTextInternal: Please contact me later.
2.16.840.1.113730.3.1.773
Messaging Server 5.0
integer, single-valued
Duration, in hours, for successive autoreply responses to any given mail sender. If the value is set to 0 for mailAutoReplyMode: echo then a response is sent back every time a message is received. Autoreply responses are sent out only if the recipient is listed in the “to” or “cc:” of the original message.
mailAutoreplyTimeout: 48
2.16.840.1.113730.3.1.771
Messaging Server 5.0
integer, single-valued
A positive integer value indicating the number of attachments the Messenger Express user can send per message in this domain. A value of -1 means no limit on attachments.
mailClientAttachmentQuota: 12
2.16.840.1.113730.3.1.768
Messaging Server 5.2
cis, multi-valued (ASCII string)
inetMailGroup, inetMailUser
Method of specifying unique conversion behavior for a user or group entry. A message sent to this user or group will match any conversion file entries that require the specified value of the tag. (Any string value can be associated with this attribute.)
Tag-specific conversion actions are specified in the MTA configuration.
The MTA option used to override this attribute is LDAP_CONVERSION_TAG.
No example given.
Unknown
Messaging Server 5.2
cis, single-valued (ASCII string)
inetMailGroup, inetMailUser
Controls whether or not address expansion of the current user or group entry is performed immediately (value is “No”), or deferred (value is “Yes”).
A different attribute (other than mailDeferProcessing) can be designated for this purpose in the MTA option LDAP_REPROCESS.
Deferral takes place if the value is “Yes” and the current source channel isn’t the reprocess channel. Deferral is accomplished by directing the user or group’s address to the reprocess channel. That is, the expansion of the alias is aborted and the original address (user@domain) is queued to the reprocess channel.
If this attribute does not exist, the setting of the deferred processing flag associated with delivery options processing is checked. If it is set, processing is deferred.
If it is not set, the default for users is to process immediately (as if the value of this attribute were “No”).
The default for groups (such as mailing lists) is controlled by the MTA option DEFER_GROUP_PROCESSING, which defaults to 1 (yes).
Getting duplicate copies of messages can happen. For example, if a user sends an email to both addresseeA, and groupA that contains addresseeA, and DEFER_GROUP_PROCESSING=1 and this attribute is No, then the message immediately duplicates, such that addresseeA gets two copies, one that came directly, and one that took the deferred expansion hop through the reprocess channel for groupA to get expanded.
While disabling deferred group expansion would eliminate the duplicate, that’s not a good idea if you have a lot of large groups. Using expandlimit 1 can potentially cause unnecessary overhead on general, non-group, multi-recipient messages.
To minimize the effect of this situation, the following two solutions are best practices:
For installations with only a few small groups, setting the default DEFER_GROUP_PROCESSING=1, and this attribute to No, gives you duplicates but also gives you two major benefits:
You don’t have to bother running the reprocess channel, which makes a bit less overhead and a bit faster delivery.
The potential for eliminating duplicate addresses is increased.
If your installation has many small groups and only a few large groups, then set DEFER_GROUP_PROCESSING=0, and this attribute to Yes for the few large groups.
The default for mail users:
mailDeferProcessing: No
The default for mailing lists:
mailDeferProcessing: Yes
Unknown
Messaging Server 5.0
ces, single-valued
Fully qualified local path of file to which all messages sent to the mailing list are appended. Used in conjunction with mailDeliveryOption: file.
The MTA option used to override this attribute’s value is LDAP_PROGRAM_FILE.
mailDeliveryFileURL: /home/dreamteam/mail_archive
2.16.840.1.113730.3.1.787
Messaging Server 5.0
cis, multi-valued
Specifies delivery options for the mail recipient. One or more values are permitted on a user or group entry, supporting multiple delivery paths for inbound messages. Values will apply differently depending on whether the attribute is used in inetMailGroup or inetMailUser.
Note that the mailUserStatus attribute is processed before this attribute. If mailUserStatus is set to hold, an internal flag is set so that when mailDeliveryOption is processed, the mailUserStatus hold overrides whatever delivery options are specified with mailDeliveryOption.
For users, delivery addresses are generated for each valid delivery option value.
Valid values are:
For users only (inetMailUser):
autoreply– Specifies autoreply is turned on for the user. Messages on which the recipient is listed in the “To:” or “Cc:” header fields of the message are sent to the autoreply channel where an autoreply message is generated and sent to the original sender.
hold– A recipient is temporarily halted from receiving messages. Note that unlike mailUserStatus, hold for this attribute does not disallow POP, IMAP and WebMail access. For this attribute, hold only halts delivery to the recipient’s mailbox, but access is still allowed.
mailbox– Deliver messages to the user’s IMAP/POP store.
native or unix– Deliver messages to the user’s /var/mail store INBOX. The store is in Berkeley mailbox format. Messaging Server does not support /var/mail access. Users must use UNIX tools to access mail from the /var/mail store.
For groups only (inetMailGroup):
file– Messages are appended to the file specified in the attribute mailDeliveryFileURL.
members– Messages are sent to members of the mailing list. If missing, the default is assumed to be members.
members_offline– To defer processing for this group, set the attribute to this value, and set the option.dat file option DEFER_GROUP_PROCESSING to zero (0).
Both users and groups:
These values are handled the same for both users and groups.
program– Messages are delivered to a program, which is on the approved list of programs (specified in MTA’s configuration). The name of the program is specified in the attribute mailProgramdeliveryInfo.
forward– Specifies that messages will be forwarded. The forwarding address is specified in the attribute mailForwardingAddress. Note that when this value is set, mailForwardingAddress must be set to keep the mail system in sync.
The MTA option DELIVERY_OPTIONS, found in the msg-svr-base/config/option.dat file, defines how each of the previously listed values will be processed.
The MTA option used to override this attribute’s value is LDAP_DELIVERY_OPTION.
mailDeliveryOption: mailbox
2.16.840.1.113730.3.1.16
Messaging Server 5.0
cis, single-valued
Stores access filters (rules). If no rules are specified, then the domain is allowed access to all services from all clients. Rules are separated by a dollar sign ($). The rules are evaluated in this manner:
Access is granted if the client information matches an allow filter for that service.
Access is denied if the client information matches a deny filter for that service.
If no match is made with any allow or deny filters, access is granted, except in the case where there are allow filters but no deny filters. In this case, a lack of match means access is denied.
Note the effect of the preceding rule:
If no rule is specified for mailAllowedServiceAccess, users are allowed access to all services from all clients.
If an allow filter is explicitly specified for any service, users are denied access to all other services that are not specified.
For example, suppose you want to enable S/MIME for a domain. If you do not specify any allow filters or deny filters for mailAllowedServiceAccess, S/MIME is enabled.
Now suppose you specify an allow filter for the pop service. In this case, S/MIME is disabled until you also specify an allow filter for the smime service.
For a full explanation of access filters and an alternate way to control access through the administration console or the config utility, see “Configuring Client Access to POP, IMAP, and HTTP Services” in the Messaging Server Administration Guide.
+ or - <service_list>":"<client_list>
+ (allow filter) means the service list services are being granted to the client list.
- (deny filter) means the services are being denied to the client list.
service_list is a comma separated list of services to which access is being granted or denied.
Legal service names are: imap, imaps, pop, pops, smtp, smtps, http, and smime. Note that the MMP supports imap, imaps, pop, pops, smtp, and smime. The back-end supports imap, pop, smtp, http, and smime.
client_list is a comma separated list of clients (domains) to which access is being granted or denied.
Wild cards can be substituted for the client list (domains). The following table shows the allowed wild cards and describes each of them:
Table 3–11 Wild Cards
Wild cards | Meanings |
---|---|
ALL, * | The universal wild card. Matches all names. |
DNSSPOOFER | Matches any host whose DNS name does not match its own IP address. |
KNOWN | Matches any host whose name and address are known. Use with care. |
LOCAL | Matches any local host (one whose name does not contain a dot character). If your installation uses only canonical names, even local host names will contain dots and thus will not match this wild card. |
UNKNOWN | Matches any host whose name or address is unknown. Use this with care. |
The following wild cards can be used for the service list: *, ALL.
The access control system supports a single operator, EXCEPT. You can use the EXCEPT operator to create exceptions to the patterns found in a rule’s service list and client list. EXCEPT clauses can be nested. If there are multiple EXCEPT clauses in a rule, they are evaluated right to left.
The EXCEPT format is:
list 1 EXCEPT list 2
A list is a comma separated list of services or clients.
This example shows a single rule with multiple services and a single wild card for the client list.
mailDomainAllowedServiceAccess: +imap,pop,http:*
This example shows multiple rules, but each rule is simplified to have only one service name and uses wild cards for the client list.
mailDomainAllowedServiceAccess: +imap:ALL$+pop:ALL$+http:ALL
The second example is probably the most commonly used in Messaging Server LDIF files.
An example of a rule with an EXCEPT operator is:
mailDomainAllowedServiceAccess: -ALL:ALL EXCEPT server1.sesta.com
This example denies access to all services for all clients except those on the host machine server1.sesta.com.
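The evaluation rules above, modelled as an added example (this is not Messaging Server code). It assumes the bullet order is the precedence order, that the "allow filters but no deny filters" test applies to the whole attribute value, and that clients are matched by exact host name; the host names other than server1.sesta.com are constructed.

```python
import re

# Legal service names listed on the page.
SERVICES = ("imap", "imaps", "pop", "pops", "smtp", "smtps", "http", "smime")
UNIVERSAL = {"ALL", "*"}
# These wild cards need live DNS lookups, which this offline model does not do.
DNS_WILDCARDS = {"DNSSPOOFER", "KNOWN", "UNKNOWN"}


def _service_hit(item, service):
    return item in UNIVERSAL or item.lower() == service.lower()


def _client_hit(item, host):
    if item in UNIVERSAL:
        return True
    if item == "LOCAL":                      # local host: no dot in the name
        return "." not in host
    if item in DNS_WILDCARDS:
        raise ValueError(f"{item} needs DNS data; not modelled here")
    return item.lower() == host.lower()      # assumption: exact host name match


def _matches(expr, value, hit):
    """Evaluate 'list1 EXCEPT list2 [EXCEPT list3 ...]' right to left."""
    parts = re.split(r"\s+EXCEPT\s+", expr.strip(), maxsplit=1)
    items = [i.strip() for i in parts[0].split(",") if i.strip()]
    matched = any(hit(i, value) for i in items)
    if len(parts) == 1:
        return matched
    # Everything to the right of the first EXCEPT is evaluated first.
    return matched and not _matches(parts[1], value, hit)


def parse_rules(value):
    """Split a filter value on '$' into (is_allow, service_expr, client_expr)."""
    rules = []
    for raw in (value or "").split("$"):
        raw = raw.strip()
        if not raw:
            continue
        sign, body = raw[0], raw[1:]
        services, sep, clients = body.partition(":")
        if sign not in "+-" or not sep or not services.strip() or not clients.strip():
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((sign == "+", services, clients))
    return rules


def is_allowed(value, service, host):
    """Apply the three evaluation rules to one (service, client host) pair."""
    rules = parse_rules(value)
    allows = [r for r in rules if r[0]]
    denies = [r for r in rules if not r[0]]

    def hit(rule):
        return (_matches(rule[1], service, _service_hit)
                and _matches(rule[2], host, _client_hit))

    if any(hit(r) for r in allows):
        return True
    if any(hit(r) for r in denies):
        return False
    # No match: granted, unless there are allow filters but no deny filters.
    return not (allows and not denies)


def denied_services(value, host):
    """Audit helper: every legal service this value denies to the given host."""
    return [s for s in SERVICES if not is_allowed(value, s, host)]


if __name__ == "__main__":
    # A single allow filter for pop silently disables smime and everything else.
    print(denied_services("+pop:ALL", "client.example.org"))
    print(is_allowed("-ALL:ALL EXCEPT server1.sesta.com", "imap", "server1.sesta.com"))
```

Running `denied_services` over each domain's value before it is written to the directory shows which services an allow-only rule set switches off as a side effect.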
2.16.840.1.113730.3.1.764
Messaging Server 5.2
cis, single-valued (RFC 822 mailbox)
Specifies an address to be substituted for any address in the domain that doesn’t match any user or group in the domain.
The MTA option used to override this attribute’s value is LDAP_DOMAIN_ATTR_CATCHALL_ADDRESS.
No example given.
Unknown
Messaging Server 5.2
cis, multi-valued (ASCII string)
Method of specifying unique conversion behavior for any user in the domain. A message sent to a user in this domain will match any conversion file entries that require the specified value of the tag. (Any string value can be associated with this attribute.)
Tag-specific conversion actions are specified in the MTA configuration.
The MTA option used to override this attribute’s value is LDAP_DOMAIN_ATTR_CONVERSION_TAG.
No example given.
Unknown
Messaging Server 5.0
integer, single-valued
Disk quota, in bytes, for all users in the domain. If domain quota enforcement is activated, then domains exceeding this quota stop receiving more messages until the domain messages no longer exceed the quota. Domain quota enforcement is activated using the command imquotacheck -f -d <domain>.
Valid numeric values for mailDomainDiskQuota are
pos_num[G|M|K] or -1 or -2.
where pos_num is a positive number up to a maximum of 4294966272
and G (gigabytes), M (megabytes), and K (kilobytes) are the valid units of measurement.
You can specify the full quota value as a positive number by itself (for example, 20000000) or use a unit of measurement (for example, 20M).
The maximum mailDomainDiskQuota value is 4096G.
Specifying a mailDomainDiskQuota value of 0 will mean that no mail will be delivered.
You can also use the values shown in the following table.
Table 3–12 mailDomainDiskQuota Values
Value | Meaning |
---|---|
-1 | No limit on space usage allowed. |
-2 | Use system default quota. |
To specify a quota of 4 gigabytes:
mailDomainDiskQuota: 4G
To specify the system default quota, do not add mailDomainDiskQuota to the LDAP entry. Or you can use the following value:
mailDomainDiskQuota: -2
2.16.840.1.113730.3.1.766
Messaging Server 5.2
integer, single-valued
mailDomain
Imposes a size limit in units of MTA blocks on all messages sent to addresses in this domain. This limit doesn’t apply to messages sent by users from this domain.
The value of this attribute is overridden by the value of mailMsgMaxBlocks, if set.
The MTA option used to override this attribute’s value is LDAP_DOMAIN_ATTR_BLOCKLIMIT.
No example given.
Unknown
Messaging Server 5.0
integer, single-valued
Quota of number of messages permitted for all users in this domain. If domain quota enforcement is activated, then the domain exceeding this quota will stop receiving more messages until the messages no longer exceed the quota. Domain quota enforcement is activated using the command imquotacheck -f -d <domain>.
mailDomainMsgQuota: 2000000
2.16.840.1.113730.3.1.767
Messaging Server 5.2
cis, single-valued (RFC 822 mailbox)
This value is used as the header From: address in DSNs reporting problems associated with recipient addresses in the domain. It is also used when reporting problems to users within the domain regarding errors associated with non-local addresses.
If this attribute is not set, the reporting address will default to postmaster@domain.
The MTA option used to override this attribute’s value is LDAP_DOMAIN_ATTR_REPORT_ADDRESS.
No example given.
Unknown
Messaging Server 5.2
cis, single-valued (RFC 3028 sieve filter)
SIEVE filters are not supported by iPlanet Delegated Administrator.
SIEVE filter for all users in the domain. There are two possible forms for the value of this attribute: a single value that contains the complete sieve script (RFC 3028 compliant), and multiple values, with each value containing a piece of the sieve script (not RFC 3028 compliant).
A script has the following form:
require ["fileinto", "reject"];
# $Rule Info: Order=(1-infinity, or 0 for disabled) Template=(template-name) Name=(rule name)
if header :is "Sender" "owner-ietf-mta-filters@imc.org"
{
fileinto "filter"; # move to "filter" folder
}
if header :is "Subject" "SPAM!"
{
delete
}
Multiple SIEVE scripts per user can be stored in LDAP. To enable the user interface to handle several smaller rules scripts, rather than one script containing all the domain’s rules, this attribute takes multiple values (that is, multiple rules). The server looks at every rule in mailSieveRuleSource.
To provide ordering and possible user interface editing information, there is an optional SIEVE comment line in each rule. This line has the following format:
# $Rule Info: Order=(1-infinity, or 0 for disabled)
All rules that have a Rule Info line will be processed first by the Messaging Server. If Order=0, then this rule is not used in the SIEVE evaluation. Otherwise, the rules are processed in the order provided (1 having highest priority). To accommodate SIEVE rules that might not have been entered using the Rule Info extension, any other rules found are run by the server, in order received from LDAP after all rules with corresponding order values have been processed.
The MTA option that overrides this attribute’s value is LDAP_DOMAIN_ATTR_FILTER.
The following example is correctly formed, but Messaging Server ignores discard and reject text, and does not send a reject or discard reply message.
mailSieveRuleSource: require ["fileinto", "reject", "redirect", "discard"]
if header :contains "Subject" "New Rules Suggestion"
{redirect "rules@sesta.com" # Forward message
}
if header :contains "Sender" "porn.com"
{discard text:
Your message has been rejected. Please remove this address from your mailing list.
# Reject message, send reply message.
}
if size :over 1M
{reject text:
Please do not send large attachments. Put your file on a server and send the URL.Thank you.
# Discard message, send reply message.
}
if header :contains "Sender" "domainadminstrator@sesta.com"
{fileinto complaints.refs # File message
}
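The rule-ordering behaviour described above (Rule Info rules first in Order sequence, Order=0 skipped, unlabelled rules last in LDAP order), as an added example that is not Messaging Server code. The sample rules are constructed, and keeping LDAP order between rules that share the same Order value is an assumption.

```python
import re

# Matches the optional comment line '# $Rule Info: Order=N ...' inside a rule.
RULE_INFO = re.compile(r"^[ \t]*#[ \t]*\$Rule Info:[^\n]*?\bOrder=(\d+)", re.MULTILINE)

# Constructed attribute values, in the order LDAP returned them.
SAMPLE_RULES = [
    'require ["fileinto"];\n# $Rule Info: Order=2 Name=lists\n'
    'if header :contains "List-Id" "dev" { fileinto "lists"; }',
    'if size :over 1M { discard; }',                       # no Rule Info line
    '# $Rule Info: Order=0 Name=old-rule\n'
    'if header :is "Subject" "SPAM!" { discard; }',         # disabled
    'require ["fileinto"];\n# $Rule Info: Order=1 Name=boss\n'
    'if address :is "From" "boss@sesta.com" { fileinto "urgent"; }',
]


def evaluation_order(rule_values):
    """Return (active rules in evaluation order, disabled rules)."""
    ordered, unordered, disabled = [], [], []
    for position, script in enumerate(rule_values):
        info = RULE_INFO.search(script)
        if info is None:
            unordered.append(script)       # no Rule Info: run last, LDAP order
        elif int(info.group(1)) == 0:
            disabled.append(script)        # Order=0: not used in evaluation
        else:
            ordered.append((int(info.group(1)), position, script))
    # Lowest Order value first (1 has highest priority); ties keep LDAP order.
    ordered.sort(key=lambda item: item[:2])
    return [script for _, _, script in ordered] + unordered, disabled


if __name__ == "__main__":
    active, disabled = evaluation_order(SAMPLE_RULES)
    for script in active:
        print(script.splitlines()[-1])
    print("disabled:", len(disabled))
```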
Unknown
Messaging Server 5.0
cis, single-valued
Current status of the mail domain. Can be one of the following values: active, inactive, deleted, hold, or overquota. This attribute is the mail service domain status. Missing value implies status is active. An illegal value is treated as inactive.
The following table lists the status values:
Table 3–13 Status Values
There are four status attributes that mail services look at and which are evaluated in this order: inetDomainStatus, mailDomainStatus, inetUserStatus, and mailUserStatus. The rule is: the first of these attributes that is set to something other than active takes precedence over all the others.
The MTA option that overrides this attribute’s values is LDAP_DOMAIN_ATTR_STATUS. The LDAP_DOMAIN_ATTR_STATUS option does not affect the message store or Delegated Administrator commadmin utility, which only recognize and use the current value of mailDomainStatus.
mailDomainStatus: active
2.16.840.1.113730.3.1.770
Messaging Server 6.0
cis, single-valued
Welcome message sent to new users added to this domain. The message must contain a header and a message body. The message header must contain at least a subject line. The header and body are separated by a blank line. Enter the mail-domain welcome message on a single line. You must use a $ (dollar sign) to represent a new line. To indicate a blank line, use $$ (two dollar signs).
You can use the following variables in the mail-domain welcome message:
[ID] The userid (message store user ID).
[URL] The url location specified with the configutil parameter, gen.accounturl. You can configure this parameter to point the user to, for example, the url of the administrative interface where the user can customize the client configuration.
The following example would be entered on a single line, even though it appears on this page on multiple lines:
mailDomainWelcomeMessage: From: postmaster@siroe.com$Subject: Welcome!$$ Dear [ID],$Welcome to the mail system.$To customize your email preferences, please go to the following url:$$[URL]$$-postmaster@siroe.com
When the user anne logs in for the first time, the following sample mail-domain welcome message would be displayed (depending on the url configuration):
From: postmaster@siroe.com
Subject: Welcome!
To: anne@siroe.com
Date: Tue, 7 Nov 2006 10:10:04 -0800
MIME-Version 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear anne,
Welcome to the mail system.
To customize your email preferences, please go to the following url:

http://anne@west.siroe.com:8080/bin/user/admin/bin/enduser

-postmaster@siroe.com
2.16.840.1.113730.3.1.765
Messaging Server 5.2
cis, multi-valued (RFC 822 addr-spec)
inetMailGroup, inetMailUser
Equivalent to mailAlternateAddress in regard to mail routing, except with this attribute, the header doesn’t get rewritten.
Note that mailEquivalentAddress is searched for when the system is deciding where to deliver messages, but it is not one of the attributes searched for when doing REVERSE_URL address reversal.
This attribute works only for direct LDAP mode, not with the deprecated imsimta dirsync option.
mailEquivalentAddress: jdoe@sesta.com
mailEquivalentAddress: @sesta.com (catchall domain address)
Unknown
Messaging Server 6.2
cis, single-valued
This attribute specifies the name of a public folder.
mailFolderName: Announcements
Unknown
Messaging Server 5.0
cis, multi-valued
This attribute stores one or more forwarding addresses for inbound messages. Addresses are specified in RFC 822 format. Messages are forwarded to the listed address when mailDeliveryOption: forward is set.
Note that both mailDeliveryOption and this attribute must be set in order to keep the mail system in sync.
mailForwardingAddress: kokomo@sesta.com
2.16.840.1.113730.3.1.17
Messaging Server 5.0
cis, single-valued
For a user or group entry, the fully qualified host name of the MTA that is the final destination of messages sent to this recipient. To be deemed local, the user entry must have this attribute, and it must match either the local.hostname configutil attribute, or one of the names specified by the local.imta.hostnamealiases configutil attribute. Otherwise, a new source routed address is generated in the form: @mailhost:user@domain and will be processed through the rewrite rules.
If a user entry does not have this attribute, the generated address will use the mailRoutingSmartHost hostname associated with the domain @smarthost:user@domain. If the domain has no mailRoutingSmartHost attribute, the address is discarded and a 5xx error is reported.
If a group entry does not have this attribute, the group is processed locally.
The MTA option that overrides this attribute’s value is LDAP_MAILHOST.
mailHost: mail.siroe.com
2.16.840.1.113730.3.1.18
Messaging Server 5.0
cis, single-valued
Specifies the message store partition name for the user. The mapping between the partition name and the file system location of the store is kept in the message store configuration. If not specified, the default store partition specified in the server configuration is used.
mailMessageStore: secondary
2.16.840.1.113730.3.1.19
Messaging Server 5.2
integer, single-valued
inetMailGroup, inetMailUser
The size in units of MTA blocks of the largest message that can be sent to this user or group. The limit doesn’t apply to messages sent by the user.
If this attribute is set, it overrides the value of mailDomainMsgMaxBlocks.
The MTA option that overrides the attribute’s value is LDAP_BLOCKLIMIT.
No example given.
Unknown
Messaging Server 5.0
integer, single-valued
Maximum number of messages permitted for a user is set with mailMsgQuota. This is a cumulative count for all folders in the store.
This attribute also can specify the number of messages allowed for a particular folder or message type.
Although mailMsgQuota is a single-valued attribute, you can use it to specify multiple quota values. You can set individual quota values for specific folders and message types. For details, see Specifying Quotas for Folders and Message Types.
If the mailMsgQuota attribute is missing, the system default quota is used. This is defined by the configutil parameter store.defaultmessagequota.
During server configuration, quota enforcement must be turned on for mailMsgQuota to take effect. Both soft and hard quotas can be set. (See the Sun Java System Messaging Server 6.3 Administration Guide.)
The MTA option override is LDAP_MESSAGE_QUOTA.
To specify a mailMsgQuota value for the user's entire mailbox tree, use the following format:
mailMsgQuota: msgquota
where
msgquota is the number of messages.
Valid values for msgquota are up to a maximum of 4294966272. Specifying a msgquota value of 0 will mean that no mail will be delivered. You can also use the values shown in the following table:
Table 3–14 MsgQuota Values
Value | Meaning |
---|---|
-1 | No limit on number of messages allowed |
-2 | Use system default quota |
To enable the quotas for individual folders or specific message types, you must run the configutil command with the parameters store.quotafolder.enable and store.typequota.enable.
To enable and configure message types, you also must enable the configutil parameter store.messagetype.enable and configure other configutil parameters.
Guidelines for Specifying Multiple Quota Values
You can specify the following mailMsgQuota values for a user's mailbox tree:
Quota values for specific folders in the user's mailbox
Quota values for specific message types such as voice mail or text messages. A message type quota applies to messages of that type in all folders in the user's mailbox.
A default quota value that applies to all folders and message types in the user's mailbox that are not explicitly assigned quotas.
The following guidelines apply when you assign multiple quota values for a user:
Quotas do not overlap. For example, when there is a quota for a particular message type or folder, messages of that type or messages in that folder are not counted toward the default quota. Each message counts toward one and only one quota.
The total quota for the whole user mailbox equals the sum of the values of all the quotas specified by default, type, and folder.
Message type quotas take precedence over folder quotas. For example, suppose one quota is specified for a user's memos folder and another quota is specified for voice messages. Now suppose the user stores eight voice messages in the memos folder. The eight messages are counted toward the voice-mail quota and excluded from the memos folder quota.
Formatting Quota Values for Folders and Message Types
To specify mailMsgQuota values for folders or message types, use the following format:
mailMsgQuota: {msgquota}[;{name}%{msgquota}]...
where
{msgquota} is the number of messages. For a description of the valid numeric values, see msgquota Values.
{name} is the name of the folder or message type.
The semicolon (“;” ) is a separator that separates multiple quota values.
The percent sign (“%”) associates a folder or message-type name with the quota value that follows it.
Additional Formatting Guidelines for Quota Values
The first {msgquota} in the syntax shown above (that is, the first quota value entered after the mailMsgQuota attribute) does not have a name. This value represents the default quota for all folders in the user's mailbox that are not explicitly assigned quotas. The default value applies to all the unnamed folders combined, not individual folders.
A message-type name starts with a pound sign (“#”).
A folder name does not start with a pound sign (“#”).
The “%” and “#” signs are not allowed in folder names or message-type names.
To specify a quota of 2,000 messages:
mailMsgQuota: 2000
To specify the system default quota, do not add mailMsgQuota to the LDAP entry. Or you can use the following value:
mailMsgQuota: -2
To specify a default quota of 2,000 messages for all user folders not explicitly assigned a quota; a voice-message quota of 100 messages; and a quota for the Archive folder of 4,000 messages:
mailMsgQuota: 2000;#voice%100;Archive%4000
In the preceding example, the 2,000-message default quota includes messages in all user folders except the Archive folder; it also excludes voice messages. The 100-message voice-mail quota includes voice messages in all user folders, including the Archive folder. The 4,000-message Archive-folder quota includes messages in the Archive folder and its subfolders; it includes messages of all types except voice messages.
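A parser for the multi-value mailMsgQuota format and the non-overlap and precedence guidelines above, as an added example that is not Messaging Server code. The "/" hierarchy separator, the function names and the sample mailbox contents are assumptions made for illustration.

```python
from collections import Counter

MAX_QUOTA = 4294966272          # maximum msgquota value given on the page
NO_LIMIT, SYSTEM_DEFAULT = -1, -2


def _count(text):
    try:
        n = int(text.strip())
    except ValueError:
        raise ValueError(f"not a number: {text!r}") from None
    if n not in (NO_LIMIT, SYSTEM_DEFAULT) and not 0 <= n <= MAX_QUOTA:
        raise ValueError(f"quota out of range: {n}")
    return n


def parse_msg_quota(value):
    """Parse '{msgquota}[;{name}%{msgquota}]...' into default/type/folder quotas."""
    parts = value.strip().split(";")
    quotas = {"default": _count(parts[0]), "types": {}, "folders": {}}
    for part in parts[1:]:
        name, sep, count = part.partition("%")
        name = name.strip()
        is_type = name.startswith("#")      # message-type names start with '#'
        bare = name[1:] if is_type else name
        if not sep or not bare or "#" in bare:
            raise ValueError(f"bad named quota: {part!r}")
        quotas["types" if is_type else "folders"][bare] = _count(count)
    return quotas


def bucket_for(quotas, folder, msg_type=None, sep="/"):
    """Return the single quota a message counts toward."""
    # Message type quotas take precedence over folder quotas.
    if msg_type is not None and msg_type in quotas["types"]:
        return ("type", msg_type)
    # A folder quota also covers the folder's subfolders; longest match wins.
    best = None
    for name in quotas["folders"]:
        if folder == name or folder.startswith(name + sep):
            if best is None or len(name) > len(best):
                best = name
    return ("folder", best) if best is not None else ("default", None)


def over_quota(value, messages, system_default):
    """Map each exceeded bucket to (messages counted, limit)."""
    quotas = parse_msg_quota(value)
    counts = Counter(bucket_for(quotas, folder, mtype) for folder, mtype in messages)
    report = {}
    for (kind, name), used in counts.items():
        limit = quotas["default"] if kind == "default" else quotas[kind + "s"][name]
        if limit == SYSTEM_DEFAULT:
            limit = system_default
        if limit != NO_LIMIT and used > limit:
            report[(kind, name)] = (used, limit)
    return report


if __name__ == "__main__":
    q = parse_msg_quota("2000;#voice%100;Archive%4000")   # example from the page
    print(q)
    print(bucket_for(q, "Archive", "voice"))      # voice quota, not Archive
    print(bucket_for(q, "Archive/2006"))          # Archive quota covers subfolders
    # Constructed mailbox: (folder, message type) pairs.
    mailbox = [("memos", "voice"), ("Archive", "voice"), ("INBOX", None)]
    print(over_quota("2;#voice%1;Archive%4000", mailbox, system_default=1000))
```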
2.16.840.1.113730.3.1.774
Messaging Server 5.0
ces, multi-valued
Specifies one or more programs used for program delivery. These programs have to be on the approved list of programs that the messaging server is permitted to execute for a domain. The attribute value specifies a reference to a program. That reference is resolved from the approved list of programs. The resolved reference also provides the program parameters and execution permissions. Used in conjunction with the mailDeliveryOption: program.
The value of this attribute should be used as the value for the method name (-m value) when running imsimta program.
The program approval process is documented further in the Sun Java System Messaging Server 6.3 Administration Guide.
The MTA option used to name a different attribute for this function is LDAP_PROGRAM_INFO.
mailProgramDeliveryInfo: procmail
2.16.840.1.113730.3.1.20
Messaging Server 6.2
cis, multi-valued
Specifies the access control rights granted for this public folder. Each value of this attribute consists of two parts separated by a space. The two parts are: an identifier, as specified in RFC 2086, and a list of access rights, mod_rights, as shown in the following table:
Table 3–15 Access Rights for a Public Folder
Allowed Characters | Name | Actions Permitted |
---|---|---|
l | lookup | Mailbox is visible to LIST/LSUB commands. |
r | read | SELECT the mailbox, perform CHECK, FETCH, PARTIAL, SEARCH, COPY from mailbox. |
s | seen | Keep seen/unseen information across sessions. (STORE SEEN flag) |
w | write | STORE flags other than SEEN and DELETED. |
i | insert | Perform APPEND, COPY into mailbox. |
p | post | Send mail to submission address for mailbox (not enforced by IMAP 4 itself). |
c | create | CREATE new sub-mailboxes in any implementation-defined hierarchy. |
d | delete | STORE DELETED flag, perform EXPUNGE. |
a | administer | Perform SETACL. |
Messaging Server’s IMAP ACL implementation also defines the following new identifier:
anyone@domain
where domain is a valid domain.
If the attribute is missing, the default rights specified in the mailPublicFolderDefaultRights attribute from the mailDomain object class will be applied. If mailDomain does not contain this attribute, the following default ACL is set when a public folder is first created:
anyone@domain lrs
where domain is a valid domain.
Group identifiers start with the prefix “group=”. Do not put the group identifier prefix on a userid. The message store’s user creation code checks for this.
mailPublicFolderDefaultRights: anyone@sesta.com lrs
mailPublicFolderDefaultRights: group: sales@sesta.com lrs
mailPublicFolderDefaultRights: john@sesta.com lrswid
Unknown
Messaging Server 5.0
integer, single-valued
Specifies, in bytes, the amount of disk space allowed for the user’s mailbox.
This attribute also can specify the amount of disk space allowed for a particular folder or message type.
Although mailQuota is a single-valued attribute, you can use it to specify multiple quota values. You can set individual quota values for specific folders and message types. For details, see Specifying Quotas for Folders and Message Types.
For a description of the numeric values for specifying quotas, see quota Values.
If the mailQuota attribute is not specified, the system default quota is used. The system default is specified in the server configuration parameter store.defaultmailboxquota. Setting the configuration parameter store.quotaenforcement to “on” causes the message store to enforce the quota.
LDAP_DISK_QUOTA is the MTA option used to specify a different attribute name for this function.
To specify a mailQuota value for the user's entire mailbox tree, use the following format:
mailQuota: quota
where
quota is the number of bytes.
Valid numeric values for quota are
pos_num[G|M|K] or -1 or -2.
where pos_num is a positive number up to a maximum of 4294966272
and G (gigabytes), M (megabytes), and K (kilobytes) are the valid units of measurement.
You can specify the full quota value as a positive number by itself (for example, 20000000) or use a unit of measurement (for example, 20M).
The maximum quota value of the user mailbox is 4096G.
Specifying a quota value of 0 will mean that no mail will be delivered.
You can also use the values shown in the following table.
Table 3–16 quota Values
Value | Meaning |
---|---|
-1 | No limit on space usage allowed |
-2 | Use system default quota |
To enable the quotas for individual folders or specific message types, you must run the configutil command with the parameters store.quotafolder.enable and store.typequota.enable.
To enable and configure message types, you also must enable the configutil parameter store.messagetype.enable and configure other configutil parameters.
Guidelines for Specifying Multiple Quota Values
You can specify the following mailQuota values for a user's mailbox tree:
Quota values for specific folders in the user's mailbox
Quota values for specific message types such as voice mail or text messages. A message type quota applies to messages of that type in all folders in the user's mailbox.
A default quota value that applies to all folders and message types in the user's mailbox that are not explicitly assigned quotas.
The following guidelines apply when you assign multiple quota values for a user:
Quotas do not overlap. For example, when there is a quota for a particular message type or folder, messages of that type or messages in that folder are not counted toward the default quota. Each message counts toward one and only one quota.
The total quota for the whole user mailbox equals the sum of the values of all the quotas specified by default, type, and folder.
Message type quotas take precedence over folder quotas. For example, suppose one quota is specified for a user's memos folder and another quota is specified for voice messages. Now suppose the user stores eight voice messages in the memos folder. The eight messages are counted toward the voice-mail quota and excluded from the memos folder quota.
Formatting Quota Values for Folders and Message Types
To specify mailQuota values for folders or message types, use the following format:
mailQuota: {quota}[;{name}%{quota}]...
where
{quota} is the number of bytes. For a description of the allowed numeric values, see quota Values.
{name} is the name of the folder or message type.
The semicolon (“;” ) is a separator that separates multiple quota values.
The percent sign (“%”) associates a folder or message-type name with the quota value that follows it.
Additional Formatting Guidelines for Quota Values
The first {quota} in the syntax shown above (that is, the first quota value entered after the mailQuota attribute) does not have a name. This value represents the default quota for all folders in the user's mailbox that are not explicitly assigned quotas. The default value applies to all the unnamed folders combined, not individual folders.
A message-type name starts with a pound sign (“#”).
A folder name does not start with a pound sign (“#”).
The “%” and “#” signs are not allowed in folder names or message-type names.
To specify a quota of 4 gigabytes for the user mailbox:
mailQuota: 4G
To specify the system default quota, do not add mailQuota to the LDAP entry. Or you can use the following value:
mailQuota: -2
To specify a 20 MB default quota for all user folders not explicitly assigned a quota; a 10 MB voice-message quota; and a 100 MB quota for the Archive folder:
mailQuota: 20M;#voice%10M;Archive%100M
In the preceding example, the 20 MB default quota includes messages in all user folders except the Archive folder; it also excludes voice messages. The 10 MB voice-message quota includes voice messages in all user folders, including the Archive folder. The 100 MB Archive folder quota includes messages in the Archive folder and its subfolders; it includes messages of all types except voice messages.
2.16.840.1.113730.3.1.21
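The following added example (not code from Messaging Server) parses a mailQuota value in the {quota}[;{name}%{quota}]... format, rejects values that break the formatting guidelines, and applies the rule that message-type quotas take precedence over folder quotas. Assumptions of this example: K, M and G are powers of 1024, "/" is the folder hierarchy separator, and all function names are hypothetical.

```python
"""Validate and interpret mailQuota attribute values (added example)."""
import re

# Assumption: the page names the units but not their size; 1024-based here.
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
MAX_POS_NUM = 4294966272               # largest pos_num the page allows
MAX_MAILBOX_BYTES = 4096 * UNITS["G"]  # maximum user mailbox quota, 4096G
NO_LIMIT, SYSTEM_DEFAULT = -1, -2      # special values from Table 3-16
QUOTA_RE = re.compile(r"([0-9]+)([GMK]?)")


def parse_quota(token):
    """Return a byte count, or -1 / -2 for the two special values."""
    token = token.strip()
    if token in ("-1", "-2"):
        return int(token)
    match = QUOTA_RE.fullmatch(token)
    if not match:
        raise ValueError(f"bad quota value {token!r}")
    number, unit = int(match.group(1)), match.group(2)
    size = number * UNITS[unit]
    if number > MAX_POS_NUM or size > MAX_MAILBOX_BYTES:
        raise ValueError(f"quota {token!r} exceeds the documented maximum")
    return size


def parse_mail_quota(value):
    """Split a mailQuota value into default, message-type and folder quotas."""
    first, *named = value.split(";")
    parsed = {"default": parse_quota(first), "types": {}, "folders": {}}
    for item in named:
        name, sep, quota = item.partition("%")
        name = name.strip()
        bucket = "types" if name.startswith("#") else "folders"
        bare = name[1:] if bucket == "types" else name
        # "#" may only lead a message-type name; a stray "%" ends up in
        # `quota` and is rejected by parse_quota below.
        if not sep or not bare or "#" in bare:
            raise ValueError(f"bad named quota {item!r}")
        if bare in parsed[bucket]:
            raise ValueError(f"duplicate quota for {name!r}")
        parsed[bucket][bare] = parse_quota(quota)
    return parsed


def quota_bucket(parsed, folder, message_type=None, sep="/"):
    """Name the single quota a message counts toward."""
    if message_type is not None:
        bare = message_type.lstrip("#")
        if bare in parsed["types"]:      # type quotas win over folder quotas
            return ("type", bare)
    path = folder
    while path:                          # a folder quota covers its subfolders
        if path in parsed["folders"]:
            return ("folder", path)
        path = path.rpartition(sep)[0]
    return ("default", None)


def total_quota(parsed, system_default=None):
    """Sum all quotas; -1 anywhere makes the whole mailbox unlimited."""
    values = [parsed["default"], *parsed["types"].values(),
              *parsed["folders"].values()]
    if SYSTEM_DEFAULT in values:
        if system_default is None:
            raise ValueError("a -2 entry needs the system default quota")
        values = [system_default if v == SYSTEM_DEFAULT else v for v in values]
    return NO_LIMIT if NO_LIMIT in values else sum(values)


if __name__ == "__main__":
    q = parse_mail_quota("20M;#voice%10M;Archive%100M")
    print(q, total_quota(q), quota_bucket(q, "Archive/2023", "voice"))
```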
Messaging Server 5.2
ces, multi-valued
The first line of text stored in the first value of this attribute is saved. This text is returned if any of the authentication attributes cause the message to be rejected. Since text can appear in SMTP responses, the value is limited to US-ASCII characters in order to comply with messaging standards.
LDAP_REJECT_TEXT is the MTA option used to specify a different attribute name for this function.
No example given.
Unknown
Messaging Server 5.0
cis, single-valued
Used together with mailHost to determine whether or not the address should be acted upon at this time or forwarded to another system.
LDAP_ROUTING_ADDRESS is the MTA option used to specify a different attribute name for this function.
No example given.
2.16.840.1.113730.3.1.24
Messaging Server 5.0
cis, multi-valued
Fully qualified host name of the MTA responsible for making routing decisions for users in this (and all contained) domain(s). An unspecified attribute implies that all MTAs must route messages for the users/groups of this (and contained) domain(s).
When a domain is found to be non-local, the use of this attribute depends on the value of the MTA option ROUTE_TO_ROUTING_HOST:
If the value is zero (0), which is the default setting, the attribute was checked as part of the $* rewrite rule. With a non-local domain, the $* rewrite rule fails and no further use is made of this attribute’s values. The remaining rewrite rules determine the handling of the domain.
If the value of the option is one (1), then the first value of this attribute that the MTA receives is installed as the source route in the address, and all addresses associated with the domain are routed to that host.
Since this attribute is multi-valued and the first value the MTA “sees” will be chosen when the option is set to 1, it might be tempting to assume that you can direct the order in which these mail hosts will be used; that is, you might assume you can do a sort of load balancing by ordering the various values of this attribute. But, LDAP does not guarantee that attribute value ordering is preserved, so the first value seen by the MTA might be any of the attribute’s values, not necessarily the first one in the LDAP entry.
You can implement load balancing with a set of MX records for each of the routing host names. Do not attempt to do it with the ordering of this attribute’s values.
LDAP_DOMAIN_ATTR_ROUTING_HOSTS is the MTA option used to specify a different attribute name for this function.
mailRoutingHosts: mail.siroe.com
2.16.840.1.113730.3.1.759
Messaging Server 5.0
cis, single-valued
Fully qualified host name, or domain-literal IP address, of a mail server responsible for handling mail for users not found in the local directory. Messages sent to users not found in the messaging server’s directory are forwarded to the mail server specified in this attribute. This is useful when making a transition from one mail system to another and all users have not yet been moved over to the messaging server directory. An empty or missing attribute implies the local MTA is responsible for routing and delivering all messages for users in that domain.
This attribute is used by the system only if the domain it cares about is listed in the attribute, otherwise, it is ignored.
LDAP_DOMAIN_ATTR_SMARTHOST is the MTA option used to specify a different attribute name for this function.
mailRoutingSmartHost: mail.siroe.com
mailRoutingSmartHost: 129.148.12.141
2.16.840.1.113730.3.1.760
Messaging Server 5.0
cis, multi-valued
inetMailUser, inetManagedGroup, inetMailGroup
SIEVE filters are not supported with iPlanet Delegated Administrator for Messaging. Use this with LDAP Schema 2 and Access Manager.
The attribute contains a SIEVE rule (RFC 3028 compliant) used to create a message filter script for a user entry. This attribute can be either single-valued, with the rule containing the complete SIEVE script, or multi-valued, with each rule containing an independently valid piece of the SIEVE script. When there are multiple values, the Web filter construction interface combines the rules into a single SIEVE script using an ordering parameter (Order) found in a #Rule Info: comment.
Note that when the value of Order is a negative number, the value is ignored, and the rule is processed with other unordered SIEVE rules for this entry, but when the value of Order is zero, the rule is disabled and not processed at all.
The script is applied when a message is ready to be enqueued to the delivery channel. Though the SIEVE script is created while the MTA is expanding aliases, it is not used until after the resulting delivery addresses have been expanded and are being sent to the ims-ms, native, autoreply or pipe channels.
A script has the following form:
require ["fileinto", "reject"];
# Rule Info: $Order=(1-infinity, or 0 for disabled) Template=(template-name) Name=(rule name)
if header :is "Sender" "owner-ietf-mta-filters@imc.org" {
    fileinto "filter"; # move to "filter" folder
}
if header :is "Subject" "SPAM!" {
    discard;
}
The MTA option used to name a different attribute for this function is LDAP_FILTER.
mailSieveRuleSource: require ["fileinto", "reject", "redirect", "discard"];
if header :contains "Subject" "New Rules Suggestion" {
    redirect "rules@sesta.com"; # Forward message
}
if header :contains "Sender" "porn.com" {
    reject "Your message has been rejected. Please remove this address from your mailing list."; # Reject message, send reply message.
}
if size :over 1M {
    reject "Please do not send me large attachments. Put your file on a server and send me the URL. Thank you."; # Reject message, send reply message.
}
if header :contains "Sender" "barkley@sesta.com" {
    fileinto "complaints.refs"; # File message
}
2.16.840.1.113730.3.1.775
Messaging Server 5.0
cis, single-valued
Most commonly, this attribute is a factor involved in setting up guaranteed message delivery, or in setting up other special classes of service. When defined, this attribute tells the MTA to consider the channel named by this attribute to be the effective submission channel, if the SMTP AUTH is successful.
mailSMTPSubmitChannel: tcp_tas
OID
2.16.840.1.113730.3.1.776
Messaging Server 5.0
cis, single-valued
Current status of the mail user. Can be one of the following values: active, inactive, deleted, hold, overquota, or removed.
A missing value implies status is active. An illegal value is treated as inactive.
Table 3–17 Mail User Status
Status Value | Description |
---|---|
active | Normal state. If inetUserStatus is also active, then mail is processed as per the values stored in other user attributes (such as mailDeliveryOption, mailSieveRuleSource, and so on). If not set to active, the status from inetUserStatus takes precedence. Other status attributes taken into consideration are inetDomainStatus and mailDomainStatus. If the combination of inetDomainStatus and mailDomainStatus permits mail delivery and access for the domain, the user state is determined from inetUserStatus and mailUserStatus. |
inactive | The user’s mail account is inactive. A transient failure is returned to the sending MTA. |
disabled | User's mail account is disabled. Messages sent to the user result in a permanent failure returned to the sending MTA with text specified by the ERROR_TEXT_DISABLED_USER MTA option. If the option is not set, the message "user disabled; cannot receive new mail" will be used. |
deleted | The user’s mail account is marked to be deleted from the message store. A permanent failure is returned to the sending MTA and the user’s mail account is a candidate for cleanup by the msuser purge utility. User access to the mailbox is blocked. After msuser purge deletes the mail account from the message store, it sets the value of mailUserStatus to removed. |
removed | Indicates that the resource (mailbox) associated with this entry has been removed. In addition, the user entry itself is marked to be deleted from the LDAP directory. A permanent failure is returned to the sending MTA. User access to the mailbox is blocked. This setting allows the Delegated Administrator commadmin domain purge command to delete the user entry from the LDAP directory. |
hold | User’s mail is sent to the hold queue and access to the mailbox over IMAP, POP, and HTTP is disallowed. MTA and Message Access Servers on the store server must comply with this requirement. This setting overrides any other mailDeliveryOption settings. |
overquota | The MTA will not deliver mail to a mailbox with this status. |
There are four status attributes that mail services look at and which are evaluated in this order: inetDomainStatus, mailDomainStatus, inetUserStatus, and mailUserStatus. The rule is: the first of these attributes that is set to something other than active takes precedence over all the others.
LDAP_USER_STATUS is the MTA option that overrides the mailUserStatus attribute. The LDAP_USER_STATUS option does not affect the message store or Delegated Administrator commadmin utility, which only recognize and use the current value of mailUserStatus.
mailUserStatus: active
2.16.840.1.113730.3.1.778
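The following added example (not code from Messaging Server) applies the evaluation order described above to a merged set of domain and user attributes and maps the winning status to the delivery result listed in Table 3–17. Assumptions of this example: the missing-value and illegal-value rules stated for mailUserStatus are applied to all four attributes, an empty string counts as missing, values are compared case-insensitively, and the function names and sample entries are constructed.

```python
"""Resolve the effective mail status of an account (added example)."""

# Evaluation order given in the text.
ORDER = ("inetDomainStatus", "mailDomainStatus", "inetUserStatus", "mailUserStatus")

# Delivery result per status value, summarized from Table 3-17.
OUTCOME = {
    "active": "deliver",
    "inactive": "transient failure",
    "disabled": "permanent failure",
    "deleted": "permanent failure",
    "removed": "permanent failure",
    "hold": "hold queue",
    "overquota": "not delivered",
}


def normalize(value):
    """Missing means active; an unrecognized value is treated as inactive."""
    if value is None or not value.strip():
        return "active"
    status = value.strip().lower()
    return status if status in OUTCOME else "inactive"


def effective_status(entry):
    """Return (deciding attribute, status); the first non-active value wins."""
    for attr in ORDER:
        status = normalize(entry.get(attr))
        if status != "active":
            return attr, status
    return None, "active"


def delivery_outcome(entry):
    """Delivery result for the effective status of this entry."""
    return OUTCOME[effective_status(entry)[1]]


def accounts_not_receiving_mail(entries):
    """List (uid, deciding attribute, status) for every blocked account."""
    report = []
    for uid, entry in sorted(entries.items()):
        attr, status = effective_status(entry)
        if status != "active":
            report.append((uid, attr, status))
    return report


# Constructed sample entries: domain and user attributes merged per account.
SAMPLE_ENTRIES = {
    "alice": {"inetDomainStatus": "active", "mailUserStatus": "active"},
    "bob": {"mailDomainStatus": "Inactive", "mailUserStatus": "deleted"},
    "carol": {"inetUserStatus": "active", "mailUserStatus": "hold"},
    "dave": {"mailUserStatus": "suspended"},   # not a defined status value
    "erin": {},                                # nothing set at all
}

if __name__ == "__main__":
    for row in accounts_not_receiving_mail(SAMPLE_ENTRIES):
        print(row)
```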
Messaging Server 5.0
integer, single-valued
Specifies the maximum number of personal address book entries users are permitted to have in their personal address book store. A value of -1 implies there is no limit. If this attribute is not present then the system default specified in the personal address book configuration is used.
maxPabEntries: 1000
2.16.840.1.113730.3.1.705
Messaging Server 5.0, deprecated in Messaging Server 6.0 for inetUser; Access Manager
dn, multi-valued
For LDAP Schema 2, this attribute decorates inetAdmin, and specifies the DN of an assignable dynamic group to which a user belongs. It is used as the default well-known filtered attribute used in conjunction with mgrpDeliverTo to search for assignable dynamic group members.
This attribute is deprecated for inetUser in Messaging Server 6.0 and is likely to be removed from the inetUser object class in future versions of the schema.
For LDAP Schema 1, this attribute specifies the DN of a mailing list to which a user belongs, indicating static group membership as a backpointer.
memberOf: cn=Administrators,ou=groups,o=sesta.com,o=basedn
1.2.840.113556.1.2.102
Messaging Server 5.0
cis, multi-valued
The unique name (un) of the personal address book(s) in which this entry belongs.
memberOfPAB:addressbook122FA7
2.16.840.1.113730.3.1.718
Messaging Server 5.0
cis, multi-valued
Unique name of the personal group(s) in which this user belongs.
memberOfPabGroup:testgroup15577F2D
2.16.840.1.113730.3.1.719
Messaging Server 5.2
ces, multi-valued
groupOfURLs
A list of URLs, which, when expanded, provides a list of mailing list member addresses.
This is the preferred way to specify a dynamic mailing list. Alternately, you can use mgrpDeliverTo.
The MTA option used to override this attribute’s value is LDAP_GROUP_URL2.
memberURL:ldap://cn=jdoes, o=sesta.com
2.16.840.1.113730.3.1.198
Netscape Messaging Server
ces, multi-valued
Each attribute value specifies a header field that is to be added to the message header if it is present.
For the MTA, the values of these attributes are headers, which are used to set header-trimming ADD options.
LDAP_ADD_HEADER is the MTA option used to specify a different attribute name for this function.
mgrpAddHeader:Reply-To: thisgroup@sesta.com
2.16.840.1.113730.3.1.781
Messaging Server 5.0
ces, multi-valued
Identifies mail users allowed to send messages to the mail group. The purpose of this attribute is to restrict who can send messages to the mail group. If no instances of this attribute exist on the inetMailGroup entry, there are no restrictions on who can send messages to the mail group unless the mgrpAllowedDomain, mgrpDisallowedDomain, and mgrpDisallowedBroadcaster attributes are used.
The Messaging Server expects this attribute to contain either a distinguished name or an RFC822address using an LDAP URI or a mailto address (see example). If a distinguished name is used, it must represent a mailable entry or entries of type group or groupOfUniqueNames. (That is, the group entry must contain an email address in one of the following attributes: mail, mailAlternateAddress, mailEquivalentAddress.)
If multi-valued, each URL or DN is expanded into a list of addresses and each address is checked against the current envelope “from” address. The message is allowed if there is a match.
Any email addresses specified are expanded as if they are a mailing list. Unlike a mailing list, this expansion includes all the attributes used to store email addresses (normally mail, mailAlternateAddress, and mailEquivalentAddress). Thus, if an address for the list itself is specified as a mgrpAllowedBroadcaster, a user can subscribe to a restricted list using one address and use an alternate address to send messages to the list.
If none of the attribute values is a valid URL, or none of the members of the group specified in the attribute value have a valid URL, the message will bounce or be directed to a moderator (as determined by the mgrpMsgRejectAction attribute).
LDAP_AUTH_URL is the MTA option used to specify a different attribute name for this function.
mgrpAllowedBroadcaster: uid=bjensen,o=siroe.com
mgrpAllowedBroadcaster: ldap:///uid=bjensen,o=siroe.com
mgrpAllowedBroadcaster:mailto:group1@siroe.com
2.16.840.1.113730.3.1.22
Messaging Server 5.0
cis, multi-valued
Identifies domains or subdomains from which users are allowed to send messages to the mail group. Note that glob-style wildcarding can be used in the domains. In other words, any part of the domain specification can be wildcarded.
If no instances of this attribute exist on the inetMailGroup entry, then there are no restrictions on who can send messages to the mail group unless the mgrpAllowedBroadcaster, mgrpDisallowedBroadcaster, and mgrpDisallowedDomain attributes are used.
LDAP_AUTH_DOMAIN is the MTA option used to specify a different attribute name for this function.
mgrpAllowedDomain:siroe.com will only match the siroe.com domain.
mgrpAllowedDomain:*.siroe.com will match any subdomain of the siroe.com domain.
mgrpAllowedDomain:*.com will match any *.com domain.
mgrpAllowedDomain:siroe.* will match any top-level domain beginning with siroe.
2.16.840.1.113730.3.1.23
Messaging Server 5.0
ces, single-valued
Specifies a password needed to post to the list.
The presence of this attribute forces a reprocessing pass. As the message is enqueued to the reprocessing channel, the password is taken from the header and placed in the envelope. Then, while reprocessing, the password is taken from the envelope and checked against this attribute. Only passwords that are actually used are removed from the header field.
This allows for routing to the moderator in the event of a password failure.
LDAP_AUTH_PASSWORD is the MTA option used to specify a different attribute name for this function.
No example given.
2.16.840.1.113730.3.1.783
Messaging Server 5.0
cis, single-valued
Policy for determining allowed broadcaster. It specifies the level of authentication required to access the list of broadcaster addresses. The allowed values are:
AUTH_REQ, SMTP_AUTH_REQUIRED
In order to post to the list, the sender must be authenticated using the SMTP AUTH command.
PASSWORD_REQUIRED, PASSWD_REQUIRED, PASSWD_REQ
All values mean the password to the broadcaster list, specified by the mgrpAuthPassword attribute, must appear in an Approved: header field in the message.
NO_REQUIREMENTS
This value means no special requirements apply.
LDAP_AUTH_POLICY is the MTA option used to specify a different attribute name for this function.
mgrpBroadcasterPolicy:AUTH_REQ
2.16.840.1.113730.3.1.3
Messaging Server 5.0
ces, multi-valued
Used as an alternative method of specifying mail group membership. This can be used to create a dynamic mailing list.
The preferred attribute to use for specifying dynamic mail group is memberURL.
The values of this attribute are a list of URLs, which, when expanded, provide mailing list member addresses.
Messaging Server expects this attribute to contain an LDAP URL using the format described in RFC 1959. Any entries returned by the resulting LDAP search are members of the mailing group. There is a hard limit on the length of the search filter of 1024 bytes.
LDAP_GROUP_URL1 is the MTA option used to specify a different attribute name for this function.
This example returns all users in the United States Accounting department for Sesta corporation.
mgrpDeliverTo: ldap:///ou=Accounting,o=Sesta,c=US??sub?(&(objectClass=inetMailUser)(objectClass=inetOrgPerson))
2.16.840.1.113730.3.1.25
Messaging Server 5.0
ces, multi-valued
Identifies mail users not allowed to send messages to the mail group. If no instances of this attribute exist on the inetMailGroup entry, then there are no restrictions on who can send messages to the mail group unless the mgrpAllowedDomain and mgrpDisallowedDomain attributes are used.
Messaging Server expects this attribute to contain either a distinguished name or an RFC822address. If a distinguished name is used, it must represent a mailable entry or entries of type group or groupOfUniqueNames. (That is, the group entry must contain an email address in one of the following attributes: mail, mailAlternateAddress, mailEquivalentAddress.) The distinguished name must be represented in the form of an LDAP URL as described in RFC 1959.
If multi-valued, each URL is expanded into a list of addresses and each address is checked against the current envelope “from” address. The message is disallowed if there is a match.
LDAP_CANT_URL is the MTA option used to specify a different attribute name for this function.
mgrpDisallowedBroadcaster: ldap:///uid=bjensen, o=sesta.com
mgrpDisallowedBroadcaster: mailto:sys50@sesta.com
2.16.840.1.113730.3.1.785
Messaging Server 5.0
cis, multi-valued
Identifies domains from which users are not allowed to send messages to the mail group. This attribute is a private extension used by Messaging Server to manage mailing lists. If this attribute exists, then messages from listed domains are rejected. If no instances of this attribute exist on the inetMailGroup entry, then there are no restrictions on who can send messages to the mail group unless the mgrpAllowedBroadcaster, mgrpDisallowedBroadcaster, and mgrpAllowedDomain attributes are used.
LDAP_CANT_DOMAIN is the MTA option used to specify a different attribute name for this function.
mgrpDisallowedDomain:sesta.com
2.16.840.1.113730.3.1.784
Messaging Server 5.0
ces, single-valued
Recipient of error messages generated when messages are submitted to this list. Recipient’s address can be specified using the mailto syntax, which includes an RFC 822 email address preceded by the keyword “mailto:” or simply an RFC 822 email address. Also supports LDAP URL syntax. However, if an LDAP URL is used, it must be one that produces a single address.
The envelope originator (MAIL FROM) address is set to the value of this attribute.
LDAP_ERRORS_TO is the MTA option used to specify a different attribute name for this function.
Example 1: mgrpErrorsTo:mailto:jordan@siroe.com
Example 2: mgrpErrorsTo: ldap:///uid=ofanning,ou=people,o=siroe.com,o=isp
2.16.840.1.113730.3.1.26
Messaging Server 5.0
ces, multi-valued
LDAP URI or mailto URL identifying the moderators allowed to submit messages to this list. Only those messages that are submitted by the moderator are sent to the members of this list. Messages submitted by others are forwarded to the moderators for approval and resubmitting.
The URLs given as the value of this attribute are expanded into a series of addresses, and then compared with the envelope “from” address. If there is a match, group processing continues. If there is no match, the value of this attribute becomes the group URL, any list of RFC 822 addresses or DNs associated with the group is cleared, the delivery options for the group are set to “members,” and there is no further group processing for the failed URL (subsequent group attributes are ignored).
LDAP_MODERATOR_URL is the MTA option used to specify a different attribute name for this function.
mgrpModerator: mailto:jordan@sesta.com
2.16.840.1.113730.3.1.33
Messaging Server 5.0
cis, single-valued
Maximum message size in bytes that can be sent to the group. Messaging Server expects zero or one instance of this attribute to exist for every mailGroup entry. If no entry exists, then no size limit is imposed on mail to the group.
This attribute is obsolete, but still supported for backwards compatibility. Use mailMsgMaxBlocks instead.
LDAP_ATTR_MAXIMUM_MESSAGE_SIZE is the MTA option used to specify a different attribute name for this function.
mgrpMsgMaxSize:8000
2.16.840.1.113730.3.1.3
Not implemented.
UTF-8 text, single-valued
Specifies the text to be added to the beginning of the message text. You must supply the formatting. That is, you must insert CRLF where they belong in the text.
LDAP_PREFIX_TEXT is the MTA option used to specify a different attribute name for this function.
No example given.
Unknown
Messaging Server 5.0
cis, single-valued
Identifies the action to be taken when an email sent to a mail group is rejected. The Messaging Server may reject mail for the following reasons:
It is received from an unauthorized domain (as defined by the mgrpAllowedDomain attribute).
It is received from a mail address that is not a member of the mgrpAllowedBroadcaster attribute.
It is larger than the size permitted on mgrpMsgMaxSize.
This attribute takes two values: reply and toModerator:
reply– The system produces an SMTP error, which is also the default if the attribute is not set. The text of the failure notice is stored in the mgrpMsgRejectText attribute.
toModerator– The mail is forwarded to the moderator for processing. The moderator is identified by the mgrpModerator attribute.
LDAP_REJECT_ACTION is the MTA option used to specify a different attribute name for this function.
mgrpMsgRejectAction: reply
2.16.840.1.113730.3.1.28
Messaging Server 5.0
cis, single-valued
Specifies the error text to use in the event of a group access failure. Because this text may appear in SMTP responses, it is restricted to a single line of US-ASCII. This is implemented by reading only the first line of text in this attribute and using it only if it contains no 8-bit characters. (This is a limitation of the SMTP protocol.)
No example given.
2.16.840.1.113730.3.1.29
Not implemented.
UTF-8 text, single-valued
inetMailGroup
Specifies the text to be appended to the text message. You must supply the formatting. That is, you must insert any CRLFs (carriage return, line feed) that belong in the text.
LDAP_SUFFIX_TEXT is the MTA option used to specify a different attribute name for this function.
No example given.
Unknown
Messaging Server 5.0, not implemented going forward for Messaging Server 5.2
cis, single-valued
This attribute is no longer supported. Duplicate checking is controlled by characteristics of the lists themselves. Some lists combine and some lists don’t.
Old definition: Prevents Messaging Server from checking for duplicate delivery to members of the mail group. Prevents multiple deliveries if a user is on multiple lists. No means the system checks for duplicate delivery. Yes means the system does not check for duplicate delivery.
mgrpNoDuplicateChecks: yes
2.16.840.1.113730.3.1.789
Messaging Server 5.0
cis, multi-valued
Each attribute value specifies a header field that is to be removed from the message header, if present.
Turns the headers specified into header trimming MAXLINES=-1 options.
LDAP_REMOVE_HEADER is the MTA option used to specify a different attribute name for this function.
No example given.
2.16.840.1.113730.3.1.801
This attribute has been removed from the schema. It is no longer supported. It only worked for dirsync mode, which was deprecated in Messaging Server 5.2.
Messaging Server 5.0
cis, multi-valued
Identifies recipients of mail sent to mail group. Mail sent to both this attribute and uniqueMember attributes are not members of the mixed-in groupOfUniqueNames. This attribute represents mail recipients that cannot be expressed as distinguished names, or who are to be sent mail from this group but who do not have the full privileges of a unique group member. Messaging Server expects this attribute to contain RFC 822 mail addresses. Generally used for group members who are not in the local directory.
For backwards compatibility, rfc822MailMember is also supported. You can use either one or the other of these attributes in any given group, but not both.
LDAP_GROUP_RFC822 is the MTA option used to specify a different attribute name for this function.
mgrpRFC822MailMember:bjensen@siroe.com
2.16.840.1.113730.3.1.30
Messaging Server 5.0
cis, single-valued
This attribute and the object class using it are deprecated in the current release, and may not be supported in future releases. Sites should stop using this feature and consider migrating current vanity domains to hosted domains.
No example given.
2.16.840.1.113730.3.1.799
Messaging Server 5.0
cis, single-valued
Detailed description of the distribution list. A dollar sign (“$”) creates a new line.
multiLineDescription:People who like cats. $And are ambivalent about people.
1.3.6.1.4.1.250.1.2
Messaging Server 5.0
cis, single-valued
Identifies the short name used to locate a pabPerson or a pabGroup entry.
nickname:Nick
2.16.840.1.113730.3.1.720
Netscape™ Calendar Hosting Server
cis, single-valued
Lists the calendar protocols not allowed to be used by this user.
No example given.
2.16.840.1.113730.3.1.539
Messaging Server 5.0
cis, multi-valued
This attribute holds the pairs that define client user preferences such as sort order, Mail From address, and so on. Each instance of this attribute is the tuple pref_name=pref_value. This is a proprietary syntax and the examples below are for illustrative purposes only.
Example 1: nswmExtendedUserPrefs: meColorSet=4
Example 2: nswmExtendedUserPrefs: meSort=r
Example 3: nswmExtendedUserPrefs: meAutoSign=True
Example 4: nswmExtendedUserPrefs: meSignature=OtisFanning$ofanning@sesta.com
Example 5: nswmExtendedUserPrefs: meDraftFolder=Drafts
2.16.840.1.113730.3.1.520
Messaging Server 5.0
cis, single-valued
Name of the user’s company or organization. Abbreviation of organizationName.
organizationName:Company22 Incorporated
or
o:Company22 Incorporated
2.5.4.10
Origin
Messaging Server 5.0
cis
Specifies the objects for this object class.
objectClass:person
2.5.4.0
All information about this attribute found under o.
All information about this attribute found under ou.
Messaging Server 5.0
cis, single-valued
Name of the organizational unit to which the user belongs. Abbreviation for organizationUnitName.
organizationUnitName:docs
or
ou:docs
2.16.840.1.113730.3.1.722
Messaging Server 5.0, Calendar Server
dn, single-valued
groupOfUniqueNames, icsCalendarResource
Identifies the distinguished name (DN) of the person or group with administrative privileges over the entry.
If the group has Calendar service (is a Calendar group), the owner must be a Calendar user in the same domain as the group. That is, Calendar service must be assigned to the owner as well as the Calendar group.
owner:cn=John Smith,o=Sesta,c=US
2.5.4.32
Messaging Server 5.0
cis, single-valued
LDAP URI specifying the container of the personal address book entries for this user. It takes the following form: ldap://server:port/container_dn, where:
server – Host name of the personal address book LDAP server.
port – Port of the personal address book LDAP server.
container_dn – DN of the subtree where all PAB entries for the user are created.
pabURI: ldap://ldap.siroe.com:389/ou=ed,ou=people,o=sesta.com,o=isp,o=pab
2.16.840.1.113730.3.1.703
Messaging Server 6.0, Calendar Server 6.0
cis, single-valued
sunManagedSubOrganization
Specifies the logical parent of a suborganization. The value of this is the DN of the parent organization or parent suborganization.
parentOrganization:o=sesta,o=com,o=internet
Unknown
LDAP
cis
icsCalendarResource, organization, organizationalUnit
Identifies the entry’s mailing address. This field is intended to include multiple lines. When represented in LDIF format, each line should be separated by a dollar sign ($).
To represent an actual dollar sign (“$”) or backslash (“\”) within this text, use the escaped hex values, \24 and \5c respectively. For example, to represent the string:
The dollar ($) value can be found
in the c:\cost file.
provide the string:
The dollar (\24) value can be found$in the c:\5ccost file.
postalAddress:123 Oak Street$Anytown, CA$90101
2.5.4.16
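The postalAddress encoding described above, shown as a round trip. This is an added example, not code from the product; the function names are hypothetical, and the decoder assumes that only the two escapes named on this page (\24 and \5c) are valid.

```python
# Added example: encode and decode postalAddress values using the "$" line
# separator and the \24 / \5c escapes. Function names are hypothetical.

_ESCAPES = {"24": "$", "5c": "\\"}


def encode_postal_address(lines):
    """Join address lines into a single postalAddress value."""
    encoded = []
    for line in lines:
        # Escape the backslash first; otherwise the backslash introduced by
        # the "$" escape would itself be escaped a second time.
        encoded.append(line.replace("\\", "\\5c").replace("$", "\\24"))
    return "$".join(encoded)


def _unescape(line):
    out, i = [], 0
    while i < len(line):
        if line[i] == "\\":
            code = line[i + 1:i + 3].lower()
            if code not in _ESCAPES:
                # A bare backslash or any other hex pair is rejected
                # (assumption of this example).
                raise ValueError(f"invalid escape {line[i:i + 3]!r} at offset {i}")
            out.append(_ESCAPES[code])
            i += 3
        else:
            out.append(line[i])
            i += 1
    return "".join(out)


def decode_postal_address(value):
    """Split a postalAddress value into lines, then undo the escapes."""
    # Every "$" left in a well-formed value is a separator, because literal
    # dollar signs were stored as \24. Split first, unescape second.
    return [_unescape(part) for part in value.split("$")]


if __name__ == "__main__":
    text = ["The dollar ($) value can be found", "in the c:\\cost file."]
    stored = encode_postal_address(text)
    print(stored)
    assert decode_postal_address(stored) == text
```

Unescaping before splitting would turn an escaped dollar sign back into a separator, which is why the decoder splits on "$" first.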
Messaging Server 5.0, Calendar Server, Directory Server
icsCalendarUser, inetMailGroup, inetOrgPerson, iPlanetPreferences, mailDomain
Preferred written or spoken language for a person. The value for this attribute should conform to the syntax for HTTP Accept-Language header values.
Messaging Server uses this attribute to determine the locale. It does not use the locale specified with iPlanetPreferences.
Also used by Access Manager in user LDAP entries to store a user’s preferred language. Note that only Access Manager uses the iPlanetPreferences object class to host this attribute.
Table 3–18 Language Strings for preferredLanguage Attribute
Language String | Language |
---|---|
de | German |
en | English |
es | Spanish |
fr | French |
ja | Japanese |
ko | Korean |
zh-CN | Chinese - People’s Republic of China |
zh-TW | Chinese - Taiwan |
preferredLanguage:en
2.16.840.1.113730.3.1.39
Messaging Server 5.0
cis, single-valued
If you are provisioning an LDAP Schema 2 directory with Communications Suite Delegated Administrator:
See preferredMailHost for a definition of how to use this attribute with Schema 2.
If you are provisioning an LDAP Schema 1 directory with iPlanet Delegated Administrator, use the following definition:
Used to set the mailHost attribute of newly created users in this mail domain. When a user is created, the mailHost attribute of the user entry is filled by the value of preferredMailHost.
preferredMailHost:mail.siroe.com
2.16.840.1.113730.3.1.761
Messaging Server 5.0
cis, single-valued
If you are provisioning an LDAP Schema 2 directory with Communications Suite Delegated Administrator:
See preferredMailMessageStore for a definition of how to use this attribute with Schema 2.
If you are provisioning an LDAP Schema 1 directory with iPlanet Delegated Administrator, use the following definition:
Used to set the mailMessageStore attribute of newly created users. If missing, Delegated Administrator leaves the mailMessageStore attribute empty and the access server assumes that the user’s mailbox is in the default partition of the server instance.
preferredMailMessageStore: primary
2.16.840.1.113730.3.1.762
LDAP
dn
groupOfUniqueNames, organization, organizationalUnit
Identifies another LDAP entry that may contain information related to this entry.
seeAlso: cn=Quality Control Inspectors,ou=manufacturing,o=Company22, c=US
2.5.4.34
LDAP
cis
Identifies the entry’s surname, also referred to as last name or family name.
surname:jones
2.5.4.4
LDAP
tel
domain, organization, organizationalUnit
Identifies the entry’s phone number.
telephoneNumber:800-555-1212
2.5.4.20
Calendar Server 5.0, Messaging Server 5.0
cis, single-valued
icsCalendarResource, icsCalendarUser
Identifies the unique identifier for this user or resource within its relative namespace. All valid user and resource entries must have a uid attribute. Group entries may have a uid.
For Messaging Server, the uid is used to generate the user address to pass to the delivery channel. If a user entry does not have a uid attribute, the entry is ignored. If multiple uid attributes exist in an entry, only the first one is used. The MTA option used to override this attribute’s value is LDAP_UID.
uid:jdoe
0.9.2342.19200300.100.1.1
Messaging Server 5.0
cis, single-valued
Unique name assigned to PAB entry. This is also the naming attribute for entries created by this object class and is used to form the DN of all PAB entries, irrespective of the type (pab, pabPerson, or pabGroup).
un:Nick
2.16.840.1.113730.3.1.717
Messaging Server 5.0
dn, multi-valued
Identifies a member of a static group. Each member of the group is listed in the group’s LDAP entry using this attribute.
uniqueMember:uid=jdoe,ou=People,o=sesta.com,o=basedn
uniqueMember: uid=rsmith,ou=People,o=sesta.com,o=basedn
2.5.4.50
All information for this attribute found at uid.
Messaging Server 5.0
bin, single-valued
Even though RFC 2256 defines this attribute as multi-valued, for Sun Java™ System products, only one value is allowed.
inetUser, domain, organization, organizationalUnit
This attribute identifies the entry’s password and encryption method in the following format:
{encryption method}encrypted password
Transfer of cleartext passwords is strongly discouraged where the underlying transport service cannot guarantee confidentiality. Transfer of cleartext may result in disclosure of the password to unauthorized parties.
userPassword:{sha}FTSLQhxXpA05
2.5.4.35
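An audit sketch for the {encryption method} prefix format described above: it reads an LDIF export and reports, per entry, which storage scheme each userPassword value uses, without echoing the value. This is an added example, not code from the product; the function names, the sample entries, and the classification of a missing prefix or {clear} as cleartext and of {sha} and {md5} as unsalted digests are assumptions of the example.

```python
import base64
import re

# Assumptions of this example (not taken from the page): no prefix or {clear}
# means the value is stored in cleartext; {sha} and {md5} are unsalted digests.
CLEARTEXT = {"clear"}
UNSALTED = {"sha", "md5"}
_PREFIX = re.compile(r"^\{([^{}]+)\}(.*)$", re.DOTALL)


def split_user_password(value):
    """Return (scheme, remainder); scheme is None without a {scheme} prefix."""
    m = _PREFIX.match(value)
    return (m.group(1).lower(), m.group(2)) if m else (None, value)


def classify(value):
    scheme, _ = split_user_password(value)
    if scheme is None or scheme in CLEARTEXT:
        return "cleartext"
    if scheme in UNSALTED:
        return "unsalted:" + scheme
    return "scheme:" + scheme


def audit_ldif(text):
    """Return [(dn, classification)] for each userPassword value in LDIF text."""
    findings, dn = [], None
    for line in text.replace("\n ", "").splitlines():  # unfold continuation lines
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if name.lower() == "dn":
            dn = rest.strip()
        elif name.lower() == "userpassword":
            if rest.startswith(":"):  # "::" marks a base64-encoded value
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            # Report only the scheme, never the stored value itself.
            findings.append((dn, classify(rest.strip())))
    return findings


# Constructed sample; the DNs and values are illustrative, not real entries.
SAMPLE = "\n".join([
    "dn: uid=jdoe,ou=People,o=sesta.com",
    "userPassword: {sha}FTSLQhxXpA05",
    "",
    "dn: uid=rsmith,ou=People,o=sesta.com",
    "userPassword: hunter2-constructed",
    "",
    "dn: uid=asmith,ou=People,o=sesta.com",
    "userPassword:: " + base64.b64encode(b"{SSHA}constructed").decode(),
])
```

Calling audit_ldif(SAMPLE) flags the second entry as cleartext and the first as an unsalted digest, which is the list to work through when migrating stored passwords to a stronger scheme.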
Messaging Server 5.0
cis, single-valued
Vacation end date and time. The date is in the format YYYYMMDDHHMMSSZ, where YYYY is the four-digit year, the first MM is the two-digit month, DD is the two-digit day, HH is the two-digit hour, the second MM is the two-digit minute, and SS is the two-digit second. Time is normalized to GMT. Z is the character Z.
When the current date falls outside the range of dates specified by the attributes vacationStartDate and vacationEndDate, then any delivery options (in the DELIVERY_OPTIONS list) prefixed with “^” are removed from the active set of options. For example, if one of the DELIVERY_OPTIONS is “^*autoreply” and today’s date falls outside the vacation date range, then the option is removed from the active options list. Otherwise, the autoreply delivery option is activated.
vacationEndDate:20000220000000Z
2.16.840.1.113730.3.1.708
Messaging Server 5.0
cis, single-valued
Vacation start date and time. The date is in the format YYYYMMDDHHMMSSZ, where YYYY is the four-digit year, the first MM is the two-digit month, DD is the two-digit day, HH is the two-digit hour, the second MM is the two-digit minute, and SS is the two-digit second. Time is normalized to GMT. Z is the character Z.
vacationStartDate:20000215000000Z
2.16.840.1.113730.3.1.707
Messaging Server
cis, single-valued
inetMailGroup
The mgrpErrorsTo attribute specifies either an email address or a URL, which is resolved to produce an address. The address is placed in the MAIL FROM (envelope from) field of all messages the list produces. Additionally, the presence of the mgrpErrorsTo attribute causes the MTA to treat the group as a full-fledged mailing list and not as a simple autoforwarder. The basic purpose of the MAIL FROM address is to create a place to send reports of message delivery problems. As such, the main effect of mgrpErrorsTo is to cause errors delivering list mail to be directed to the mgrpErrorsTo address.
mgrpErrorsTo=mgrperrors.log@siroe.com
2.16.840.1.113730.3.1.26