This chapter describes the LDAP object classes and attributes for Sun Java System Access Manager implementing LDAP Schema 2. The object classes and attributes are listed alphabetically.
Note that the Access Manager schema is subject to change. To understand provisioning considerations, see the Sun Java Enterprise System Installation Guide.
The chapter is divided into two sections:
This section describes the following Access Manager object classes:
Access Manager
Specifies a dynamic group with a well-known attribute in the search filter. For Messaging Server, the well-known attribute is memberOf. The search filter is contained in the mgrpDeliverTo attribute.
iplanet-am-managed-group
auxiliary
2.16.840.1.113730.3.2.182
none
Inherits attributes from superior class.
Access Manager
Specifies a dynamic group which can be filtered on any attribute. The search filter is set in the mgrpDeliverTo attribute.
This group is not subscribable. Do not use iplanet-am-group-subscribable for a filtered dynamic group.
iplanet-am-managed-group
auxiliary
2.16.840.1.113730.3.2.181
none
Inherits attributes from superior class. Note that since this group cannot be subscribed to, the mail attribute should not be used with it. If present, it will be ignored.
Access Manager
Specifies the attributes necessary to define administrator roles and their ACIs. The list of all users assigned this role is a dynamic list; that is, the list can be retrieved only by performing a search filtered by the role name. For further information on roles, see the Access Manager documentation at:
http://docs.sun.com
iplanet-am-managed-role
auxiliary
1.3.6.1.4.1.42.2.27.9.2.74
none
This class inherits the attributes of its superior class, see iplanet-am-managed-role.
Access Manager
This is the superior class for the various types of groups: static, assignable dynamic, and filtered dynamic. (See iplanet-am-managed-assignable-group, iplanet-am-managed-filtered-group, iplanet-am-managed-static-group.)
top
auxiliary
2.16.840.1.113730.3.2.180
none
Access Manager
The Access Manager class that defines the groups container under each Messaging Server hosted domain.
top
auxiliary
2.16.840.1.113730.3.2.189
none
none
Access Manager
This class is used by Access Manager to manage organizational units. It uses the same attributes as sunManagedOrganization and for all intents and purposes functions as any other organization managed by Access Manager.
Do not use this class for the domain organizations, or people and group containers in Messaging Server. Even though the attribute that holds the container name is organizational unit (ou), the proper Access Manager class to use is either iplanet-am-managed-group-container, or iplanet-am-managed-people-container.
top
auxiliary
2.16.840.1.113730.3.2.186
none
businessCategory, iplanet-am-service-status, telephoneNumber, sunOverrideTemplates, sunPreferredDomain, seeAlso
Access Manager
The Access Manager class that defines the people container under each Messaging Server hosted domain.
top
auxiliary
2.16.840.1.113730.3.2.187
none
none
Access Manager
Specifies Access Manager attributes used to manage users.
top
auxiliary
2.16.840.1.113730.3.2.184
none
iplanet-am-modifiable-by, iplanet-am-role-aci-description, iplanet-am-static-group-dn, iplanet-am-user-account-life
Access Manager
Specifies the attributes necessary to define administrator roles and their ACIs. This is the superior class for iplanet-am-managed-filtered-role.
top
auxiliary
2.16.840.1.113730.3.2.179
none
iplanet-am-role-aci-description, iplanet-am-role-aci-list, iplanet-am-role-any-options, iplanet-am-role-description, iplanet-am-role-managed-container-dn, iplanet-am-role-service-options, iplanet-am-role-type
Access Manager
Defines a group whose members are identified by the uniqueMember attribute. Each user named in those values has the memberOf attribute in their LDAP user entry.
Note that static groups can have dynamic members. In this case, the LDAP entry must also contain the iplanet-am-managed-assignable-group object class.
iplanet-am-managed-group
auxiliary
2.16.840.1.113730.3.2.183
none
none (inherits from iplanet-am-managed-group)
Access Manager
This class contains the Access Manager attributes necessary to manage user accounts.
top
auxiliary
2.16.840.1.113730.3.2.176
none
iplanet-am-user-account-life, iplanet-am-user-admin-start-dn, iplanet-am-user-alias-list, iplanet-am-user-auth-config, iplanet-am-user-auth-modules, iplanet-am-user-failure-url, iplanet-am-user-federation-info, iplanet-am-user-federation-info-key, iplanet-am-user-login-status, iplanet-am-user-password-reset-force-reset, iplanet-am-user-password-reset-options, iplanet-am-user-password-reset-question-answer, iplanet-am-user-service-status, iplanet-am-user-success-url
Directory Server
Used by Access Manager. While Messaging Server does not use this object class, it is necessary for Access Manager.
Attributes for this object class hold certain preferences for this user. Specifically, the preferred language, preferred locale, and preferred time zone.
Note: The Messaging Server does not use this object class to define the preferred language. In addition, it does not use an attribute for locale; it infers the locale from the language. Messaging Server holds the preferredLanguage attribute in inetOrgPerson.
top
auxiliary
Unassigned
none
preferredLanguage, preferredLocale, preferredTimeZone
Calendar Server 6.0, Messaging Server 6.0
For LDAP Schema 2, this is a core class for both Messaging and Calendar products doing authentication with SSO. Every physical node must contain this class, including the root suffix.
The attribute holds the fully qualified login host name.
top
auxiliary
Unassigned
none
Calendar Server 6.0, Messaging Server 6.0
This is a core class for both Messaging and Calendar products. Every physical node must contain this class.
top
auxiliary
2.16.840.1.113730.3.2.185
sunPreferredDomain, associatedDomain, businessCategory, sunPreferredOrganization, telephoneNumber, sunOverrideTemplates, inetDomainBaseDN
Access Manager
Used for LDAP Schema 2 only. Required to be present at the root of a subtree representing a namespace. Access Manager enforces the uniqueness attribute for namespaces.
Any organization or its subtree nodes can be designated as a namespace by extending the organization LDAP entry with this object class. Namespaces based on different unique attributes may overlap. That is, a subtree of a node designated as a namespace could also be its own namespace if the unique attributes are different. For example, the parent node could use uid to enforce uniqueness, while the child node uses the employee number.
This is a different paradigm than was used in LDAP Schema 1, in which every domain was considered a unique namespace (using uid as the default unique attribute). For LDAP Schema 2, all namespaces must be explicitly declared using this object class.
After Access Manager is installed, the root-suffix node contains this object class, but not its corresponding attribute. If you want to provision more than one unique namespace for your Messaging Server or Calendar Server installation, do not add sunNameSpaceUniqueAttrs to the root-suffix node.
For more information about namespaces, see the Sun Java Enterprise System Installation Guide.
top
auxiliary
1.3.6.1.4.1.42.2.27.9.2.29
none
Calendar Server 6.0, Messaging Server 6.0
Templates are LDAP entries of this object class. Search templates are used to describe how applications should construct searches to send to the directory server in order to locate entries in the DIT.
The entry is named by its required ou attribute.
top
auxiliary
1.3.6.1.4.1.42.2.27.9.2.27
organizationalUnitName (ou)
description, sunKeyValue, sunServiceId, sunSmsPriority, sunXmlKeyValue
Messaging Server 5.0
Used to store the presence information for a user.
top
auxiliary
2.16.840.1.113730.3.2.136
none
vacationEndDate, vacationStartDate
This section describes the following Access Manager attributes:
LDAP Schema 2
dn, multi-valued
inetDomain, sunManagedOrganization
Specifies the DNS domain name aliases used to look up an organization entry.
Used when a domain subtree is being referenced by domain names in addition to the one specified in the attribute sunPreferredDomain.
associatedDomain:qa.sesta.com
associatedDomain:eng.sesta.com
Unassigned
Access Manager
cis, single-valued
This is a global status for groups and overrides the status found in inetMailGroupStatus. It holds the current status of the group for all services: active, inactive, or deleted. It is used by Access Manager to manage groups. A group’s status can be changed using the commcli interface, or by directly changing the LDAP entry for the group.
The following table lists the attribute’s values and their meanings:
Table 4–1 Status Attribute Values
| Value | Description |
|---|---|
| active | The group is active and its users may use services enabled by the overlay of service-specific object classes and the service state as indicated by the particular status attribute for that service. |
| inactive | Group is inactive. The group users may not use any services granted by service-specific object classes. This state overrides individual service status set using the service’s status attributes. |
| deleted | Group is marked as deleted. The group may remain in this state within the directory for some time (pending purging of deleted groups). Service requests for all groups marked as deleted will return permanent failures. |
A missing value implies status is active. An illegal value is treated as inactive.
inetGroupStatus: active
1.3.6.1.4.1.42.2.27.9.1.588
Access Manager
boolean, single-valued
Specifies whether users can subscribe to the group. Boolean value: true, false. Default setting is true.
If the value is true, the group can be seen, searched for, and subscribed to by end users. If the value is false, the group can be seen and searched for but cannot be subscribed to by end users.
Filtered groups cannot be subscribed to; this attribute is ignored if found on a filtered group.
iplanet-am-group-subscribable: true
2.16.840.1.113730.3.1.1085
Access Manager
dn, multi-valued
This attribute lists the role-dn of the administrator who has access rights to modify this user entry. By default, the value is set to the role-dn of the administrator who created the account.
For native mode (with domain nodes on the organization tree):
iplanet-am-modifiable-by: cn=Top-level Admin Role, o=sesta.com
For compatibility mode (with domain nodes on the DC Tree):
iplanet-am-modifiable-by: cn=Top-level Admin Role, dc=sesta, dc=com
2.16.840.1.113730.3.1.1094
Access Manager
string, multi-valued
Description of the ACI that belongs to this role.
No example given.
2.16.840.1.113730.3.1.1081
Access Manager
string, multi-valued
The set of ACIs associated with this role. The format is a DN:ACI pair, where the DN of the entry is specified together with its ACI. When deleting a role, this attribute allows the ACIs associated with the role to be located and cleaned up properly.
For native mode (with domain nodes on the organization tree):
iplanet-am-role-aci-list: o=sesta.com, o=basedn:aci: (target="ldap:///o=sesta.com,o=basedn") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,o=sesta.com,o=basedn) (nsroledn=cn=Top-level Help Desk Admin Role,o=sesta.com,o=basedn)))) (targetattr != "nsroledn") (version 3.0; acl "Organization Admin access allow"; allow (all) roledn = "ldap:///cn=myrole,o=sesta.com,o=basedn";)
For compatibility mode (with domain nodes on a DC Tree):
iplanet-am-role-aci-list: dc=sesta,dc=com:aci: (target="ldap:///dc=sesta,dc=com") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=sesta,dc=com) (nsroledn=cn=Top-level Help Desk Admin Role,dc=sesta,dc=com)))) (targetattr != "nsroledn") (version 3.0; acl "Organization Admin access allow"; allow (all) roledn = "ldap:///cn=myrole,dc=sesta,dc=com";)
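The DN:ACI pairs above are what an administrator has to walk through when a role is retired: every ACI that grants to the role (roledn) or filters on it (nsroledn) has to be found and removed, or it lingers as a dangling grant. The following parser is an added example, not code from Access Manager or the Sun documentation. It takes the two example values from this section (constructed here as Python strings with the attribute name stripped), splits each at the first `:aci:` separator, and extracts the ACL name and the role DNs the ACI references, so the entries needing cleanup for a given role can be listed. DN normalization is deliberately simple (case folding and whitespace stripping around commas) and does not handle escaped commas inside attribute values.

```python
import re

# Constructed sample values, modelled on the native-mode and compatibility-mode
# examples in this section (the "iplanet-am-role-aci-list:" prefix removed).
SAMPLE_ACI_VALUES = [
    'o=sesta.com, o=basedn:aci: (target="ldap:///o=sesta.com,o=basedn") '
    '(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,o=sesta.com,o=basedn) '
    '(nsroledn=cn=Top-level Help Desk Admin Role,o=sesta.com,o=basedn)))) '
    '(targetattr != "nsroledn") (version 3.0; acl "Organization Admin access allow"; '
    'allow (all) roledn = "ldap:///cn=myrole,o=sesta.com,o=basedn";)',
    'dc=sesta,dc=com:aci: (target="ldap:///dc=sesta,dc=com") '
    '(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=sesta,dc=com) '
    '(nsroledn=cn=Top-level Help Desk Admin Role,dc=sesta,dc=com)))) '
    '(targetattr != "nsroledn") (version 3.0; acl "Organization Admin access allow"; '
    'allow (all) roledn = "ldap:///cn=myrole,dc=sesta,dc=com";)',
]

ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
# Bind rule granting to a role; the "ldap:///" prefix keeps this from matching
# the "nsroledn=" occurrences inside the targetfilter.
ROLEDN_RE = re.compile(r'roledn\s*=\s*"ldap:///([^"]*)"')
# Role DNs used as filter terms: (nsroledn=<dn>)
NSROLEDN_RE = re.compile(r"nsroledn=([^()]+)")


def normalize_dn(dn):
    """Case-fold and drop whitespace around RDN separators (simplified)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_aci_list_value(value):
    """Split one iplanet-am-role-aci-list value into DN, ACL name and role DNs."""
    dn, sep, aci = value.partition(":aci:")
    if not sep:
        raise ValueError("not a DN:ACI pair: %r" % value)
    aci = aci.strip()
    name = ACL_NAME_RE.search(aci)
    return {
        "target_dn": normalize_dn(dn),
        "acl_name": name.group(1) if name else None,
        "granted_roles": [normalize_dn(d) for d in ROLEDN_RE.findall(aci)],
        "filtered_roles": [normalize_dn(d) for d in NSROLEDN_RE.findall(aci)],
        "aci": aci,
    }


def acis_referencing_role(values, role_dn):
    """Return (target_dn, acl_name) for every ACI that grants to or filters on
    role_dn: the set that must be cleaned up when that role is deleted."""
    wanted = normalize_dn(role_dn)
    hits = []
    for value in values:
        parsed = parse_aci_list_value(value)
        if wanted in parsed["granted_roles"] or wanted in parsed["filtered_roles"]:
            hits.append((parsed["target_dn"], parsed["acl_name"]))
    return hits


if __name__ == "__main__":
    for hit in acis_referencing_role(SAMPLE_ACI_VALUES, "cn=myrole, o=sesta.com, o=basedn"):
        print("cleanup needed on %s: acl %r" % hit)
```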
2.16.840.1.113730.3.1.1082
Access Manager
string, multi-valued
Not currently used.
No example given.
2.16.840.1.113730.3.1.1084
Access Manager
cis, multi-valued
An optional description of the role being defined.
iplanet-am-role-description: Top Level Admin Role
2.16.840.1.113730.3.1.1080
Access Manager
dn, multi-valued
Defines the container this role resides in.
For example, if the role being defined administers the domain organization east:
iplanet-am-role-managed-container-dn: ou=east,o=sesta.com,o=basedn
2.16.840.1.113730.3.1.977
Access Manager
string, multi-valued
Not currently used.
No example given.
2.16.840.1.113730.3.1.1083
Access Manager
string, multi-valued
Defines the type of role. There are three values, as shown in the following table:
| Role Value | Role Names |
|---|---|
| 1 | Top Level Administration Role |
| 2 | General Administration Role |
| 3 | User Role |
Even though this attribute is defined as a multi-valued string, Messaging Server implements it as if it were a single-valued integer.
iplanet-am-role-type: 1
2.16.840.1.113730.3.1.1079
This attribute is aliased to sunRegisteredServiceName. Use that attribute instead.
Access Manager
dn, multi-valued
Defines the DNs for the static groups this user belongs to.
For native mode (with domain nodes on the organization tree):
iplanet-am-static-group-dn: cn=mygroup, ou=groups, o=sesta.com
For compatibility mode (with domain nodes on the DC Tree):
iplanet-am-static-group-dn: cn=mygroup, ou=groups, dc=sesta, dc=com
2.16.840.1.113730.3.1.1094
Access Manager
date string, single-valued
Specifies the account expiration date in the following format:
yyyy/mm/dd hh:mm:ss
where yyyy is the four-digit year (for example, 2005), the first mm is the month, dd is the day, hh is the hour of the time stamp, the second mm is the minutes, and ss is the seconds.
If this attribute is present, the authentication service will disallow login if the current date has passed the specified account expiration date.
iplanet-am-user-account-life: 2040/12/31 23:59:59
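Two of the rules in this chapter are easy to get subtly wrong in provisioning or audit tooling: the inetGroupStatus rule that a missing value means active while an illegal value means inactive, and the iplanet-am-user-account-life rule that a present expiration date in the past blocks login. The following is an added example, not code from Access Manager, that applies both rules to entries represented as Python dicts of attribute name to list of values (the shape an LDAP client library returns). The entries and timestamps are constructed. One choice is an assumption of this example rather than something the reference states: a present but unparseable account-life value is treated as expired, so that a corrupted value fails closed instead of silently granting indefinite access.

```python
from datetime import datetime

STATUS_VALUES = {"active", "inactive", "deleted"}
# Format given in the reference text: yyyy/mm/dd hh:mm:ss
ACCOUNT_LIFE_FORMAT = "%Y/%m/%d %H:%M:%S"


def effective_group_status(entry):
    """Resolve inetGroupStatus for a group entry.

    Missing value -> active; any value outside the three legal ones -> inactive.
    The syntax is cis, so comparison is case-insensitive.
    """
    values = entry.get("inetGroupStatus", [])
    if not values:
        return "active"
    status = values[0].strip().lower()
    if status not in STATUS_VALUES:
        return "inactive"
    return status


def parse_account_life(value):
    """Parse an iplanet-am-user-account-life value; None when malformed."""
    try:
        return datetime.strptime(value.strip(), ACCOUNT_LIFE_FORMAT)
    except ValueError:
        return None


def login_allowed(entry, now):
    """Apply the account-expiration rule to a user entry at time `now`.

    No attribute -> no expiration. A malformed value is treated as expired
    (assumption of this example; the reference does not define that case).
    """
    values = entry.get("iplanet-am-user-account-life", [])
    if not values:
        return True
    expires = parse_account_life(values[0])
    if expires is None:
        return False
    return now <= expires


# Constructed sample entries.
SAMPLE_GROUPS = {
    "cn=sales,ou=groups,o=sesta.com,o=basedn": {"inetGroupStatus": ["Active"]},
    "cn=legacy,ou=groups,o=sesta.com,o=basedn": {},
    "cn=broken,ou=groups,o=sesta.com,o=basedn": {"inetGroupStatus": ["suspended"]},
}
SAMPLE_USERS = {
    "uid=jdoe,ou=people,o=sesta.com,o=basedn": {
        "iplanet-am-user-account-life": ["2040/12/31 23:59:59"]},
    "uid=contractor,ou=people,o=sesta.com,o=basedn": {
        "iplanet-am-user-account-life": ["31/12/2040"]},  # wrong field order
    "uid=asmith,ou=people,o=sesta.com,o=basedn": {},
}

if __name__ == "__main__":
    for dn, entry in SAMPLE_GROUPS.items():
        print(dn, "->", effective_group_status(entry))
    now = datetime(2025, 1, 1, 0, 0, 0)
    for dn, entry in SAMPLE_USERS.items():
        print(dn, "-> login allowed:", login_allowed(entry, now))
```

Note that the fail-closed handling of a malformed date is the one place this example goes beyond the text; an audit script built on it should report such values separately so they get corrected rather than just locking the account.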
2.16.840.1.113730.3.1.976
Access Manager
dn, single-valued
Specifies the starting point node (DN) displayed in the starting view of the IS Console when this administrator logs in.
iplanet-am-user-admin-start-dn: ou=people,o=sesta.com,o=basedn
2.16.840.1.113730.3.1.1072
Access Manager
string, single-valued
Defines a list of aliases for the user.
User jdoe could have an alias of jd, johnd, or jd123456.
iplanet-am-user-alias-list: jd
iplanet-am-user-alias-list: johnd
iplanet-am-user-alias-list: jd123456
1.3.6.1.4.1.42.2.27.9.1.59
Access Manager
string, single-valued
Specifies the user authentication configuration method in an XML string. There is no default value.
<AttributeValuePair><Value> com.sun.identity.authentication.modules.ldap.LDAP REQUIRED </Value></AttributeValuePair>
1.3.6.1.4.1.42.2.27.9.1.58
Access Manager
string, multi-valued
Not currently used.
No example given.
2.16.840.1.113730.3.1.1071
Access Manager
string, single-valued
Defines the URL the user is redirected to if the login fails. Any valid URL can be used.
No example given.
1.3.6.1.4.1.42.2.27.9.1.71
Access Manager
string, single-valued
For Access Manager internal use only. Do not use.
Specifies the user account’s Federation specific information. This is managed internally by Access Manager’s Federation Management module to store user account’s Federation related information, and should not be modified outside of that module.
No example given.
1.3.6.1.4.1.42.2.27.9.1.74
Access Manager
string, single-valued
For Access Manager internal use only. Do not use.
Specifies the user account’s Federation information key. This is managed internally by Access Manager’s Federation Management module to store the user account’s Federation information key, and should not be modified outside of that module.
No example given.
1.3.6.1.4.1.42.2.27.9.1.73
Access Manager
string, single-valued
Specifies the user status. It takes two values:
Active - The user is allowed to authenticate through the Access Manager.
Inactive - The user is not allowed to authenticate through the Access Manager.
No example given.
2.16.840.1.113730.3.1.1074
Access Manager
boolean, single-valued
Not currently used.
Specifies whether password will be forced to be reset. Values: true, false. Defaults to false.
No example given.
1.3.6.1.4.1.42.2.27.9.1.591
Access Manager
string, single-valued
Used internally by Access Manager’s password reset module. Do not use. Any values assigned to this attribute will be ignored.
No example given.
1.3.6.1.4.1.42.2.27.9.1.589
Access Manager
string, single-valued
Not used.
No example given.
1.3.6.1.4.1.42.2.27.9.1.592
Access Manager
string, single-valued
Password question and answer used to prompt a user who has forgotten their password. The value holds the question followed by the answer (question answer).
iplanet-am-user-password-reset-question-answer: favorite restaurant Outback
1.3.6.1.4.1.42.2.27.9.1.590
Access Manager
dn, single-valued
Specifies the status of the user for various services.
No example given.
2.16.840.1.113730.3.1.1073
Access Manager
dn, single-valued
Defines the URL the user is redirected to if the login succeeds. Any valid URL can be used.
No example given.
1.3.6.1.4.1.42.2.27.9.1.71
Directory Server
cis, single-valued
Used by Access Manager to store user preference for locale. The values accepted by this attribute are described in the Sun Java System Access Manager Administration Guide, chapter 18. Some additional information on locales is located in the Sun Java System Directory Server Reference Manual.
preferredLocale:en-US
2.16.840.1.113730.3.1.39
Directory Server
cis, single-valued
Used by Access Manager to store user preference for time zone. Supported time zone names can be found in the appendix under Standard Time Zones.
preferredTimeZone: America/Los Angeles
Unassigned
Messaging Server 6.0, Calendar Server 6.0
cis, multi-valued
inetDomain, sunManagedOrganization
Specifies relative DN (RDN) sequences, that is, DNs relative to the organization entry. Values identify entries in the configuration templates part of the ou=services tree below this organization. These are additional templates beyond those specified in the global configuration templates. They are used to specify operations private to an organization.
This attribute must appear in the top entry for this organization.
No example given.
1.3.6.1.4.1.42.2.27.9.1.76
Messaging Server 6.0, Calendar Server 6.0
cis, multi-valued
Each value is a “key=value” pair, where the key is the name of the XML element. The following table lists the keys for search templates.
Table 4–2 Search Template Keys
| Key | Description |
|---|---|
| attrs | Attribute to retrieve from the LDAP entry. |
| rfc2247Flag | Boolean (true, false) that tells applications to use the RFC 2247 algorithm for constructing the DN of the LDAP entry, instead of performing an LDAP search using the filter specified in the inetDomainSearchFilter attribute. |
| baseDN | If rfc2247Flag is set to true, and if this key is present, then it must be appended to the algorithmically constructed DN in order to get the DN of the target entry. |
For more information on templates and the native and compatibility mode LDAP data models, see Chapter 1, Overview.
The following sunKeyValue attributes appear in the default search template for the native mode LDAP data model:
sunKeyValue: attrs=objectclass
sunKeyValue: attrs=ou
sunKeyValue: attrs=inetDomainStatus
The following sunKeyValue attributes appear in the default search template for compatibility mode (uses the RFC 2247 algorithm for constructing the search DN):
sunKeyValue: attrs=objectclass
sunKeyValue: attrs=ou
sunKeyValue: attrs=inetDomainStatus
sunKeyValue: rfc2247=true
sunKeyValue: baseDN=o=internet
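The two default templates above encode the difference between the native-mode and compatibility-mode lookups: in one the application searches with a filter, in the other it builds the domain entry's DN directly with the RFC 2247 algorithm (each DNS label becomes a dc= RDN, most specific label first) and appends the baseDN key. The following is an added example, not code from the Sun products, showing how an application would read a template's sunKeyValue values and decide which lookup to perform. The template values are the ones listed above, constructed here as Python lists; the search filter is a placeholder, since the real one comes from the inetDomainSearchFilter attribute, and the example accepts both the rfc2247Flag key named in the table and the rfc2247 spelling used in the example values. Because the domain name in the filter case comes from outside (a login name or mail address), it is escaped per RFC 4515 before being placed in the filter.

```python
# Constructed copies of the two default search templates listed above.
NATIVE_TEMPLATE = ["attrs=objectclass", "attrs=ou", "attrs=inetDomainStatus"]
COMPAT_TEMPLATE = NATIVE_TEMPLATE + ["rfc2247=true", "baseDN=o=internet"]

# Placeholder standing in for the inetDomainSearchFilter value (assumption).
DEFAULT_SEARCH_FILTER = "(&(objectClass=inetDomain)(associatedDomain=%s))"

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_search_template(values):
    """Map sunKeyValue values to key -> [values]; attrs may repeat."""
    parsed = {}
    for value in values:
        key, sep, val = value.partition("=")
        if not sep:
            raise ValueError("sunKeyValue without '=': %r" % value)
        parsed.setdefault(key.strip(), []).append(val.strip())
    return parsed


def rfc2247_dn(domain, base_dn=None):
    """RFC 2247: 'eng.sesta.com' -> 'dc=eng,dc=sesta,dc=com', plus base_dn if given."""
    labels = [lbl for lbl in domain.strip().strip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    dn = ",".join("dc=" + lbl for lbl in labels)
    return dn + "," + base_dn if base_dn else dn


def plan_domain_lookup(template_values, domain, search_filter=DEFAULT_SEARCH_FILTER):
    """Decide how to locate the domain entry according to the template.

    Returns a dict describing either a direct read of an RFC 2247 DN or a
    filtered search, together with the attributes the template asks for.
    """
    kv = parse_search_template(template_values)
    flag_values = kv.get("rfc2247Flag") or kv.get("rfc2247") or ["false"]
    use_rfc2247 = flag_values[0].lower() == "true"
    attrs = kv.get("attrs", [])
    if use_rfc2247:
        base_dn = kv.get("baseDN", [None])[0]
        return {"method": "rfc2247", "dn": rfc2247_dn(domain, base_dn), "attrs": attrs}
    return {
        "method": "search",
        "filter": search_filter % escape_filter_value(domain),
        "attrs": attrs,
    }


if __name__ == "__main__":
    print(plan_domain_lookup(NATIVE_TEMPLATE, "sesta.com"))
    print(plan_domain_lookup(COMPAT_TEMPLATE, "sesta.com"))
```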
1.3.6.1.4.1.42.2.27.9.1.83
Messaging Server 6.0, Calendar Server 6.0
cis, multi-valued
Stores the name of an attribute required to be unique across all entries in the subtree.
This attribute allows namespace uniqueness to be enforced. For further explanation of namespaces, see the Sun Java Enterprise System Installation Guide and the object class description for sunNameSpace.
sunNameSpaceUniqueAttrs:uid
sunNameSpaceUniqueAttrs:c
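The sunNameSpace object class description earlier in this chapter explains that namespaces may overlap: a parent organization can enforce uniqueness on uid while a child node enforces uniqueness on a different attribute, and each check applies only within the subtree that declares it. The following is an added example, not code from Access Manager, that audits a set of entries against such declarations. Entries and namespace declarations are constructed Python data: each entry is a (DN, attributes) pair and each namespace is a (subtree DN, list of unique attributes) pair, mirroring what sunNameSpaceUniqueAttrs on the subtree root would hold. The sample uses employeeNumber as the child-level unique attribute, standing in for the "employee number" mentioned in the sunNameSpace description.

```python
def normalize_dn(dn):
    """Case-fold and drop whitespace around RDN separators (simplified)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_under(entry_dn, subtree_dn):
    """True when entry_dn is subtree_dn itself or lies beneath it."""
    entry, subtree = normalize_dn(entry_dn), normalize_dn(subtree_dn)
    return entry == subtree or entry.endswith("," + subtree)


def find_violations(entries, namespaces):
    """Report duplicate values of each declared unique attribute per namespace.

    entries:    list of (dn, {attribute: [values]})
    namespaces: list of (subtree_dn, [unique attribute names])
    Returns a list of (subtree_dn, attribute, value, [offending DNs]).
    Values are compared case-insensitively, as for cis-syntax attributes.
    """
    violations = []
    for subtree_dn, unique_attrs in namespaces:
        for attr in unique_attrs:
            seen = {}
            for dn, attributes in entries:
                if not is_under(dn, subtree_dn):
                    continue
                for value in attributes.get(attr, []):
                    seen.setdefault(value.strip().lower(), []).append(dn)
            for value, dns in sorted(seen.items()):
                if len(dns) > 1:
                    violations.append((subtree_dn, attr, value, dns))
    return violations


# Constructed sample data: uid must be unique across the whole organization,
# employeeNumber only within each of the two sub-organizations.
SAMPLE_NAMESPACES = [
    ("o=sesta.com,o=basedn", ["uid"]),
    ("ou=east,o=sesta.com,o=basedn", ["employeeNumber"]),
    ("ou=west,o=sesta.com,o=basedn", ["employeeNumber"]),
]
SAMPLE_ENTRIES = [
    ("uid=jdoe,ou=people,ou=east,o=sesta.com,o=basedn",
     {"uid": ["jdoe"], "employeeNumber": ["1001"]}),
    ("uid=asmith,ou=people,ou=east,o=sesta.com,o=basedn",
     {"uid": ["asmith"], "employeeNumber": ["1001"]}),   # clashes within east
    ("uid=jdoe,ou=people,ou=west,o=sesta.com,o=basedn",
     {"uid": ["JDoe"], "employeeNumber": ["1001"]}),     # uid clashes at the root
]

if __name__ == "__main__":
    for subtree_dn, attr, value, dns in find_violations(SAMPLE_ENTRIES, SAMPLE_NAMESPACES):
        print("%s: %s=%s duplicated in %s" % (subtree_dn, attr, value, dns))
```

The same employeeNumber appearing in both east and west is not reported, because neither declared namespace spans both subtrees; declaring employeeNumber on the organization root instead would make it a single violation with three entries.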
1.3.6.1.4.1.42.2.27.9.1.85
Access Manager
cis, single-valued
Access Manager uses this attribute for authentication. It holds the fully qualified host name for the server the user is logging into.
The format is: server.domain.
sunOrganizationAlias: seaside.siroe.com
Unassigned
Messaging Server 6.0, Calendar Server 6.0
cis, multi-valued
inetDomain,sunManagedOrganization
Specifies relative DN (RDN) sequences, that is, DNs relative to the organization entry. Values identify entries in the configuration templates part of the ou=services tree below this organization. These templates override global configuration templates for searches and other operations within this organization.
This attribute must appear in the top entry for this organization.
No example given.
1.3.6.1.4.1.42.2.27.9.1.77
Messaging Server 6.0, Calendar Server 6.0
cis, single-valued
iplanet-am-managed-org-unit, sunManagedOrganization
Specifies the DNS domain name used to look up an organization entry when a unique matching organization is required.
When a value is available, provisioners should set it so that applications can look up organizations by domain name.
The domain name value of this attribute must be unique across all organizations in the directory, including the domains named in associatedDomain.
This attribute is for use with Schema 2 native mode LDAP directories only; it must not be used in DC Tree nodes.
sunPreferredDomain:sesta.com
2.16.840.1.113730.3.1.1086
Messaging Server 6.0, Calendar Server 6.0
cis, single-valued
iplanet-am-managed-org-unit, sunManagedOrganization
Specifies the DNS name used to look up an organization entry when a unique matching organization is required.
When a value is available, provisioners should set it so that applications can look up organizations by the organization’s name.
This attribute is for use with Schema 2 native mode LDAP directories only; it must not be used in DC Tree nodes.
sunPreferredOrganization:sesta.com
1.3.6.1.4.1.42.2.27.9.1.75
Access Manager
string, multi-valued
iplanet-am-managed-org-unit, sunManagedOrganization
Defines the set of names of the registered services. The following services are defined for Messaging Server and Calendar Server:
| Service Name | Description |
|---|---|
| DomainMailService | Mail service definition for domains. |
| DomainCalendarService | Calendar service definition for domains. |
| UserMailService | Mail service definition for users. |
| UserCalendarService | Calendar service definition for users. |
| GroupMailService | Mail service definition for groups. |
For informational purposes: The following services are used by Access Manager for authentication with SSO (Single Sign-On). These services must be registered to the root suffix node. This step is done by Access Manager as part of its installation process. The services are:
iPlanetAMAuthService
iPlanetAMAuthLDAPService
iPlanetAMPolicyConfigService
iPlanetAMAuthenticationDomainConfigService
iPlanetAMProviderConfigService
Anyone can create a new service and load it into Access Manager. For information on how to do this, see the Access Manager documentation at:
http://docs.sun.com/
sunRegisteredServiceName: DomainMailService
1.3.6.1.4.1.42.2.27.9.1.593
Messaging Server 6.0, Calendar Server 6.0
cis, single-valued
The kind of template being created. For search templates, the value is StructureUmsObjects. (At this time, search templates are the only publicly defined template type.)
sunServiceId:StructureUmsObjects
1.3.6.1.4.1.42.2.27.9.1.79
Access Manager
cis, single-valued
Stores the priority of the service with respect to its siblings.
sunSmsPriority:
1.3.6.1.4.1.42.2.27.9.1.81
Access Manager
cis, single-valued
Not currently used.
No example given.
1.3.6.1.4.1.42.2.27.9.1.84