This section describes the following Access Manager attributes:
LDAP Schema 2
dn, multi-valued
inetDomain, sunManagedOrganization
Specifies the DNS domain name aliases used to look up an organization entry.
Used when a domain subtree is referenced by domain names in addition to the one specified in the attribute sunPreferredDomain.
associatedDomain:qa.sesta.com
associatedDomain:eng.sesta.com
Unassigned
Access Manager
cis, single-valued
This is a global status for groups and overrides the status found in inetMailGroupStatus. It holds the current status of the group for all services: active, inactive, or deleted. It is used by Access Manager to manage groups. A group’s status can be changed using the commcli interface, or by directly changing the LDAP entry for the group.
The following table lists the attribute’s values and their meanings:
Table 4–1 Status Attribute Values

| Value | Description |
|---|---|
| active | The group is active and its users may use services enabled by the overlay of service-specific object classes and the service state as indicated by the particular status attribute for that service. |
| inactive | Group is inactive. The group users may not use any services granted by service-specific object classes. This state overrides individual service status set using the service’s status attributes. |
| deleted | Group is marked as deleted. The group may remain in this state within the directory for some time (pending purging of deleted groups). Service requests for all groups marked as deleted will return permanent failures. |
A missing value implies status is active. An illegal value is treated as inactive.
inetGroupStatus: active
1.3.6.1.4.1.42.2.27.9.1.588
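The status rules above (missing value means active, illegal value is treated as inactive, and a global inactive or deleted status overrides the per-service status) are easy to get wrong in provisioning or access-check code. The following is an added example, not code from the schema reference or from Access Manager, that applies those rules to group entries represented as constructed dictionaries of attribute name to list of values. It assumes that an absent per-service status attribute (such as inetMailGroupStatus) also means active, which the page states only for inetGroupStatus.

```python
# Added example (not from the schema reference): effective group status and
# service access derived from inetGroupStatus, following the rules in the
# attribute description. Entries are constructed dicts: attribute -> [values].

VALID_STATUS = {"active", "inactive", "deleted"}


def effective_group_status(entry):
    """Return the global status implied by inetGroupStatus."""
    values = entry.get("inetGroupStatus", [])
    if not values:
        return "active"  # a missing value implies active
    value = values[0].strip().lower()  # cis syntax: compare case-insensitively
    return value if value in VALID_STATUS else "inactive"  # illegal -> inactive


def service_allowed(entry, service_status_attr):
    """True if the group may use the service whose status attribute is named.

    The per-service attribute (e.g. inetMailGroupStatus) is consulted only when
    the global status is active; inactive and deleted override it. An absent
    per-service attribute is taken as active (assumption, see lead-in).
    """
    if effective_group_status(entry) != "active":
        return False
    svc = entry.get(service_status_attr, ["active"])
    return svc[0].strip().lower() == "active"


if __name__ == "__main__":
    # Constructed sample: global status active, mail service switched off.
    group = {"cn": ["mygroup"], "inetGroupStatus": ["active"],
             "inetMailGroupStatus": ["inactive"]}
    print(effective_group_status(group), service_allowed(group, "inetMailGroupStatus"))
```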
Access Manager
boolean, single-valued
Specifies if users can subscribe to the group. Boolean value: true, false. Default setting is true.
If the value is true, the group can be seen, searched for, and subscribed to by end users. If the value is false, the group can be seen and searched for but cannot be subscribed to by end users.
Filtered groups cannot be subscribed to; this attribute is ignored if found on a filtered group.
iplanet-am-group-subscribable: true
2.16.840.1.113730.3.1.1085
Access Manager
dn, multi-valued
This attribute lists the role-dn of the administrator who has access rights to modify this user entry. By default, the value is set to the role-dn of the administrator who created the account.
For native mode (with domain nodes on the organization tree):
iplanet-am-modifiable-by: cn=Top-level Admin Role, o=sesta.com
For compatibility mode (with domain nodes on the DC Tree):
iplanet-am-modifiable-by: cn=Top-level Admin Role, dc=sesta, dc=com
2.16.840.1.113730.3.1.1094
Access Manager
string, multi-valued
Description of the ACI that belongs to this role.
No example given.
2.16.840.1.113730.3.1.1081
Access Manager
string, multi-valued
The set of ACIs associated with this role. The format is a DN:ACI pair, where the DN of the entry is specified together with its ACI. When deleting a role, this attribute allows the ACIs associated with the role to be located and cleaned up properly.
For native mode (with domain nodes on the organization tree):
iplanet-am-role-aci-list: o=sesta.com, o=basedn:aci: (target="ldap:///o=sesta.com,o=basedn") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,o=sesta.com,o=basedn) (nsroledn=cn=Top-level Help Desk Admin Role,o=sesta.com,o=basedn)))) (targetattr != "nsroledn") (version 3.0; acl "Organization Admin access allow"; allow (all) roledn = "ldap:///cn=myrole,o=sesta.com,o=basedn";)
For compatibility mode (with domain nodes on a DC Tree):
iplanet-am-role-aci-list: dc=sesta,dc=com:aci: (target="ldap:///dc=sesta,dc=com") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=sesta,dc=com) (nsroledn=cn=Top-level Help Desk Admin Role,dc=sesta,dc=com)))) (targetattr != "nsroledn") (version 3.0; acl "Organization Admin access allow"; allow (all) roledn = "ldap:///cn=myrole,dc=sesta,dc=com";)
2.16.840.1.113730.3.1.1082
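The cleanup the description refers to needs the DN and the ACI text separated again. The following is an added example, not code from the schema reference or from Access Manager, that splits iplanet-am-role-aci-list values and emits the LDIF modify records that would remove those ACIs from their entries when the role is deleted. It assumes, based on the native-mode example above, that the DN is followed by the literal `:aci:` and then the ACI text; the sample value is the page's own native-mode example.

```python
# Added example (not from the schema reference): parse iplanet-am-role-aci-list
# values into (dn, aci) pairs and build LDIF "delete: aci" change records.

# The native-mode value shown on the page (split across lines for readability).
NATIVE_ROLE_ACI = (
    'o=sesta.com, o=basedn:aci: (target="ldap:///o=sesta.com,o=basedn") '
    '(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,o=sesta.com,o=basedn) '
    '(nsroledn=cn=Top-level Help Desk Admin Role,o=sesta.com,o=basedn)))) '
    '(targetattr != "nsroledn") (version 3.0; acl "Organization Admin access allow"; '
    'allow (all) roledn = "ldap:///cn=myrole,o=sesta.com,o=basedn";)'
)

SEPARATOR = ":aci:"  # assumption: DN, then ":aci:", then the ACI text


def split_role_aci_value(value):
    """Split one DN:ACI value into (dn, aci); raises ValueError if malformed."""
    idx = value.find(SEPARATOR)
    if idx < 0:
        raise ValueError("value is not a DN:ACI pair: %r" % value)
    dn = value[:idx].strip()
    aci = value[idx + len(SEPARATOR):].strip()
    if not dn or not aci:
        raise ValueError("empty DN or ACI in: %r" % value)
    return dn, aci


def group_acis_by_dn(values):
    """Collect all ACIs recorded for the role, keyed by the entry they live on."""
    by_dn = {}
    for value in values:
        dn, aci = split_role_aci_value(value)
        by_dn.setdefault(dn, []).append(aci)
    return by_dn


def cleanup_ldif(values):
    """Build one LDIF modify record per target entry deleting exactly those ACI values.

    ACI values begin with '(' so they need no base64 encoding in LDIF; long lines
    are left unfolded for readability.
    """
    lines = []
    for dn, acis in group_acis_by_dn(values).items():
        lines.append("dn: " + dn)
        lines.append("changetype: modify")
        lines.append("delete: aci")
        for aci in acis:
            lines.append("aci: " + aci)
        lines.append("-")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(cleanup_ldif([NATIVE_ROLE_ACI]))
```

Deleting by value rather than replacing the whole `aci` attribute matters: the target entry may carry ACIs that belong to other roles, and those must survive the cleanup.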
Access Manager
string, multi-valued
Not currently used.
No example given.
2.16.840.1.113730.3.1.1084
Access Manager
cis, multi-valued
An optional description of the role being defined.
iplanet-am-role-description: Top Level Admin Role
2.16.840.1.113730.3.1.1080
Access Manager
dn, multi-valued
Defines the container this role resides in.
For example, if the role being defined administers the domain organization east:
iplanet-am-role-managed-container-dn: ou=east,o=sesta.com,o=basedn
2.16.840.1.113730.3.1.977
Access Manager
string, multi-valued
Not currently used.
No example given.
2.16.840.1.113730.3.1.1083
Access Manager
string, multi-valued
Defines the type of role. There are three values, as shown in the following table:
| Role Value | Role Name |
|---|---|
| 1 | Top Level Administration Role |
| 2 | General Administration Role |
| 3 | User Role |

Even though this attribute is defined as a multi-valued string, Messaging Server treats it as if it were a single-valued integer.
iplanet-am-role-type: 1
2.16.840.1.113730.3.1.1079
This attribute is aliased to sunRegisteredServiceName. Use that attribute instead.
Access Manager
dn, multi-valued
Defines the DNs for the static groups this user belongs to.
For native mode (with domain nodes on the organization tree):
iplanet-am-static-group-dn: cn=mygroup, ou=groups, o=sesta.com
For compatibility mode (with domain nodes on the DC Tree):
iplanet-am-static-group-dn: cn=mygroup, ou=groups, dc=sesta, dc=com
2.16.840.1.113730.3.1.1094
Access Manager
date string, single-valued
Specifies the account expiration date in the following format:
yyyy/mm/dd hh:mm:ss
where yyyy is the full year (for example, 2005), the first mm is the month, dd is the day, hh is the hour of the time stamp, the final mm is the minutes, and ss is the seconds.
If this attribute is present, the authentication service will disallow login if the current date has passed the specified account expiration date.
iplanet-am-user-account-life: 2040/12/31 23:59:59
2.16.840.1.113730.3.1.976
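The following is an added example, not code from the schema reference or from Access Manager, that parses iplanet-am-user-account-life in the documented yyyy/mm/dd hh:mm:ss format and applies the rule above: login is refused once the current time has passed the expiration date, and an absent attribute imposes no expiration. Entries are constructed dictionaries of attribute name to list of values; treating an unparsable date as expired is an assumption of this example, not something the page states.

```python
# Added example (not from the schema reference): account-expiration check
# based on iplanet-am-user-account-life.
from datetime import datetime

ACCOUNT_LIFE_FORMAT = "%Y/%m/%d %H:%M:%S"  # yyyy/mm/dd hh:mm:ss as documented


def parse_account_life(value):
    """Parse one attribute value; raises ValueError on a malformed date."""
    return datetime.strptime(value.strip(), ACCOUNT_LIFE_FORMAT)


def login_allowed(entry, now=None):
    """Return True if the account-expiration rule permits login for this entry."""
    now = now or datetime.now()
    values = entry.get("iplanet-am-user-account-life", [])
    if not values:
        return True  # attribute absent: no expiration is enforced
    try:
        expires = parse_account_life(values[0])
    except ValueError:
        return False  # unparsable date: fail closed (assumption, not from the page)
    return now <= expires  # refused only once the expiration date has passed


if __name__ == "__main__":
    # Constructed sample entry using the page's example value.
    user = {"uid": ["jdoe"], "iplanet-am-user-account-life": ["2040/12/31 23:59:59"]}
    print(login_allowed(user))
```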
Access Manager
dn, single-valued
Specifies the starting point node (DN) displayed in the starting view of the IS Console when this administrator logs in.
iplanet-am-user-admin-start-dn: ou=people,o=sesta.com,o=basedn
2.16.840.1.113730.3.1.1072
Access Manager
string, single-valued
Defines a list of aliases for the user.
User jdoe could have an alias of jd, johnd, or jd123456.
iplanet-am-user-alias-list: jd
iplanet-am-user-alias-list: johnd
iplanet-am-user-alias-list: jd123456
1.3.6.1.4.1.42.2.27.9.1.59
Access Manager
string, single-valued
Specifies the user authentication configuration method in an XML string. There is no default value.
<AttributeValuePair><Value>com.sun.identity.authentication.modules.ldap.LDAP REQUIRED</Value></AttributeValuePair>
1.3.6.1.4.1.42.2.27.9.1.58
Access Manager
string, multi-valued
Not currently used.
No example given.
2.16.840.1.113730.3.1.1071
Access Manager
string, single-valued
Defines the URL the user is redirected to if login fails. Any valid URL can be used.
No example given.
1.3.6.1.4.1.42.2.27.9.1.71
Access Manager
string, single-valued
For Access Manager internal use only. Do not use.
Specifies the user account’s Federation specific information. This is managed internally by Access Manager’s Federation Management module to store user account’s Federation related information, and should not be modified outside of that module.
No example given.
1.3.6.1.4.1.42.2.27.9.1.74
Access Manager
string, single-valued
For Access Manager internal use only. Do not use.
Specifies the user account’s Federation information key. This is managed internally by Access Manager’s Federation Management module to store the user account’s Federation information key, and should not be modified outside of that module.
No example given.
1.3.6.1.4.1.42.2.27.9.1.73
Access Manager
string, single-valued
Specifies the user status. It takes two values:
Active - The user is allowed to authenticate through the Access Manager.
Inactive - The user is not allowed to authenticate through the Access Manager.
No example given.
2.16.840.1.113730.3.1.1074
Access Manager
boolean, single-valued
Not currently used.
Specifies whether password will be forced to be reset. Values: true, false. Defaults to false.
No example given.
1.3.6.1.4.1.42.2.27.9.1.591
Access Manager
string, single-valued
Used internally by Access Manager’s password reset module. Do not use. Any values assigned to this attribute will be ignored.
No example given.
1.3.6.1.4.1.42.2.27.9.1.589
Access Manager
string, single-valued
Not used.
No example given.
1.3.6.1.4.1.42.2.27.9.1.592
Access Manager
string, single-valued
Password question and answer used to prompt a user who has forgotten their password. The format is: question answer.
iplanet-am-user-password-reset-question-answer: favorite restaurant Outback
1.3.6.1.4.1.42.2.27.9.1.590
Access Manager
dn, single-valued
Specifies the status of the user for various services.
No example given.
2.16.840.1.113730.3.1.1073
Access Manager
dn, single-valued
Defines the URL the user is redirected to if login succeeds. Any valid URL can be used.
No example given.
1.3.6.1.4.1.42.2.27.9.1.71
Directory Server
cis, single-valued
Used by Access Manager to store user preference for locale. The values accepted by this attribute are described in the Sun Java System Access Manager Administration Guide, chapter 18. Some additional information on locales is located in the Sun Java System Directory Server Reference Manual.
preferredLocale:en-US
2.16.840.1.113730.3.1.39
Directory Server
cis, single-valued
Used by Access Manager to store user preference for time zone. Supported time zone names can be found in the appendix under Standard Time Zones.
preferredTimeZone: America/Los Angeles
Unassigned
Messaging Server 6.0, Calendar Server 6.0
cis, multi-valued
inetDomain, sunManagedOrganization
Specifies relative DN (RDN) sequences, that is, DNs that are relative to the organization entry. Values identify entries in the configuration templates part of the ou=services tree below this organization. These are additional templates beyond those specified in the global configuration templates, used to specify operations private to an organization.
This attribute must appear in the top entry for this organization.
No example given.
1.3.6.1.4.1.42.2.27.9.1.76
Messaging Server 6.0, Calendar Server 6.0
cis, multi-valued
Each value is a “key=value” pair, where the key is the name of the XML element. The following table lists the keys for search templates.
Table 4–2 Search Template Keys

| Key | Description |
|---|---|
| attrs | Attribute to retrieve from the LDAP entry. |
| rfc2247Flag | Boolean (true, false) that tells applications to use the RFC 2247 algorithm for constructing the DN of the LDAP entry, instead of performing an LDAP search using the filter specified in the inetDomainSearchFilter attribute. |
| baseDN | If rfc2247Flag is set to true, and if this key is present, then it must be appended to the algorithmically constructed DN in order to get the DN of the target entry. |
For more information on templates and the native and compatibility mode LDAP data models, see Chapter 1, Overview.
The following sunKeyValue attributes appear in the default search template for the native mode LDAP data model:
sunKeyValue: attrs=objectclass
sunKeyValue: attrs=ou
sunKeyValue: attrs=inetDomainStatus
The following sunKeyValue attributes appear in the default search template for compatibility mode (uses the RFC 2247 algorithm for constructing the search DN):
sunKeyValue: attrs=objectclass
sunKeyValue: attrs=ou
sunKeyValue: attrs=inetDomainStatus
sunKeyValue: rfc2247=true
sunKeyValue: baseDN=o=internet
1.3.6.1.4.1.42.2.27.9.1.83
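The following is an added example, not code from the schema reference or from the Sun servers, that parses the sunKeyValue pairs of a search template and applies the rfc2247Flag and baseDN keys from the table above to decide how an organization entry is located for a domain name. The template values are the ones shown on the page; the domain names and the search filter are constructed. Two assumptions: both key spellings found on the page (rfc2247Flag in the table, rfc2247 in the example) are accepted, and the inetDomainSearchFilter value is passed in by the caller, since the page does not describe its substitution syntax.

```python
# Added example (not from the schema reference): resolve a search template's
# sunKeyValue pairs into either an RFC 2247 constructed DN or an LDAP search.


def parse_search_template(values):
    """Turn sunKeyValue values into a dict; 'attrs' repeats, so it becomes a list."""
    template = {"attrs": []}
    for raw in values:
        key, sep, val = raw.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError("not a key=value pair: %r" % raw)
        key, val = key.strip(), val.strip()
        if key == "attrs":
            template["attrs"].append(val)
        else:
            template[key] = val  # e.g. baseDN=o=internet keeps its inner '='
    return template


def rfc2247_dn(domain):
    """Map a DNS name to its dc= DN per RFC 2247 (sesta.com -> dc=sesta,dc=com)."""
    labels = [l for l in domain.strip().rstrip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def use_rfc2247(template):
    """Read the flag; both spellings seen on the page are accepted (assumption)."""
    flag = template.get("rfc2247Flag", template.get("rfc2247", "false"))
    return flag.lower() == "true"


def locate_organization(template, domain, search_filter):
    """Describe the lookup an application should perform for `domain`.

    With the flag set, the DN is constructed (baseDN appended when present) and
    read directly; otherwise a search with the caller-supplied filter is used.
    """
    attrs = list(template["attrs"])
    if use_rfc2247(template):
        dn = rfc2247_dn(domain)
        base = template.get("baseDN")
        if base:
            dn = dn + "," + base
        return {"op": "read", "dn": dn, "attrs": attrs}
    return {"op": "search", "filter": search_filter, "attrs": attrs}


# Template values as they appear on the page (one sunKeyValue value each).
NATIVE_TEMPLATE = ["attrs=objectclass", "attrs=ou", "attrs=inetDomainStatus"]
COMPAT_TEMPLATE = NATIVE_TEMPLATE + ["rfc2247=true", "baseDN=o=internet"]

if __name__ == "__main__":
    compat = parse_search_template(COMPAT_TEMPLATE)
    print(locate_organization(compat, "sesta.com", "(associatedDomain=sesta.com)"))
```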
Messaging Server 6.0, Calendar Server 6.0
cis, multi-valued
Stores the name of an attribute required to be unique across all entries in the subtree.
This attribute allows namespace uniqueness to be enforced. For further explanation of namespaces, see the Sun Java Enterprise System Installation Guide and the object class description for sunNameSpace.
sunNameSpaceUniqueAttrs: uid
sunNameSpaceUniqueAttrs: c
1.3.6.1.4.1.42.2.27.9.1.85
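Enforcing the uniqueness this attribute declares is the provisioner's job before an entry is written. The following is an added example, not code from the schema reference, that checks a set of entries against the attributes named in sunNameSpaceUniqueAttrs (uid and c, as on the page). The entries are constructed dictionaries of attribute name to list of values; comparing values case-insensitively is an assumption of this example.

```python
# Added example (not from the schema reference): report values that are not
# unique across a namespace for the attributes named in sunNameSpaceUniqueAttrs.


def find_uniqueness_violations(unique_attrs, entries):
    """Return {attr: {value: [dn, ...]}} for every value held by two or more entries.

    Values are compared case-insensitively (assumption); entries lacking an
    attribute are simply skipped for it.
    """
    seen = {attr: {} for attr in unique_attrs}
    for entry in entries:
        for attr in unique_attrs:
            for value in entry.get(attr, []):
                seen[attr].setdefault(value.strip().lower(), []).append(entry["dn"])
    return {attr: {v: dns for v, dns in by_value.items() if len(dns) > 1}
            for attr, by_value in seen.items()}


# Constructed sample namespace: the attribute values shown on the page,
# and two user entries that collide on uid.
UNIQUE_ATTRS = ["uid", "c"]
SAMPLE_ENTRIES = [
    {"dn": "uid=jdoe,ou=people,o=sesta.com", "uid": ["jdoe"], "c": ["US"]},
    {"dn": "uid=JDoe,ou=people,o=eng.sesta.com", "uid": ["JDoe"], "c": ["CA"]},
    {"dn": "uid=asmith,ou=people,o=sesta.com", "uid": ["asmith"]},
]

if __name__ == "__main__":
    print(find_uniqueness_violations(UNIQUE_ATTRS, SAMPLE_ENTRIES))
```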
Access Manager
cis, single-valued
Access Manager uses this attribute for authentication. It holds the fully qualified host name for the server the user is logging into.
The format is: server.domain.
sunOrganizationAlias: seaside.siroe.com
Unassigned
Messaging Server 6.0, Calendar Server 6.0
cis, multi-valued
inetDomain,sunManagedOrganization
Specifies relative DN (RDN) sequences, that is, DNs that are relative to the organization entry. Values identify entries in the configuration templates part of the ou=services tree below this organization. These templates override global configuration templates for searches and other operations within this organization.
This attribute must appear in the top entry for this organization.
No example given.
1.3.6.1.4.1.42.2.27.9.1.77
Messaging Server 6.0, Calendar Server 6.0
cis, single-valued
iplanet-am-managed-org-unit, sunManagedOrganization
Specifies the DNS domain name used to look up an organization entry when a unique matching organization is required.
When a value is available, provisioners should set it so that applications can look up organizations by domain name.
The domain name value of this attribute must be unique across all organizations in the directory, including the domains named in associatedDomain.
This attribute is for use with Schema 2 native mode LDAP directories only; it must not be used in DC Tree nodes.
sunPreferredDomain:sesta.com
2.16.840.1.113730.3.1.1086
Messaging Server 6.0, Calendar Server 6.0
cis, single-valued
iplanet-am-managed-org-unit, sunManagedOrganization
Specifies the DNS name used to look up an organization entry when a unique matching organization is required.
When a value is available, provisioners should set it so that applications can look up organizations by the organization’s name.
This attribute is for use with Schema 2 native mode LDAP directories only; it must not be used in DC Tree nodes.
sunPreferredOrganization:sesta.com
1.3.6.1.4.1.42.2.27.9.1.75
Access Manager
string, multi-valued
iplanet-am-managed-org-unit, sunManagedOrganization
Defines the set of names of the registered services. The following services are defined for Messaging Server and Calendar Server:
| Service Name | Description |
|---|---|
| DomainMailService | Mail service definition for domains. |
| DomainCalendarService | Calendar service definition for domains. |
| UserMailService | Mail service definition for users. |
| UserCalendarService | Calendar service definition for users. |
| GroupMailService | Mail service definition for groups. |
For informational purposes: The following services are used by Access Manager for authentication with SSO (Single Sign-On). These services must be registered to the root suffix node. This step is done by Access Manager as part of its installation process. The services are:
iPlanetAMAuthService
iPlanetAMAuthLDAPService
iPlanetAMPolicyConfigService
iPlanetAMAuthenticationDomainConfigService
iPlanetAMProviderConfigService
Anyone can create a new service and load it into Access Manager. For information on how to do this, see the Access Manager documentation at:
http://docs.sun.com/
sunRegisteredServiceName: DomainMailService
1.3.6.1.4.1.42.2.27.9.1.593
Messaging Server 6.0, Calendar Server 6.0
cis, single-valued
The kind of template being created. For search templates, the value is StructureUmsObjects. (At this time search templates are the only publicly defined template.)
sunServiceId:StructureUmsObjects
1.3.6.1.4.1.42.2.27.9.1.79
Access Manager
cis, single-valued
Stores the priority of the service with respect to its siblings.
sunSmsPriority:
1.3.6.1.4.1.42.2.27.9.1.81
Access Manager
cis, single-valued
Not currently used.
No example given.
1.3.6.1.4.1.42.2.27.9.1.84