Chapter 8 Configuring the Directory Schema

This chapter explains how to obtain the current schema from the directory server, and how to modify it to add object class or attribute definitions.

It also contains a list of all the object classes and attributes that belong to the default schema for Sun Directory Services 3.1 with a description of their purpose and meaning.

Schema Definition

The schema is the set of rules that describe the data that can be stored in the directory. It defines the type of entries, their structure and their syntax. The schema can be modified and extended, though certain objects and attributes cannot be changed.

The schema definition is stored in two files in the configuration directory /etc/opt/SUNWconn/ldap/current:

• dsserv.oc.conf defines the object classes. These specify the types of entries permitted, their superior object class, and their mandatory and optional attributes.

• dsserv.at.conf contains attribute definition information:

  • An oid representing the attribute

  • The attribute syntax, specified using a keyword

  • Alternate names for some attributes

  • The keyword naming for attributes that are naming attributes

  • The keyword single for single-valued attributes

For the exact format of an LDAP attribute definition, refer to the dsserv.at.conf(4) man page.

Displaying the Current Schema

There are two ways of displaying the current schema:

• From the command line, using the ldapsearch command

• In the Admin Console

Displaying the Schema with ldapsearch

Use the ldapsearch command with the following arguments to read the current schema through the directory server:

/opt/SUNWconn/bin/ldapsearch -h hostname -b "cn=schema" -s base 'objectclass=*'

where hostname is the name of the directory server.

Table 8-1 shows an extract of the type of information returned.

objectclasses=( 2.5.6.0 NAME 'top' DESC 'Standard ObjectClass'
MUST ( objectclass ) )
objectclasses=( 2.5.6.1 NAME 'alias' DESC 'Standard ObjectClass'
SUP 'top'  MUST ( objectclass $ aliasedobjectname )  MAY ( * )  )
objectclasses=( 2.5.6.2 NAME 'country' DESC 'Standard ObjectClass'
SUP 'top'  MUST ( objectclass $ c )  MAY ( description $ searchguide
)  )
objectclasses=( 2.5.6.3 NAME 'locality' DESC 'Standard
ObjectClass' SUP 'top'  MUST ( objectclass )  MAY ( description $
l $ searchguide $ seealso $ st $ street )  )
objectclasses=( 2.5.6.4 NAME 'organization' DESC 'Standard
ObjectClass' SUP 'top'  MUST ( objectclass $ o )  MAY (
businesscategory $ description $ destinationindicator $
facsimiletelephonenumber $ internationalisdnnumber $ l $
physicaldeliveryofficename $ postofficebox $ postaladdress $
postalcode $ preferreddeliverymethod $ registeredaddress $
searchguide $ seealso $ st $ street $ telephonenumber $
teletexterminalidentifier $ telexnumber $ userpassword $
x121address )  )
objectclasses=( 2.5.6.5 NAME 'organizationalUnit' DESC 'Standard
ObjectClass' SUP 'top'  MUST ( objectclass $ ou )  MAY (
businesscategory $ description $ destinationindicator $
facsimiletelephonenumber $ internationalisdnnumber $ l $
physicaldeliveryofficename $ postofficebox $ postaladdress $
postalcode $ preferreddeliverymethod $ registeredaddress $
searchguide $ seealso $ st $ street $ telephonenumber $
teletexterminalidentifier $ telexnumber $ userpassword $
x121address )  )
objectclasses=( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass'
SUP 'top'  MUST ( objectclass $ sn $ cn )  MAY ( description $
seealso $ telephonenumber $ userpassword )  )

When you use the ldapsearch command to display the schema, the keywords are shown in capitals. They introduce the following:

• NAME introduces the name of the object class.

• DESC introduces a description of the object class.

• SUP introduces the name of the superior object class.

• MUST introduces the list of mandatory attributes for an object class. In dsserv.oc.conf mandatory attributes are identified by the keyword requires.

• MAY introduces the list of optional attributes for an object class. In dsserv.oc.conf mandatory attributes are identified by the keyword allows.

Displaying the Schema in the Admin Console

1. In the Admin Console, go to the Schema section.

   This section displays a list of object classes in hierarchical order, or in alphabetical order. Use the buttons below the pane to change the display mode.

   Click the folder icon for an object class to display its mandatory (M) and optional (O) attributes. With the hierarchical display, clicking on the folder icon of an object class will display any subclasses of that object class.

2. To display a list of attributes, click the Attributes list button.

   An attribute list window is displayed. It contains a five-column table that shows:

   • The name of the attribute

   • Alias names for this attribute (separated by commas)

   • The attribute syntax, identified by a keyword (see "Attribute Reference")

   • A unique OID for the attribute

   • Whether the attribute is a naming attribute (that is, an attribute that can be used in the distinguished name of an entry), and whether it is single-valued

Modifying the Schema

You can modify the schema in the following ways:

• By creating new object classes or attributes

• By modifying object classes and attributes

It is safer to always create a new object class rather than modify an existing one. If you want to extend an existing object class, you can create an object class that inherits from the object class that you want to extend.

Deleting object classes or attributes is not advisable since there might be directory entries that use the existing definitions.

There is no automatic check that schema modifications do not invalidate entries. Therefore, to minimize the risk of entries becoming invalid, restrict your changes to the addition of object classes or attributes. You can, however, enable schema checking. For this, refer to "Schema Checking".

The schema definition contains object classes that are used internally by the Sun Directory Services directory server or by the Sun Internet Mail Server (SIMS). The Admin Console does not permit you to modify these object classes. They are marked with the keyword frozen in the configuration files. You must not remove this keyword from any standard schema item.

If you use the web gateway to allow users to browse the directory, all modification made to the schema must also be made to the dswebtmpl.conf file. See the dswebtmpl.conf(4) man page for details.

Schema Checking

Sun Directory Services provides a schema checking feature. When directory information is added or modified, the directory server checks that all mandatory attributes of the object class or inherited by the object class are present.

The schema checking options are:

• Off: no checking is performed

• Weak: a check is performed when entries are created or modified

• Strong: in addition to the previous level, a check is performed on search operations

Select the appropriate level of checking from the Schema check menu button in the Schema section of the Admin Console. The default level of checking is weak.

Schema checking cannot be performed on the compatibility of object classes. For example, you could create an entry with the device object class and the person object class. The IETF standards do not enforce rules on object classes.

To Create a New Object Class

1. From the Admin Console main window, choose Class/Attribute from the Create menu.

   The Create Object Class window is displayed.

2. Specify:

   • The name of the new object class

   • The object identifier for the object class (optional)

   • The superior object class, from which this object class will inherit attributes

3. Specify the mandatory and optional attributes you want to include in this class:

   1. Select or create the attributes you want to include in the object class.

   2. Select the mode of the attributes (Mandatory or Optional) from the pop-up menu.

   3. Click Add to add the attributes to the object class definition.

4. Click OK to save the modified object class definition.

   This change will take effect when you restart the dsservd daemon. Figure 8-1 shows a new object class plumber, with the atttributes you would need to contact a plumber.

   Figure 8-1 Create Object Class Window

   
   

To Create a New Attribute

1. From the Admin Console main window, choose Class/Attribute from the Create menu.

   The Create Object Class window is displayed.

2. In the Create Object Class window, choose Attribute from the Create menu.

   The Add Attribute window is displayed.

3. Specify:

   • The name of the attribute

   • The unique OID for this attribute (optional)

   • Any alternate names in the Aliases field (optional)

   • Whether the attribute is multi-valued

   • Whether the attribute can be used as a naming attribute

4. Click OK to save the new attribute definition.

   This change will take effect when you restart the dsservd daemon. Figure 8-2 shows a new attribute hourlyRate has been created to be added to the plumber object class.

   Figure 8-2 Create Attribute Window

   
   

To Add an Attribute to an Object Class

1. In the object class list, highlight the object class to which you want to add an attribute, and choose Modify Class/Attribute from the Selected menu.

   The Modify Object Class window is displayed. The name of the object class you are modifying is displayed in the General section of this window. The mandatory and optional attributes for that object class are listed in the Object class attributes section.

2. In the Defined Attributes list, highlight the attribute that you want to add.

3. Select the mode of the attribute (Mandatory or Optional) from the pop-up menu.

4. Click Add to add the attribute to the object class definition.

5. Click OK to save the modified object class definition.

   This change will take effect when you restart the dsservd daemon.

   To change the mode of an attribute that is already included in the object class definition, select the attribute in the Class attributes list and change the mode using the Mode pop-up menu.

Object Class Reference

This section contains an alphabetical list of the object classes accepted by the default schema, except for pilot project object classes described in RFC 1274 The COSINE and Internet X.500 Schema. It explains the purpose of each object class, and gives the list of mandatory and optional attributes specific to the particular object class. An object class also inherits the mandatory and optional attributes from its superior object class. Inherited attributes are not listed.

The keyword frozen after the object class name indicates that this object class is used by a component of Sun Internet Mail Server, or by a component of Sun Directory Services. You cannot change a frozen object class definition using the Admin Console. If you change the definition of such an object class, ensure that your changes do not prevent the Sun Internet Mail Server and the Sun Directory Services components from using objects of this class.

account

• Description: Used to define entries representing a user account.

• Superior object class: top

• Mandatory attribute: uid

• Optional attributes: description, host, l, o, ou, seeAlso

alias (frozen)

• Description: An alternative name for an object located under the same data store suffix.

• Superior object class: top

• Mandatory attribute: aliasedObjectName

It is preferable to avoid using the alias object class and use instead the aliasObject subclass. This is because the alias object class only allows the full DN of the aliased object as its naming attribute, and not just the RDN.

aliasObject

• Description: An alternative name for an object located under the same data store suffix.

• Superior object class: alias

• Optional attributes: * (allows any attribute)

The attributes in the aliasObject entry must include the naming attribute of the entry. The naming attribute should be the same as for the aliased object.

applicationEntity

• Description: Used to define an entry representing an application entity.

• Superior object class: top

• Mandatory attributes: cn, presentationAddress

• Optional attributes: description, l, o, ou, seeAlso, supportedApplicationContext

applicationProcess

• Description: Used to define an entry representing an application process.

• Superior object class: top

• Mandatory attribute: cn

• Optional attributes: description, l, ou, seeAlso

automount

• Description: Used to define an entry representing an NIS automount record.

• Superior object class: top

• Mandatory attributes: cn, automountInformation

• Optional attribute: description

bootableDevice (auxiliary object class)

• Description: Used to define an entry representing any device that requires boot parameters. Used to import information from the /etc/bootparams file. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: device

• Optional attribute: bootFile, bootParameter

certificationAuthority (auxiliary object class)

• Description: Used to define entries representing objects that act as certification authorities. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: top

• Mandatory attributes: authorityRevocationList, cACertificate, certificateRevocationList

• Optional attribute: crossCertificatePair

certificationAuthority-V2 (auxiliary object class)

• Description: Used to define entries representing objects that act as certification authorities for version 2. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: certificationAuthority

• Optional attribute: crossCertificatePair

country

• Description: Identifies country entries in the directory.

• Superior object class: top

• Mandatory attribute: c

• Optional attributes: description, searchGuide

cRLDistributionPoint

• Description: Used to define an entry that provides a service for certification authority revocation lists.

• Superior object class: top

• Mandatory attribute: cn

• Optional attributes: authorityRevocationList, certificateRevocationList, deltaRevocationList

device

• Description: Used to define an entry representing a device (for example a modem or CD-ROM drive).

• Superior object class: top

• Mandatory attribute: cn

• Optional attributes: description, l, o, ou, owner, seeAlso, serialNumber

dcObject (auxiliary object class)

• Description: Used to define an entry representing a domain component, that is a component in the dot-separated sequence that forms a domain name. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: top

• Mandatory attribute: dc

dmd

• Description: Used to define an entry that represents a directory management domain (DMD), that is the authority responsible for a particular directory server.

• Superior object class: top

• Mandatory attribute: dmdName

• Optional attributes: businessCategory, description, destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, searchGuide, seeAlso, st, street, telephoneNumber, userPassword, x121Address

dNSDomain

• Description: Used to define entries representing a DNS domain.

• Superior object class: domain

• Optional attribute: dNSRecord

document

• Description: Used to define an entry representing a document.

• Superior object class: pilotObject

• Mandatory attribute: documentIdentifier

• Optional attributes: abstract, cn, description, documentAuthor, documentAuthorCommonName, documentAuthorSurname, documentLocation, documentPublisher, documentStore, documentTitle, documentVersion, keywords, l, o, obsoletedByDocument, obsoletesDocument, ou, seeAlso, subject, updatedByDocument, updatesDocument

documentSeries

• Description: Used to define an entry representing a series of related documents.

• Superior object class: top

• Mandatory attributes: cn

• Optional attributes: description, l, o, ou, seeAlso, telephoneNumber

domain

• Description: Used to define an entry representing a domain.

• Superior object class: top

• Mandatory attribute: dc

• Optional attributes: associatedName, businessCategory, description, destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, o, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, searchGuide, seeAlso, st, street, telephoneNumber, teletexTerminalIdentifier, telexNumber, userPassword, x121Address

domainRelatedObject

• Description: Used to define an entry related to a domain.

• Superior object class: top

• Mandatory attribute: associatedDomain

dSA

• Description: Used to define an entry representing a directory system agent (DSA) or any directory server.

• Superior object class: applicationEntity

• Optional attribute: knowledgeInformation

emailGroup

• Description: Used to define an entry representing an electronic mail distribution list that uses aliases(4) format.

• Superior object class: top

• Mandatory attributes: cn

• Optional attributes: authorizedDomain, authorizedSubmitter, dataSource, expandable, mailDeliveryFile, mailDeliveryOption, mailProgramDeliveryInfo, mailHost, ownerDeliveryFile, ownerDeliveryOption, ownerProgramDeliveryInfo, requestsToDeliveryFile, requestsToDeliveryOption, requestsToProgramDeliveryInfo, rfc822AuthorizedSubmitter, rfc822MailMember, rfc822Owner, rfc822UnauthorizedSubmitter, unauthorizedDomain, unauthorizedSubmitter

emailPerson (frozen)

• Description: Used to define an entry for a person who uses electronic mail.

• Superior object class: inetOrgPerson

• Mandatory attributes: cn, objectClass

• Optional attributes: assistant, channelName, channelType, dataSource, generationQualifier, freeFormName, homeDirectory, homeFacsimileTelephoneNumber, mail, mailAutoReplyExpirationDate, mailAutoReplyMode, mailAutoReplySubject, mailAutoReplyText, mailAutoReplyTextInternal, mailDeliveryFile, mailDeliveryOption, mailFolderMap, mailForwardingAddress, mailHost, mailMessageStore, mailProgramDeliveryInfo, mailQuota, objectStatus, preferredRfc822Recipient, reportsTo, rfc822Mailbox, userDefinedAttribute1, userDefinedAttribute2, userDefinedAttribute3, userDefinedAttribute4

friendlyCountry

• Description: Used to allow friendlier naming of country entries than with the object class country. The naming attribute of object class country, countryName, has to be a 2 letter string defined in ISO 3166.

• Superior object class: country

• Mandatory attribute: co

gatewayCCMailUser (frozen)

• Description: Used to define an entry representing a user of Lotus CC:Mail.

• Superior object class: top

• Optional attributes: cCMailAddresses, preferredCCMailOriginator, preferredCCMailRecipient

gatewayChannel (frozen)

• Description: Used to define an entry representing a legacy mail gateway channel.

• Superior object class: top

• Mandatory attributes: channelName

• Optional attributes: ackedSequenceNumber, channelType, currentSequenceNumber, maxLastModifiedTime, objectStatus, seeAlso, userPassword

gatewayDocConvPreference (frozen)

• Description: Used to store preferences for document conversion for a gateway user.

• Superior object class: top

• Optional attribute: docConvPreference

gatewayLotusNotesUser (frozen)

• Description: Used to define an entry representing a user of Lotus Notes.

• Superior object class: top

• Optional attributes: lotusNotesAddresses, preferredLotusNotesOriginator, preferredLotusNotesRecipient

gatewayMail11User (frozen)

• Description: Used to define an entry representing a user of Mail-11 (DEC).

• Superior object class: top

• Optional attributes: mail11Addresses, preferredMail11Originator, preferredMail11Recipient

gatewayMrUser (frozen)

• Description: Used to define an entry representing a user of the legacy Mail Relay (MR) mail system.

• Superior object class: top

• Optional attributes: mrAddresses, preferredMrOriginator, preferredMrRecipient

gatewayMSMailUser (frozen)

• Description: Used to define an entry representing a user of Microsoft Mail.

• Superior object class: top

• Optional attributes: mSMailAddresses, preferredMSMailOriginator, preferredMSMailRecipient

gatewayNGMUser (frozen)

• Description: Used to define an entry representing a user of the legacy Novell Groupwise Mail (NGM) mail system.

• Superior object class: top

• Optional attributes: nGMAddresses, preferredNGMOriginator, preferredNGMRecipient

gatewayNGM70User (frozen)

• Description: Used to define an entry representing a user of the legacy Novell Groupwise Mail 7.0 (NGM70) mail system.

• Superior object class: top

• Optional attributes: nGM70Addresses, preferredNGM70Originator, preferredNGM70Recipient

gatewayPROFSUser (frozen)

• Description: Used to define an entry representing a user of IBM PROFS.

• Superior object class: top

• Optional attributes: pROFSAddresses, preferredPROFSOriginator, preferredPROFSRecipient

groupOfNames

• Description: Used to define entries representing an unordered set of names of objects or other groups.

• Superior object class: top

• Mandatory attributes: cn, member

• Optional attributes: businessCategory, description, o, ou, owner, seeAlso

groupOfUniqueNames

• Description: Used to define entries representing an unordered set of names of objects or other groups. Each name in the set is unique in the directory.

• Superior object class: top

• Mandatory attributes: cn, uniqueMember

• Optional attributes: businessCategory, description, o, ou, owner, seeAlso

ieee802Device (auxiliary object class)

• Description: Used to define entries representing any device that has a MAC address. Used to import information from the /etc/ethers file. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: device

• Optional attributes: macAddress

inetOrgPerson

• Description: Used to define an entry for a person who uses the Internet and belongs to an organization.

• Superior object class: organizationalPerson

• Optional attributes: audio, businessCategory, carLicense, departmentNumber, employeeNumber, employeeType, givenName, homePhone, homePostalAddress, initials, jpegPhoto, labeledURI, mail, manager, mobile, pager, photo, preferredLanguage, roomNumber, secretary, uid, userCertificate, userSMIMECertificate, x500uniqueIdentifier

ipHost (auxiliary object class)

• Description: Used to describe a device that has an IP address. Used to import information from the /etc/hosts file. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: top

• Mandatory attributes: cn, ipHostNumber

• Optional attributes: description, bootFile, bootParameter, l, macAddress, manager, serialNumber

ipProtocol

• Description: Used to define an entry that describes an IP protocol. Used to import information from the /etc/protocols file.

• Superior object class: top

• Mandatory attributes: cn, ipProtocolNumber

• Optional attribute: description

ipNetwork

• Description: Used to define an entry that describes an IP network. Used to import information from the /etc/networks file.

• Superior object class: top

• Mandatory attributes: cn, ipNetworkNumber

• Optional attributes: description, ipNetmaskNumber, l, manager

ipService

• Description: Used to define an entry that represents an IP service.

• Superior object class: top

• Mandatory attributes: cn, ipServicePort, ipServiceProtocol

• Optional attribute: description

labeledURIObject (auxiliary object class)

• Description: Used to define an entry that describes a resource on the network that is identified by a URI. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: top

• Optional attribute: labeledURI

locality

• Description: Used to define entries that describe locality.

• Superior object class: top

• Optional attributes: description, locality, searchGuide, seeAlso, st, street

nas

• Description: Used to define a Network Access Server used in the context of RADIUS authentication.

• Superior object class: device

• Mandatory attributes: iphostnumber, sharedKey

• Optional attributes: dictionaryFile, acctattrFile

nisMailAlias

• Description: Used to define an entry that represents an NIS mail.aliases record. Used to import information from the /etc/mail/aliases file.

• Superior object class: top

• Mandatory attribute: cn

• Optional attribute: rfc822MailMember

nisMap

• Description: Used to define an entry that represents an NIS map.

• Superior object class: top

• Mandatory attribute: nisMapName

• Optional attribute: description

nisNetGroup

• Description: Used to define an entry that represents an NIS netgroup record. Used to import information from the /etc/netgroup file.

• Superior object class: top

• Mandatory attribute: cn

• Optional attributes: description, memberNisNetGroup, nisNetGroupTriple

nisNetId

• Description: Used to define an entry that represents an NIS netid.byname record.

• Superior object class: top

• Mandatory attribute: cn

• Optional attribute: nisNetIdGroup, nisNetIdHost, nisNetIdUser

nisObject

• Description: Used to define an entry in the directory that represents an entry in an NIS map. The NIS key is stored in the cn attribute.

• Superior object class: top

• Mandatory attribute: nisMapName

• Optional attributes: cn, description, nisMapEntry

nisSunObject

• Description: Used to define an entry in the directory that represents an entry in an NIS map. This object class is used in the generic NIS map definition in Sun Directory Services. The NIS key is stored in the sunNisKey attribute.

• Superior object class: top

• Mandatory attribute: nisMapName

• Optional attributes: cn, description, nisMapEntry, sunNisKey

oncRpc

• Description: Used to define an entry that represents an Open Network Computing (ONC) remote procedure call (RPC). Used to import information from the /etc/rpc file.

• Superior object class: top

• Mandatory attributes: cn, oncRpcNumber

• Optional attribute: description

organization

• Description: Used to define organization entries in the directory.

• Superior object class: top

• Mandatory attributes: o

• Optional attributes: businessCategory, description, destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, searchGuide, seeAlso, st, street, telephoneNumber, teletexTerminalIdentifier, telexNumber, userPassword, x121Address

organizationalPerson

• Description: Used to define entries representing people employed by, or in some way associated with, an organization.

• Superior object class: person

• Optional attributes: destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, ou, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, st, street, telephoneNumber, teletexTerminalIdentifier, telexNumber, title, x121Address

organizationalRole

• Description: Used to define entries representing a role or position within an organization. An organizationalRole is usually filled by an organizationalPerson, but it can also be filled by a non-human entity.

• Superior object class: top

• Mandatory attribute: cn

• Optional attributes: description, destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, ou, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, roleOccupant, seeAlso, st, street, telephoneNumber, teletexTerminalIdentifier, telexNumber, x121Address

organizationalUnit

• Description: Used to define entries representing subdivisions of an organization.

• Superior object class: top

• Mandatory attributes: ou

• Optional attributes: businessCategory, description, destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, registeredAddress, searchGuide, seeAlso, st, street, telephoneNumber, teletexTerminalIdentifier, telexNumber, userPassword, x121Address

person

• Description: Used to define entries representing people.

• Superior object class: top

• Mandatory attributes: cn, sn

• Optional attributes: description, seeAlso, telephoneNumber, userPassword

posixAccount (auxiliary object class)

• Description: Used to represent an account defined by POSIX attributes. Used to import information from the /etc/passwd file. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: top

• Mandatory attributes: cn, uid, uidNumber, gidNumber, homeDirectory

• Optional attributes: description, gecos, loginShell, userPassword

posixGroup

• Description: Used to define an entry that represents a group of POSIX accounts. Used to import information from the /etc/group file.

• Superior object class: top

• Mandatory attributes: cn, gidNumber

• Optional attributes: description, memberUid, userPassword

referral (frozen)

• Description: Used to define an entry that points to another data store.

• Superior object class: top

• Optional attributes: ref, * (allows any attribute, in particular the same naming attribute as in the RDN of the referenced object)

remoteUser (frozen)

• Description: In the context of RADIUS authentication, used to define remote users who access the network through a Network Access Server (NAS).

• Superior object class: top

• Mandatory attribute: uid

• Optional attributes: acctAuthentic, acctDelayTime, acctInputOctet, acctOutputOctet, acctSessionId, acctSessionTime, acctStatusType, acctTerminateCause, authCalleddStationId, authCallingStationId, authFilterId, authHostPortNumber, authHostPortType, authLoginService, authPortLimit, authPrefixName, authReplyMessage, authServiceProtocol, authType, authStartMenuId, authSuffixName, authState, authStopMenuId, authTerminationAction, chapPassword, expirationDate, framedCompression, framedIPAddress, framedMTU, framedRoute, framedRouting, framedProtocol, grpCheckInfo, grpReplyInfo, idleTimeoutNumber, ipHostNumber, ipLoginHost, ipLoginPort, ipNetmaskNumber, ipxNetworkNumber, radiusLoginProfile, radiusPppProfile, radiusSlipProfile, radiusAuthFailedAccess, radiusLoginExpiration, radiusLoginPasswd, radiusPppExpiration, radiusPppPasswd, radiusSlipExpiration, radiusSlipPasswd, dynamicSessionCounter, dynamicSessionId, dynamicIPAddress, sessionTimeoutNumber, userCallbackId, userCallbackNumber, userPassword

residentialPerson

• Description: Used to define entries representing a person in the residential environment.

• Superior object class: top

• Mandatory attribute: l

• Optional attributes: businessCategory, destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, st, street, telephoneNumber, teletexTerminalIdentifier, telexNumber, x121Address

rFC822LocalPart

• Description: Used to define entries which represent the local part of RFC822 mail addresses. This treats this part of an RFC822 address as a domain.

• Superior object class: domain

• Optional attributes: cn, description, destinationIndicator, facsimileTelephoneNumber, internationaliSDNNumber, l, o, physicalDeliveryOfficeName, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, seeAlso, sn, st, street, telephoneNumber, teletexTerminalIdentifier, telexNumber, userPassword, x121Address

room

• Description: Used to define an entry representing a room.

• Superior object class: top

• Mandatory attribute: cn

• Optional attributes: description, roomNumber, seeAlso, telephoneNumber

shadowAccount (auxiliary object class)

• Description: Used to represent a user that has a shadow password. It is an auxiliary object class, which means that it may be used in conjunction with any object class.

• Superior object class: top

• Mandatory attribute: uid

• Optional attributes: description, shadowLastChange, shadowMax, shadowMin, shadowWarning, shadowInactive, shadowExpire, shadowFlag, userPassword

simpleSecurityObject

• Description: Used to define an entry containing a user password, for simple authentication.

• Superior object class: top

• Mandatory attribute: userPassword

strongAuthenticationUser (auxiliary object class)

• Description: Used to define an entry for an object participating in Strong Authentication. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: top

• Mandatory attribute: userCertificate

subschema (auxiliary object class)

• Description: Used to define an entry that contains the rules governing the schema. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Optional attributes: attributeTypes, dITStructureRules, ditContentRules, matchingRules, matchingRuleUse, nameForms, objectClasses

sunNisMap

• Description: Used by the NIS/LDAP server to manage NIS maps. An entry is created for each map stored in the LDAP directory.

• Superior object class: top

• Mandatory attributes: sunNisDomain, sunNisMapFullName, sunNisMapState, sunNisMaster, sunNisSecurityMode

• Optional attributes: description, seeAlso, sunNisDbmCache, sunNisDnsForwarding, sunNisInputFile, sunNisOutputName, sunNisLoadMap

sunNisServer

• Description: Used to define an entry that represents an NIS ypservers record. Used to import information from the ypservers file.

• Superior object class: top

• Mandatory attributes: cn

top

• Description: An abstract object class, parent of all others. It ensures that every object class contains the objectClass attribute.

• Mandatory attribute: objectClass

uidObject (auxiliary object class)

• Description: Used to name an entry with a unique ID. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: top

• Mandatory attribute: uid

userSecurityInformation (auxiliary object class)

• Description: Used to store security information about a user. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

• Superior object class: top

• Optional attribute: supportedAlgorithms

Attribute Reference

All attributes defined in the schema have one of the following syntaxes:

• Distinguished name (dn)

• Case-ignore string (cis) -- An alphanumeric string, not case-sensitive

• Case-exact string (ces) -- A case-sensitive alphanumeric string

• Telephone number (tel)

• Integer (int or long)

• Binary (bin)

• Encrypted (protected) -- A value that has been encrypted using the method specified through the Admin Console. Possible values are sunds, crypt, or none.

• UTC time (utctime)

The following list of attributes in the default schema gives the attribute syntax, any alternative names, and explains how the attribute is used.

abstract

• Syntax: cis

• Description: A brief description of the document described by the entry.

acctattrFile

• Syntax: ces

• Description: Specifies the name of the dynamic accounting attributes file to be used to interpret the dynamic accounting information received from the NAS described by the entry.

acctAuthentic

• Syntax: ces

• Description: Used in RADIUS accounting requests to indicate how the user described by the entry was authenticated.

acctDelayTime

• Syntax: ces

• Description: Used in RADIUS accounting requests to indicate for how long the NAS has been trying to send an accounting report. The delay is deducted from the time of arrival of the report to determine the actual time at which the event occurred.

acctInputOctet

• Syntax: ces

• Description: Used in RADIUS accounting requests to indicate the number of octets received during the provision of service.

acctInputPacket

• Syntax: ces

• Description: Used in RADIUS accounting requests to indicate the number of packets received during the provision of service.

acctOutputOctet

• Syntax: ces

• Description: Used in RADIUS accounting requests to indicate the number of octets sent during the provision of service.

acctOutputPacket

• Syntax: ces

• Description: Used in RADIUS accounting requests to indicate the number of packets sent during the provision of service.

acctSessionId

• Syntax: ces

• Description: Used in RADIUS accounting to provide a unique accounting ID. It is used to match start and stop records for the same session.

acctSessionTime

• Syntax: ces

• Description: Used in RADIUS accounting to indicate the number of seconds during which the user described by the entry has received service.

acctStatusType

• Syntax: ces

• Description: Used in RADIUS accounting to indicate whether the current report marks the beginning of service (start) or the end (stop).

acctTerminateCause

• Syntax: ces

• Description: Used in RADIUS accounting to indicate how a session was terminated.

ackedSequenceNumber

• Syntax: ces

• Description: A sequence number used during Legacy Mail directory synchronization.

aliasedObjectName

• Alternate name: aliasedEntryName

• Syntax: dn

• Description: The DN of the entry for which the alias entry is an alias. This attribute is single-valued.

altServer

• Syntax: cis

• Description: Specifies the URLs of other servers to contact if the current server is unavailable.

assistant

• Syntax: cis

• Description: An assistant to the person described by the entry.

associatedDomain

• Syntax: cis

• Description: The domain with which the object described by this entry is associated.

associatedName

• Syntax: dn

• Description: The distinguished name of an entry associated with this entry.

attributeName

• Syntax: cis

• Description: Specifies the name of an attribute.

attributeTypes

• Syntax: cis

• Description: Specifies the attribute types allowed in the schema.

audio

• Syntax: bin

• Description: Sound information associated with the object described by the entry.

authCalledStationId

• Syntax: ces

• Description: Indicates the phone number called by the user to request access through a NAS.

authCallingStationId

• Syntax: ces

• Description: Indicates the phone number from which the used called to request access through a NAS.

authFilterId

• Syntax: ces

• Description: Indicates the name of the filter list for the user described by the entry.

authHostPortNumber

• Syntax: ces

• Description: Indicates the physical port number of the NAS that is authenticating the user.

authHostPortType

• Syntax: ces

• Description: Indicates the type of physical port number of the NAS that is authenticating the user.

authLoginService

• Syntax: ces

• Description: Indicates the service that should be used to connect the user to the login host.

authNASidentifier

• Syntax: ces

• Description: Contains a string that identifies the NAS that transmitted an access request.

authorityRevocationList

• Syntax: cis

• Description: A list of certificates that have been revoked by the certification authority described in the entry, or that the certification authority knows have been revoked by other certification authorities.

authorizedDomain

• Syntax: cis

• Description: Domain name from which users are authorized to post to the list described by the entry.

authorizedSubmitter

• Syntax: cis

• Description: A registered user authorized to post messages to the list described by the entry.

authPortLimit

• Syntax: ces

• Description: Sets the maximum number of ports to be provided by the NAS to the user.

authPrefixName

• Syntax: ces

• Description: Used internally by the RADIUS server to distinguish between the user name to be processed for authentication and a possible prefix. In some cases, the connection protocol can add a prefix to the user's name, for example, ppp%jsmith.

authReplyMessage

• Syntax: cis

• Description: Contains text that the NAS can display to the user.

authServiceProtocol

• Syntax: ces

• Description: Indicates the type of service requested by the user.

authStartMenuId

• Syntax: ces

• Description: This attribute is used internally by the RADIUS server.

authState

• Syntax: ces

• Description: A state attribute sent by the RADIUS server to the NAS. The NAS must send it back unchanged in the reply to the server. This attribute is single-valued.

authStopMenuId

• Syntax: ces

• Description: Used internally by the RADIUS server.

authType

• Syntax: ces

• Description: Indicates to the RADIUS server how passwords are stored, so that the password supplied by the user can be compared correctly against the password stored under the user's entry in the directory. Possible values for this attribute are:

  • Crypt-Local -- specifies that passwords are stored encrypted

  • Local -- specifies that passwords are stored in clear text

  • System -- specifies that passwords are maintained in /etc/passwd

authSuffixName

• Syntax: ces

• Description: Used internally by the RADIUS server to distinguish between the user name to process for authentication and a possible suffix. In some cases, the domain name can be added to the user's name, for example, jsmith@eng.xyz.com.

authTerminationAction

• Syntax: ces

• Description: Indicates the action to perform by the NAS when the service session is finished.

automountInformation

• Syntax: ces

• Description: The automount information for the entry in the NIS automount map.

bootFile

• Syntax: ces

• Description: The name of the file containing the boot parameters for the bootable device described by the entry.

bootParameter

• Syntax: ces

• Description: A boot parameter for the bootable device described by the entry.

buildingName

• Syntax: cis

• Description: The name of the building where the object described by the entry resides.

businessCategory

• Syntax: cis

• Description: The type of business of the object described by the entry.

c, see countryName

carLicense

• Syntax: cis

• Description: The type of car license held by the person described by the entry.

cACertificate

• Syntax: bin

• Description: The public key of the certification authority described by the entry.

cCMailAddress

• Syntax: cis

• Description: Used to route email messages through a Lotus CC:mail channel. It stores a copy of the email addresses in the preferredCCMailOriginator and preferredCCMailRecipient attributes.

certificateRevocationList

• Syntax: cis

• Description: A list of certificates that have been revoked by the certification authority described by the entry, or that the certification authority knows have been revoked by other certification authorities.

channelName

• Alternate name: ch

• Syntax: cis

• Description: The name of the Legacy Mail channel for the user described by the entry. Channel names are chosen for users by the system administrator.

channelType

• Syntax: ces

• Description: The type of the Legacy Mail channel for the user described in the entry. The value must be one of the following:

  • 0 for CC:mail

  • 1 for Microsoft Mail

  • 4 for an SMTP mail system

  • 8 for IBM PROFS

chapPassword

• Syntax: ces

• Description: Contains the response value provided by a PPP Challenge Handshake Authentication Protocol (CHAP) user in response to a challenge. This attribute is single-valued.

cn, see commonName

commonName

• Alternate name: cn

• Syntax: cis

• Description: The full name of the user described by the entry.

copyright

• Syntax: cis

• Description: The copyright statement for the object described by the entry.

countryName

• Alternate name: c

• Syntax: cis

• Description: The name of the country where the object described by the entry resides, or where a parent of the entry resides. The name has to be a two-letter string defined in ISO 3166. This attribute is single-valued. Multinational corporations usually use the country of their headquarters as the country of the whole organization.

createtimestamp

• Syntax: utctime

• Description: A timestamp that indicates the time at which the entry was created. This attribute is single-valued. It is created and maintained by the server.

creatorsName

• Syntax: dn

• Description: The DN of the person who created the entry. This attribute is single-valued. It is created and maintained by the server.

crossCertificatePair

• Syntax: cis

• Description: A pair of certificates, containing the public keys of the object described by the entry.

currentSequenceNumber

• Syntax: ces

• Description: A sequence number used during Legacy Mail directory synchronization.

dataSource

• Syntax: cis

• Description: The original data source or migration tool for data in the entry.

dc, see domainComponent

deltaRevocationList

• Syntax: cis

• Description: The differences in revocation lists. This attribute provides a list of newly revocated certificates.

departmentNumber

• Syntax: cis

• Description: A string identifying the department to which a user described by the entry belongs. The format is a local decision.

description

• Syntax: cis

• Description: The description of the entry object.

destinationIndicator

• Syntax: cis

• Description: The country and city addressing information for the object described by the entry.

dictionaryFile

• Syntax: ces

• Description: Specifies the dictionary to be used by the RADIUS server when it receives a request from the NAS described by the entry.

distinguishedName

• Alternate name: dn

• Syntax: dn

• Description: Specifies the distinguished name of an entry.

dITContentRules

• Syntax: cis

• Description: Specifies the rules governing the content of the DIT.

dITRedirect

• Syntax: dn

• Description: Indicates that the object described by one entry now has a newer entry in the DIT. The entry containing the redirection attribute should be removed after a suitable period.

dITStructureRules

• Syntax: cis

• Description: Specifies the rules governing the structure of the DIT.

dmdName

• Syntax: cis

• Description: Gives the name of the Directory Management Domain (DMD) stored on the server.

dn, see distinguishedName

dNSRecord

• Syntax: ces

• Description: Used to store DNS record fields.

docConvPreference

• Syntax: cis

• Description: The preferred method for converting a document sent through the gateway described by the entry.

documentAuthor

• Syntax: dn

• Description: The author of the document described by the entry.

documentIdentifier

• Syntax: cis

• Description: A string identifying the document described by the entry.

documentLocation

• Syntax: cis

• Description: The location of the document described by the entry.

documentPublisher

• Syntax: cis

• Description: The publisher of the document described by the entry.

documentStore

• Syntax: cis

• Description: The location where the document described by the entry is stored.

documentTitle

• Syntax: cis

• Description: The title of the document described by the entry.

documentVersion

• Syntax: cis

• Description: The version number of the document described by the entry.

domainComponent

• Alternate name: dc

• Syntax: cis

• Description: Part of the name of the domain described by the entry. This attribute is single-valued.

drink

• Alternate name: favouriteDrink

• Syntax: cis

• Description: The favorite drink of the person described by the entry.

dynamicIPaddressBinding

• Syntax: cis

• Description: When RADIUS accounting is activated, associates the dynamicIPAddress and the dynamicSessionId assigned to the remote user.

dynamicIPAddress

• Syntax: cis

• Description: When RADIUS accounting is activated, the IP address assigned to the remote user is recorded in the user's entry using this attribute. This attribute is created when the session begins, and removed when the session ends.

dynamicSessionCounter

• Syntax: int

• Description: When RADIUS accounting is activated, the number of concurrent open sessions for a remote user is recorded in the user's entry using this attribute. This attribute is removed when the user ends the last session. This attribute is single-valued.

dynamicSessionId

• Syntax: cis

• Description: When RADIUS accounting is activated, the session identifier assigned to the remote user for a particular session is recorded in the user's entry using this attribute. This identifier is used in to open and close the accounting report for the session.

employeeNumber

• Syntax: cis

• Description: A number identifying the person described by the entry.

employeeType

• Syntax: cis

• Description: Information identifying the type of the employee (for example, Contractor) described by the entry.

expandable

• Syntax: cis

• Description: Whether the membership of the list described by the entry is visible (TRUE or FALSE).

expirationDate

• Syntax: ces

• Description: Indicates the expiration date for the password stored in the userPassword attribute. The expirationDate attribute is single-valued.

facsimileTelephoneNumber

• Alternate name: fax

• Syntax: tel

• Description: The fax telephone number of the object described by the entry.

favouriteDrink, see drink

framedCompression

• Syntax: ces

• Description: Indicates a compression protocol to be used for the link.

framedIPAddress

• Syntax: ces

• Description: Indicates the address to be configured for the user.

framedMTU

• Syntax: ces

• Description: Indicates the maximum transmission unit (MTU) to be configured for the user, when it is not negotiated by some other means (such as PPP).

framedProtocol

• Syntax: ces

• Description: Indicates the framing to be used for framed access.

framedRoute

• Syntax: ces

• Description: Provides routing information to be configured for the user on the NAS. Not to be confused with the framedRouting attribute.

framedRouting

• Syntax: ces

• Description: Indicates the routing method for the user, when the user is a router to a network. Not to be confused with the framedRoute attribute.

freeFormName

• Syntax: cis

• Description: The name of the person described by the entry.

gecos

• Syntax: cis

• Description: The gecos field of the user described in the entry. Usually the user's common name. This attribute is single-valued.

generationQualifier

• Syntax: cis

• Description: Generation information, for example, Senior or III, to qualify the name of the user described by the entry.

gidNumber

• Syntax: long

• Description: An integer that uniquely identifies a group in an administrative domain. This attribute is single-valued.

givenName

• Alternate name: gn

• Syntax: cis

• Description: The given name of the person described by the entry.

grpCheckInfo

• Syntax: ces

• Description: Contains a list of attributes that must be checked by the RADIUS server against the information supplied by the remote user. If the grpCheckInfo attribute is not present, or if it does not contain any attributes, then all the attributes in the remote user's entry are checked before access is granted to the user. This attribute is used internally by the server.

grpReplyInfo

• Syntax: ces

• Description: Contains a list of attributes returned by the RADIUS server with an access-accept or access-reject response. It can contain connection parameters such as a PPP or SLIP profile. This attribute is used internally by the server.

homeDirectory

• Syntax: ces

• Description: The filesystem location of the home directory of the user described by the entry. This attribute is single-valued.

homeFacsimileTelephoneNumber

• Alternate name: homeFax

• Syntax: tel

• Description: The home fax number of the user described by the entry.

homePhone

• Syntax: tel

• Description: The home phone number of the user described by the entry.

homePostalAddress

• Syntax: cis

• Description: The home postal address of the user described by the entry.

host

• Syntax: cis

• Description: The host used by the object described by the entry.

idleTimeoutNumber

• Syntax: ces

• Description: Sets the maximum number of consecutive seconds that the connection can remain idle before the session is terminated.

initials

• Syntax: cis

• Description: The initials of the person described by the entry.

internationalISDNNumber

• Syntax: cis

• Description: The ISDN telephone number of the object described by the entry, including country and area codes.

ipHostNumber

• Syntax: cis

• Description: Specifies the IP address of the host described by the entry, in dotted decimal format, without leading zeros.

ipLoginHost

• Syntax: cis

• Description: Indicates the system with which to connect the user, when the authLoginService attribute is included in the connection request.

ipLoginPort

• Syntax: cis

• Description: Indicates the TCP port with which the user is to be connected, when the authLoginService attribute is included in the connection request.

ipNetmaskNumber

• Syntax: cis

• Description: Specifies an IP netmask, in dotted decimal format, without leading zeros. This attribute is single-valued.

ipNetworkNumber

• Syntax: cis

• Description: Specifies the number of the IP network described by the entry, in dotted decimal format, without leading zeros. This attribute is single-valued.

ipProtocolNumber

• Syntax: long

• Description: Specifies the port number/port type (for example UDP or TCP) pair for the IP protocol described by the entry. This attribute is single-valued.

ipxNetworkNumber

• Syntax: cis

• Description: Indicates the IPX network number to be configured for the user.

joinable

• Syntax: cis

• Purpose: Whether or not users may add themselves to the list described by the entry (TRUE or FALSE).

jpegPhoto

• Syntax: bin

• Description: A photograph, in JPEG format, of, or associated with, the object described by the entry.

keywords

• Syntax: cis

• Description: Keywords associated with the object described by the entry.

knowledgeInformation

• Syntax: cis

• Description: The knowledge information (references to other directory servers) stored by the DSA described by the entry.

labeledURI

• Alternate name: labeledURL

• Syntax: ces

• Description: The uniform resource identifier (URI) and label associated with the object described by the entry.

lastModifiedBy

• Syntax: dn

• Description: The distinguished name of the user who last modified the object described by the entry. Note that this is not the user who last modified the entry itself.

lastModifiedTime

• Syntax: utctime

• Description: The date and time when the object described by the entry was last modified. Note that this is not the date and time at which the entry itself was modified.

loginShell

• Syntax: ces

• Description: The path to the login shell of the user described by the entry. This attribute is single-valued.

ldapSyntaxes

• Syntax: cis

• Description: Specifies the syntaxes supported by the LDAP server.

localityName

• Alternate name: l

• Syntax: cis

• Description: The geographical locality of the object described by the entry.

lotusNotesAddresses

• Syntax: cis

• Description: The Lotus Notes electronic mail address of the user described by the entry.

macAddress

• Syntax: cis

• Description: Specifies a MAC address for the device described by the entry, expressed in colon-separated hex notation.

mail

• Alternate name: preferredRfc822Originator

• Syntax: cis

• Description: The advertised electronic mail address, in RFC822 format, of the user described by the entry.

mail11Addresses

• Syntax: cis

• Description: The Mail-11 electronic mail address of the user described by the entry.

mailAutoReplyExpirationDate

• Syntax: cis

• Description: At midnight on this date, disable auto-reply to email sent to the user described by the entry. The date must be in UTC format.

mailAutoReplyMode

• Syntax: cis

• Description: Mode of operation for the auto-reply facility (currently only vacation is supported) for the user described by the entry.

mailAutoReplySubject

• Syntax: cis

• Description: The subject line of an auto-reply message from the user described by the entry. If it contains the token $SUBJECT, it is replaced by the subject line of the incoming message.

mailAutoReplyText

• Syntax: cis

• Description: The body of an auto-reply message from the user described by the entry. If the text contains the tokens $SUBJECT or $BODY, they are replaced by the subject line or body from the incoming message. Use '$' as the line-separator.

mailAutoReplyTextInternal

• Syntax: cis

• Description: The body of an auto-reply message from the user described by the entry, for use within the organization. If the text contains the tokens $SUBJECT or $BODY, they are replaced by the subject line or body from the incoming message. Use '$' as the line-separator.

mailDeliveryFile

• Syntax: ces

• Description: The name of a file. Mail delivered to the user whose entry contains this attribute is appended to this file.

mailDeliveryOption

• Syntax: cis

• Description: One or more delivery options:

  • mailbox - deliver mail to the message store mailbox specified by the mailMessageStore attribute

  • shared - deliver mail to the message store shared-mailbox specified by the mailMessageStore attribute

  • native - deliver mail to a Unix filesystem mailbox

  • autoreply - deliver mail to an auto-reply facility (for example, vacation mail)

  • program - deliver mail to the Unix program specified by the mailProgramDeliveryInfo attribute

  • forward - forward mail to the address specified by the mailForwardingAddress attribute

  • file - append mail to the file specified by the mailDeliverFile attribute

  Email received by the user described by the entry is delivered according to the options selected.

mailFolderMap

• Syntax: cis

• Description: The message store for a user's mail folders. The value must be one of the following:

  • UNIX V7 - UNIX V7 message store (also known as the /var/mail message store)

  • Sun-MS - Sun Internet Mail message store

mailForwardingAddress

• Syntax: cis

• Description: Forward mail received by the user described by the entry to the specified email address (RFC-822 format).

mailHost

• Syntax: cis

• Description: The hostname of the SMTP/MIME mail server of the user described by the entry, including the full domain name.

mailMessageStore

• Syntax: ces

• Description: The filesystem location for the inbox of the user described by the entry.

mailProgramDeliveryInfo

• Syntax: ces

• Description: One or more commands, with arguments, to be executed when a message is delivered to the user whose entry contains this attribute if the attribute mailDeliveryOptions contains the value program.

mailQuota

• Syntax: cis

• Description: The maximum size (in bytes) of the message store of the user described by the entry. A value of zero denotes an unlimited message store.

manager

• Syntax: dn

• Description: The distinguished name of the manager of the person or object described by the entry.

matchingRules

• Syntax: cis

• Description: Specifies the matching rules allowed in the schema.

matchingRuleUse

• Syntax: cis

• Description: Specifies how matching rules are used in the schema.

maxLastModifiedTime

• Syntax: cis

• Description: A timestamp used during Legacy Mail directory synchronization.

member

• Syntax: dn

• Description: The distinguished name of a member of the distribution list described by the entry.

memberUid

• Syntax: cis

• Description: The uid name of a member of the Posix group described by the entry.

memberNisNetgroup

• Syntax: cis

• Description: The name of a member of the netgroup described by the entry.

middleName

• Syntax: cis

• Description: The middle name of the person described by the entry.

mobiletelephoneNumber

• Alternate name: mobile

• Syntax: tel

• Description: The telephone number of the mobile phone used by the person described in the entry.

modifiersName

• Syntax: dn

• Description: The DN of the person who modified the entry . This attribute is single-valued.

modifytimestamp

• Syntax: utctime

• Description: A timestamp that indicates the time at which the entry was modified. This attribute is single-valued.

mrAddresses

• Syntax: cis

• Description: The address of a user of the MR mail system.

mSMailAddresses

• Syntax: cis

• Description: Used to route email messages through a Microsoft Mail channel. It stores a copy of the email addresses in the preferredMSMailOriginator and preferredMSMailRecipient attributes.

nameForms

• Syntax: cis

• Description: Specifies the name forms allowed in the schema.

namingContexts

• Syntax: dn

• Description: Specifies the master and slave naming contexts stored on the server.

nGM70Addresses

• Syntax: cis

• Description: The electronic mail address of a user of the NMG70 mail system.

nGMAddresses

• Syntax: cis

• Description: The electronic mail address of a user of the NMG mail system.

nisMapEntry

• Syntax: ces

• Description: Contains a record in the NIS map described by the entry. This attribute is single-valued.

nisMapName

• Syntax: ces

• Description: Specifies the name of the NIS map described by the entry. This attribute is single-valued.

nisNetgroupTriple

• Syntax: cis

• Description: Represents a triple of the form hostname/username/domainname associated with the netgroup described by the entry.

nisNetIdGroup

• Syntax: ces

• Description: Represents the group id associated with a record in the netid.byname map.

nisNetIdHost

• Syntax: ces

• Description: Represents the hostname associated with a record in the netid.byname map.

nisNetIdUser

• Syntax: ces

• Description: Represents the user id associated with a record in the netid.byname map.

o, see organizationName

objectClass

• Syntax: cis

• Description: The object class of the type of entry.

objectClasses

• Syntax: cis

• Description: Specifies the object classes allowed in the schema.

objectStatus

• Syntax: cis

• Description: Used during Legacy Mail directory synchronization to denote a deleted entry.

obsoletedByDocument

• Syntax: cis

• Description: Information identifying a document that makes the document described in the entry obsolete.

obsoletesDocument

• Syntax: cis

• Description: Information identifying a document that is made obsolete by the document described in the entry.

oncRpcNumber

• Syntax: long

• Description: RPC number of the RPC service described by the entry. This attribute is single-valued.

organizationName

• Alternate name: o

• Syntax: cis

• Description: The name of the organization to which the object described by the entry belongs.

owner

• Syntax: dn

• Description: The distinguished name of an entry describing the person responsible for the distribution list described by the entry.

ownerDeliveryFile

• Syntax: ces

• Description: The name of the file to which mail addressed to the owner of the distribution list described by the entry is appended.

ownerDeliveryOption

• Syntax: ces

• Description: Delivery options for mail addressed to owner-listname. The values must be one of the following:

  • mailbox: deliver mail to a message store mailbox

  • shared: deliver mail to a message store shared mailbox

  • native: deliver mail to a UNIX filesystem mailbox

  • autoreply: deliver mail to the autoreply facility, such as a vacation mailer

  • program: deliver mail to the UNIX program specified as the value of the attribute ownerProgramDeliveryInfo

  • forward: forward mail to another recipient

  • file: append mail to the file specified as a value of the attribute ownerDeliveryFile

ownerProgramDeliveryInfo

• Syntax: ces

• Description: Mail addressed to the owner of a distribution list is delivered to this program. Specifies one or more commands, with arguments, to use in program delivery. Use '$' as the line-separator.

pagertelephonenumber

• Alternate name: pager

• Syntax: tel

• Description: The telephone number of the pager of the person described by the entry.

personalMobile

• Syntax: tel

• Description: The telephone number of the mobile phone belonging personally to the person described by the entry.

personalPager

• Syntax: tel

• Description: The telephone number of the pager belonging personally to the person described by the entry.

personalSignature

• Syntax: bin

• Description: The signature of the person described by the entry.

personalTitle

• Syntax: cis

• Description: The title of the person described by the entry, for example, Doctor, or Ms.

photo

• Syntax: bin

• Description: A photograph of, or associated with, the object described by the entry.

physicalDeliveryOfficeName

• Syntax: cis

• Description: The mailstop of the object described by the entry.

postalAddress

• Syntax: cis

• Description: The postal address of the object described by the entry.

postalCode

• Syntax: cis

• Description: The postal code of the object described by the entry.

postOfficeBox

• Syntax: cis

• Description: The post office box of the object described by the entry.

preferredCCMailOriginator

• Syntax: cis

• Description: The email address for routing through a Lotus CC:mail channel.

preferredCCMailRecipient

• Syntax: cis

• Description: The native Lotus CC:mail address.

preferredDeliveryMethod

• Syntax: cis

• Description: Preferred delivery method for communication with the object described by the entry. This attribute is single-valued.

preferredLanguage

• Syntax: cis

• Description: The preferred language for communication with the person described by the entry. This attribute is single-valued.

preferredLotusNotesOriginator

• Syntax: cis

• Description: The email address used for routing through a Lotus Notes channel.

preferredLotusNotesRecipient

• Syntax: cis

• Description: The native Lotus Notes mail address.

preferredMail11Originator

• Syntax: cis

• Description: The email address used for routing through a Mail-11 channel.

preferredMail11Recipient

• Syntax: cis

• Description: The native Mail-11 mail address.

preferredMrOriginator

• Syntax: cis

• Description: The email address used for routing through a Mail Relay (MR) channel.

preferredMrRecipient

• Syntax: cis

• Description: The native MR mail address.

preferredMSMailOriginator

• Syntax: cis

• Description: The email address for routing through a Microsoft Mail channel.

preferredMSMailRecipient

• Syntax: cis

• Description: The native Microsoft Mail address.

preferredNGM70Originator

• Syntax: cis

• Description: The email address used for routing through a Novell Groupwise Mail 7.0 (NMG70) channel.

preferredNGM70Recipient

• Syntax: cis

• Description: The native NMG70 address.

preferredNGMOriginator

• Syntax: cis

• Description: The email address used for routing through a Novell Groupwise Mail (NMG) channel.

preferredPROFSOriginator

• Syntax: cis

• Description: The email address for routing through an IBM PROFS channel.

preferredPROFSRecipient

• Syntax: cis

• Description: The native IBM PROFS address.

preferredRfc822Recipient

• Syntax: cis

• Description: The user's internal email address (RFC-822 format).

presentationAddress

• Syntax: cis

• Description: The presentation address of the object described by the entry. This attribute is single-valued.

pROFSAddresses

• Syntax: cis

• Description: Used to route email messages through an IBM PROFS channel. It stores a copy of the email addresses in the preferredPROFSOriginator and preferredPROFSRecipient attributes.

radiusAuthFailedAccess

• Syntax: ces

• Description: Created dynamically in a remote user's entry when an access request is rejected. This counter is incremented by 1 at each failed attempt. The user account is blocked when this counter reaches the blocking value specified in the configuration (by default, 4). This attribute is single-valued.

radiusLoginExpiration

• Syntax: ces

• Description: Indicates the expiration date for the password stored in the radiusLoginPasswd attribute. The radiusLoginExpiration attribute is single-valued.

radiusLoginPasswd

• Syntax: ces

• Description: Password provided by the remote user to gain access to the network through the LOGIN protocol. This attribute is single-valued.

radiusLoginProfile

• Syntax: ces

• Description: Flag with value 0 or 1. Value 1 indicates to check the password supplied by the user against the password stored in the radiusLoginPasswd attribute. Value 0 disables this check. The radiusLoginProfile attribute is single-valued.

radiusPppExpiration

• Syntax: ces

• Description: Indicates the expiration date for the password stored in the radiusPppPasswd attribute. The radiusPppExpiration attribute is single-valued.

radiusPppPasswd

• Syntax: ces

• Description: Password provided by the remote user to gain access to the network through the PPP protocol This attribute is single-valued.

radiusPppProfile

• Syntax: ces

• Description: Flag with value 0 or 1. Value 1 indicates to check the password supplied by the user against the password stored in the radiusPppPasswd attribute. Value 0 disables this check. The radiusPppProfile attribute is single-valued.

radiusSlipExpiration

• Syntax: ces

• Description: Indicates the expiration date for the password stored in the radiusSlipPasswd attribute. The radiusSlipExpiration attribute is single-valued.

radiusSlipPasswd

• Syntax: ces

• Description: Password provided by the remote user to gain access to the network through the SLIP protocol. This attribute is single-valued.

radiusSlipProfile

• Syntax: ces

• Description:Flag with value 0 or 1. Value 1 indicates to check the password supplied by the user against the password stored in the radiusSlipPasswd attribute. Value 0 disables this check. The radiusSlipProfile attribute is single-valued.

ref

• Syntax: ces

• Description: Provides a pointer to a subtree or entry in the DIT stored on a different data store. The pointer is a URL of the form "ldap://hostname[:port]/DN", where hostname is the name of the host where the data store resides, port is the LDAP port number (by default port 389), and DN is the data store suffix.

registeredAddress

• Syntax: cis

• Description: The registered postal address of the entity described by the entry.

reportsTo

• Syntax: cis

• Description: The name of the manager of the user described by the entry.

requestsToDeliveryFile

• Syntax: ces

• Description: The name of a file to which requests to be added to the distribution list described by the entry are appended.

requestsToDeliveryOption

• Syntax: cis

• Description: One or more delivery options for mail addressed to listname-request:

  • mailbox - deliver mail to a message store mailbox

  • shared - deliver mail to a message store shared-mailbox

  • native - deliver mail to a UNIX filesystem mailbox

  • autoreply - deliver mail to an auto-reply facility (for example, vacation mail)

  • program - deliver mail to a UNIX program

  • forward - forward mail to another address

  • file - append mail to a file

requestsToProgramDeliveryInfo

• Syntax: ces

• Description: Mail addressed to listname-request is delivered to this program. Specifies one or more commands, with arguments, to use in program delivery. Use $ as the line-separator.

rfc822AuthorizedSubmitter

• Syntax: cis

• Description: The email addresses of users authorized to post to the list.

rfc822Mailbox

• Syntax: cis

• Description: Stores all the email addresses (RFC-822 format) defined for the user. It stores a copy of the email addresses in the mail and preferredRfc822Recipient attributes.

rfc822MailMember

• Syntax: ces

• Description: Stores the email addresses (RFC-822 format) defined for members of the list.

rfc822Owner

• Syntax: cis

• Description: The email address of the owner of the list.

rfc822UnauthorizedSubmitter

• Syntax: cis

• Description: The email addresses of users not authorized to post to the list.

roleOccupant

• Syntax: cis

• Description: Information identifying the object or person fulfilling the role described by the entry.

roomNumber

• Syntax: cis

• Description: The number of the room where the object described by the entry is located.

searchGuide

• Syntax: cis

• Description: Information to facilitate searching for information contained in the entry.

secretary

• Syntax: dn

• Description: The distinguished name of the secretary of the person or organization described by the entry.

seeAlso

• Syntax: dn

• Description: The distinguished name of an entry that contains information that is also of interest to anyone interested in the object described by this entry.

serialNumber

• Syntax: cis

• Description: The serial number of the device described by the entry.

sessionTimeoutNumber

• Syntax: ces

• Description: Sets the maximum number of seconds of service to be provided to the user described in the entry before the session is shut down.

shadowLastChange

• Syntax: long

• Description: Indicates the number of days between January 1, 1970 and the day when the user password was last changed in the /etc/shadow file. This attribute is single-valued.

shadowExpire

• Syntax: long

• Description: Indicates the date on which the user login will be disabled. This attribute is single-valued.

shadowFlag

• Syntax: long

• Description: Reserved attribute, not currently in use.

shadowInactive

• Syntax: long

• Description: Indicates the number of days of inactivity allowed for the user. This attribute is single-valued.

shadowMax

• Syntax: long

• Description: Indicates the maximum number of days for which the user password remains valid. This attribute is single-valued.

shadowMin

• Syntax: long

• Description: Indicates the minimum number of days required between password changes. This attribute is single-valued.

shadowWarning

• Syntax: long

• Description: The number of days of advance warning given to the user before the user password expires. This attribute is single-valued.

sharedKey

• Syntax: ces

• Description: Specifies the shared secret used by the network access server (NAS) described by the entry during RADIUS authentication. This attribute is single-valued.

stateOrProvinceName

• Alternate name: st

• Syntax: cis

• Description: The name of the state, province, or geographical area within a country where the object described by the entry resides.

streetAddress

• Alternate name: street

• Syntax: cis

• Description: A street name and number.

subject

• Syntax: cis

• Description: The subject of the document described by the entry.

subschemaSubentry

• Syntax: dn

• Description: The DN of the subschema entry or subentry that contains the attributes specifying the schema. This attribute is single-valued.

sunNisDbmCache

• Syntax: cis

• Description: Indicates whether the NIS/LDAP server must maintain the map described by the entry in plain NIS format. The possible values of this attribute are Enabled or Disabled. It is usually Enabled for a master server, and Disabled for a slave server. The value automatically changes to Disabled for a map that exceeds 50 000 entries. This attribute is single-valued.

sunNisDnsForwarding

• Syntax: cis

• Description: Indicates that the server must look up DNS for hostnames and addresses not found in the NIS tables. The possible values of this attribute are Enabled or Disabled. This attribute is created with the value Enabled when you run the dsypinit command with option -b. This attribute is single-valued.

sunNisDomain

• Syntax: ces

• Description: Gives the name of the NIS domain to which the map described by the entry belongs. This attribute is single-valued.

sunNisInputFile

• Syntax: ces

• Description: Stores the value of a special NIS key called YP_INPUT_FILE. This attribute is single-valued.

sunNisKey

• Syntax: ces

• Description: Stores the value of a NIS key (case-sensitive).

sunNisLoadMap

• Syntax: cis

• Description: Adding this attribute to the entry launches a reload of the map described by the entry. It builds the map from the entries already present in the directory. This attribute is single-valued, and you can give it any value. This attribute is automatically removed when the reload of the map is complete. Creating this attribute is equivalent to running the dsypinit command with option -l.

sunNisMapFullName

• Syntax: ces

• Description: Gives the full name of a Sun NIS map with the domain name as suffix. This attribute is single-valued.

sunNisMapState

• Syntax: cis

• Description: Indicates whether the map described by the entry is supported by the server. The possible values of this attribute are Enabled and Disabled. Enabled indicates that the map is supported by the server, Disabled that it is not. This attribute is single-valued.

sunNisMaster

• Syntax: ces

• Description: Specifies the hostname of the master server for the map described by the entry. This attribute is single-valued.

sunNisOutputName

• Syntax: ces

• Description: Stores the value of a special NIS key called YP_OUTPUT_FILE . This attribute is single-valued.

sunNisSecurityMode

• Syntax: cis

• Description: Sets the security mode for the map described by the entry. The possible values of this attribute are Secure and Insecure. When set to Secure, the server will accept connections from secure networks only. This attribute is single-valued. Setting this attribute to Secure is equivalent to running the dsypinit command with the option -r.

supportedAlgorithms

• Syntax: cis

• Description: Specifies the algorithms that the server supports.

supportedApplicationContext

• Syntax: cis

• Description: An application context supported by the application entity described by the entry.

supportedControl

• Syntax: cis

• Description: Specifies the LDAP v3 controls that the server supports.

supportedLDAPVersion

• Syntax: int

• Description: Specifies the LDAP version that the server supports.

supportedExtension

• Syntax: cis

• Description: Specifies the LDAP v3 extensions that the server supports.

supportedSASLMechanisms

• Syntax: cis

• Description: Specifies the Simple Authentication Security Layer (SASL) mechanisms that the server supports.

surname

• Alternate name: sn

• Syntax: cis

• Description: The surname of the person described by the entry.

telephoneNumber

• Syntax: tel

• Description: Telephone number (in international format).

teletexTerminalIdentifier

• Syntax: cis

• Description: The teletex terminal identifier and, optionally, parameters for a teletex terminal associated with the object described by the entry.

telexNumber

• Syntax: cis

• Description: Telex number, country code and answerback code of a telex terminal. Dollar($)-separated string.

textEncodedORaddress

• Syntax: cis

• Description: The X.400 electronic mail originator/recipient address (ORAddress) of the user described in the entry.

thumbNailPhoto

• Syntax: bin

• Description: A thumbnail photograph of, or associated with, the object described by the entry.

thumbNailLogo

• Syntax: bin

• Description: A thumbnail logo associated with the object described by the entry.

title

• Syntax: cis

• Description: The title of the person described by the entry, for example, Doctor, or Ms.

uidNumber

• Syntax: long

• Description: An integer that uniquely identifies a user in an administrative domain. This attribute is single-valued.

unauthorizedDomain

• Syntax: cis

• Description: A domain name from which users are not authorized to post to the list.

unauthorizedSubmitter

• Syntax: cis

• Description: The registered users not authorized to post messages to the list.

uniqueIdentifier

• Syntax: cis

• Description: A unique identifier for the object described by the entry.

uniqueMember

• Syntax: cis

• Description: A unique member of the group described by the entry.

updatedByDocument

• Syntax: cis

• Description: Information identifying a document that updates the document described by the entry.

updatesDocument

• Syntax: cis

• Description: Information identifying a document that is updated by the document described by the entry.

userCallbackId

• Syntax: ces

• Description: Indicates a name of a place to be called. This attribute is interpreted by the NAS.

userCallbackNumber

• Syntax: ces

• Description: Indicates a dialing string to use for callback to provide service to the user.

userCertificate

• Syntax: cis

• Description: A certificate containing the public key of the user described by the entry.

userDefinedAttribute1

• Syntax: cis

• Description: Attribute for use by the user.

userDefinedAttribute2

• Syntax: cis

• Description: Attribute for use by the user.

userDefinedAttribute3

• Syntax: cis

• Description: Attribute for use by the user.

userDefinedAttribute4

• Syntax: cis

• Description: Attribute for use by the user.

userid

• Alternate name: uid

• Syntax: cis

• Description: The user ID of the user described by the entry.

userPassword

• Syntax: protected

• Description: The password that the user described by the entry uses to gain access to the entry.

userSMIMECertificate

• Syntax: bin

• Description: The Secure MIME certificate of the user described by the entry.

x121Address

• Syntax: cis

• Description: An address as defined by ITU Recommendation X.121.

x500uniqueIdentifier

• Syntax: cis

• Description: A unique identifier for the object described by the entry.