This chapter describes the basic concepts of the LDAP directory schema and provides detailed lists of the schema elements for Oracle Identity Management.
This chapter includes the following sections:
A directory schema specifies, among other rules, the types of objects that a directory may have and the mandatory and optional attributes of each object type. The Lightweight Directory Access Protocol (LDAP) version 3 defines a schema based on the X.500 standard for common objects found in a network, such as countries, localities, organizations, people, groups, and devices. In the LDAP v3, the schema is available from the directory. That is, it is represented as entries in the directory and its information as attributes of those entries.
This section contains the following topics:
An object class is an LDAP directory term that denotes the type of object being represented by a directory entry or record. There are also object classes that define an object's relationship to other objects; for example, the object class top denotes that the object may have subordinate objects under it in a hierarchical tree structure. Several LDAP object classes may be combined to create an entry in the directory. For example, an entry for a user uses the top, person, organizationalPerson, inetOrgPerson, and orclUserV2 object classes.
Required and Allowed Attributes
The definition of an object class includes a list of required attributes (MUST) and allowed attributes (MAY). Required attributes include the attributes that must be present in entries using the object class. Allowed attributes include the attributes that may be present in entries using the object class.
The X.500 1993 specification requires that object classes be assigned to one of four categories:
Structural: Object classes that can have instances in the directory. Structural classes are used to create directory objects or entries.
Abstract: Template object classes that are used only to derive new structural classes. Abstract classes cannot be instantiated in the directory.
Auxiliary: A list of attributes that can be appended to the definition of a Structural or Abstract class. An Auxiliary class cannot be instantiated in the directory.
88 Classes: Assigning object classes to categories was not required in the X.500 1988 specification. Classes that were defined prior to the X.500 1993 standards, default to the 88 class. Do not define new 88 classes.
Inheritance, which is also referred to as derivation, is the ability to build new object classes from existing object classes. The new object is defined as a subclass of the parent object. A subclass is a class that inherits from some other class; for example, a subclass inherits structure and content rules from the parent. The parent object becomes a superclass of the new object. A superclass is a class from which one or more other classes inherit information.
Directory data is represented as attribute-value pairs. Any piece of information in the directory is associated with a descriptive attribute. For example, the cn (commonName) attribute is used to store a nickname. A person named William (Bill) Smith can be represented in the directory as:
cn: Bill Smith
The length of an attribute name must not exceed 127 characters. For more information about attribute management, refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Oracle Internet Directory imposes no limitations on the characters that can be used in attribute names. Other components of Oracle Identity Management, however, do limit the characters that can be used for certain attributes.
Oracle Delegated Administration Services and Oracle Directory Integration Platform prohibit the use of spaces and of any of the following characters in UserID: & ' % ? \ / + = ( ) * ^ , ; | ' ~
Oracle Application Server Single Sign-On requires that a password should not contain the following characters: & { } < > " ' ( )
An attribute syntax is the basic building block of an attribute. Every attribute is assigned a syntax that defines the attribute value's data format. For example, attribute syntaxes determine whether an attribute stores an integer, string, or binary data. The syntax also defines the matching rules that control the type of comparison operations you can perform on the attribute value.
Oracle Internet Directory recognizes attribute syntax as specified in RFC 2252, that is, it enables you to associate the attribute syntax described in that document with an attribute. Oracle Internet Directory enforces attribute syntax for the following types:
DN
OID (object identifier)
Telephone Number
The following table describes the attribute syntax most commonly used in Oracle Internet Directory:
Table 6-1 Attribute Syntax Commonly Used in Oracle Internet Directory
Syntax | Object ID | Description |
---|---|---|
ACI Item | 1.3.6.1.4.1.1466.115.121.1.1 | Values for this attribute are access control identifier items. |
Binary | 1.3.6.1.4.1.1466.115.121.1.5 | Values for this attribute are binary. |
Boolean | 1.3.6.1.4.1.1466.115.121.1.7 | The attribute can contain only one of two values: true (1) or false (0). |
Directory String | 1.3.6.1.4.1.1466.115.121.1.15 | Values for this attribute are strings which are not case-sensitive. |
DN | 1.3.6.1.4.1.1466.115.121.1.12 | Values for this attribute are DNs (distinguished names). |
Generalized Time | 1.3.6.1.4.1.1466.115.121.1.24 | Values for this attribute are encoded as printable strings. A time zone must be specified (such as GMT). |
IA5String | 1.3.6.1.4.1.1466.115.121.1.26 | International Reference Alphabet No. 5 (IA5) string. Values for this attribute are case-sensitive. |
Integer | 1.3.6.1.4.1.1466.115.121.1.27 | Valid values for this attribute are numbers. |
JPEG | 1.3.6.1.4.1.1466.115.121.1.28 | Valid values for this attribute are JPEG files. |
Name | 1.3.6.1.4.1.1466.115.121.1.34 | Valid values for this attribute are names or optional UIDs. |
OID | 1.3.6.1.4.1.1466.115.121.1.38 | A unique object identifier. |
Printable String | 1.3.6.1.4.1.1466.115.121.1.44 | A string that does NOT allow extended characters. Values for this attribute are not case-sensitive. |
Telephone Number | 1.3.6.1.4.1.1466.115.121.1.50 | Values for this attribute are in the form of telephone numbers. |
As of 11g Release 1 (11.1.1), you can create aliases for attribute names. For example, you could create the user-friendly alias surname for the attribute sn. Once you create an alias for an attribute name, a user can specify the alias instead of the attribute name in an LDAP operation.
You define an alias for an attribute in the LDAP schema definition of the attribute. The directory schema operational attribute attributeTypes has been enhanced to allow you to include aliases in the attribute name list. In previous releases, the format for an attribute name list was:
attributeTypes=( ObjectIdentifier NAME 'AttributeName' ... )
As of 11g Release 1 (11.1.1), you may optionally specify:
attributeTypes=( ObjectIdentifier NAME ( 'AttributeName' 'Alias1' 'Alias2' ...) ... )
This is consistent with the LDAP protocol as specified by RFC 2251 and RFC 2252. In the attribute name list, the first item is recognized as the name of the attribute and the rest of the items in the list are recognized as attribute aliases. For example, to specify the alias surname for the attribute sn, you would change the schema definition for sn from:
attributeTypes=( 2.5.4.4 NAME 'sn' SUP name )
to:
attributeTypes=( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
See Also:
For more information regarding attribute alias rules, managing attribute aliases using command-line tools, and using attribute aliases, refer to the "Attribute Aliases In the Directory" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Matching rules are the rules for matching two attribute values that comply with the same attribute syntax. Oracle Internet Directory recognizes the following matching rule definitions in the schema.
accessDirectiveMatch
IntegerMatch
bitStringMatch
numericStringMatch
caseExactMatch
objectIdentifierFirstComponentMatch
caseExactIA5Match
ObjectIdentifierMatch
caseIgnoreIA5Match
OctetStringMatch
caseIgnoreListMatch
presentationAddressMatch
caseIgnoreMatch
protocolInformationMatch
caseIgnoreOrderingMatch
telephoneNumberMatch
distinguishedNameMatch
uniqueMemberMatch
generalizedTimeMatch
generalizedTimeOrderingMatch
orclpkimatchingrule
Of the matching rules in the previous list, Oracle Internet Directory actually enforces the following when it compares attribute values:
distinguishedNameMatch
caseExactMatch
caseIgnoreMatch
numericStringMatch
IntegerMatch
telephoneNumberMatch
orclpkimatchingrule
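The difference between "recognized" and "enforced" matching rules is easiest to see by running comparisons through the rules Oracle Internet Directory actually applies. The following is an added example, not code from Oracle or from this chapter: it implements the equality normalisation for six of the seven enforced rules in Python (orclpkimatchingrule is proprietary and not described here, so it is left out). The folding steps follow the generic LDAP definitions of these rules (case and insignificant-space handling for caseIgnoreMatch/caseExactMatch, digits-only for numericStringMatch, spaces and hyphens ignored for telephoneNumberMatch, RFC 4514 style DN parsing for distinguishedNameMatch); the exact internal folding Oracle Internet Directory performs, and the function names, are assumptions.

```python
"""Equality matching under the rules Oracle Internet Directory enforces.

Added example; the normalisation follows the generic LDAP matching-rule
definitions and is an assumption about what the server does internally.
"""
import re
from typing import Callable, Dict, Tuple


def _fold_case_ignore(value: str) -> str:
    # caseIgnoreMatch: letter case and runs of whitespace are insignificant.
    return re.sub(r"\s+", " ", value.strip()).casefold()


def _fold_case_exact(value: str) -> str:
    # caseExactMatch: whitespace is still insignificant, letter case is not.
    return re.sub(r"\s+", " ", value.strip())


def _fold_numeric(value: str) -> str:
    # numericStringMatch: spaces are ignored; anything but digits is rejected.
    digits = value.replace(" ", "")
    if not digits.isdigit():
        raise ValueError(f"not a numeric string: {value!r}")
    return digits


def _fold_integer(value: str) -> int:
    # IntegerMatch: compare as integers, so "0042" and "42" are equal.
    return int(value.strip())


def _fold_telephone(value: str) -> str:
    # telephoneNumberMatch: spaces and hyphens are insignificant.
    return re.sub(r"[ \-]", "", value)


def _split_unescaped(text: str, sep: str) -> list:
    # Split on sep unless it is escaped with a backslash (RFC 4514 escaping),
    # so "cn=Smith\, Bill,dc=x" yields two RDNs, not three.
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def _fold_dn(dn: str) -> Tuple[Tuple[Tuple[str, str], ...], ...]:
    # distinguishedNameMatch: attribute types are case-insensitive, values are
    # folded with caseIgnoreMatch (Directory String), spacing around separators
    # is ignored, and the AVAs of a multi-valued RDN are order-independent.
    if not dn.strip():
        return ()
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, eq, attr_value = ava.partition("=")
            if not eq or not attr_type.strip():
                raise ValueError(f"malformed RDN: {rdn!r}")
            avas.append((attr_type.strip().casefold(), _fold_case_ignore(attr_value)))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


# The rules listed as enforced in this chapter, minus orclpkimatchingrule.
ENFORCED_RULES: Dict[str, Callable[[str], object]] = {
    "distinguishedNameMatch": _fold_dn,
    "caseExactMatch": _fold_case_exact,
    "caseIgnoreMatch": _fold_case_ignore,
    "numericStringMatch": _fold_numeric,
    "IntegerMatch": _fold_integer,
    "telephoneNumberMatch": _fold_telephone,
}


def values_match(rule: str, a: str, b: str) -> bool:
    """True when a and b are equal under the named matching rule."""
    if rule not in ENFORCED_RULES:
        raise ValueError(f"matching rule not implemented here: {rule}")
    fold = ENFORCED_RULES[rule]
    return fold(a) == fold(b)


if __name__ == "__main__":
    print(values_match("caseIgnoreMatch", "Bill  Smith", "bill smith"))
    print(values_match("distinguishedNameMatch",
                       "CN=Bill Smith, OU=People,dc=example,dc=com",
                       "cn=bill smith,ou=people,DC=Example,DC=com"))
```

The practical point for access control and account matching: an attribute whose EQUALITY rule is caseIgnoreMatch (the Directory String default) treats "BSmith" and "bsmith" as the same value, so uniqueness and ACL subject comparisons on such attributes are case-insensitive whether or not the application expects that; only attributes defined with caseExactMatch distinguish the two.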
Attribute syntax does not put any specific size constraint on attribute values. You can, however, specify the size of the attribute value when defining the attribute. Some attributes in Oracle Internet Directory have size constraints defined; however, the length characteristics of an attribute are not enforced.
For example, this syntax limits the attribute foo size to 64, but this size limit is not enforced in Oracle Internet Directory:
(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 'object_identifier_of_syntax{64}' )
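The attributeTypes format shown in the alias section above and the {64} length suffix shown here are both part of the same RFC 2252 grammar, so one parser covers both. The following is an added example, not code from Oracle or from this chapter: a Python parser for an attributeTypes definition that returns the OID, the primary name, the alias list, the matching rules, the syntax OID and the advisory length suffix, plus a small lookup that answers whether a client-supplied name resolves to the attribute through an alias. It assumes Oracle Internet Directory's schema strings follow the RFC 2252 grammar the chapter says they are consistent with; the class and function names are mine, and the OIDs in the sample definitions other than 2.5.4.4 are constructed.

```python
"""Parser for LDAP attributeTypes definitions with NAME alias lists.

Added example; not Oracle code. Assumes the RFC 2252 attribute type grammar.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AttributeTypeDef:
    oid: str
    name: Optional[str] = None                        # first item of NAME
    aliases: List[str] = field(default_factory=list)  # remaining NAME items
    desc: Optional[str] = None
    sup: Optional[str] = None
    equality: Optional[str] = None
    ordering: Optional[str] = None
    substr: Optional[str] = None
    syntax: Optional[str] = None        # syntax OID without any {len} suffix
    max_length: Optional[int] = None    # the {len} suffix; advisory only here
    single_value: bool = False
    no_user_modification: bool = False
    usage: str = "userApplications"     # the default when USAGE is absent

    def answers_to(self, requested: str) -> bool:
        """True if a client may refer to this attribute as `requested`
        (the primary name or any alias, compared case-insensitively)."""
        wanted = requested.casefold()
        candidates = [self.name] + self.aliases if self.name else self.aliases
        return any(wanted == c.casefold() for c in candidates)


# Tokens: parentheses, single-quoted strings, or bare words (OIDs, keywords).
_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")
# noidlen: a numeric OID optionally followed by {len}.
_SYNTAX = re.compile(r"^([0-9.]+)(?:\{(\d+)\})?$")


def tokenize(definition: str) -> List[str]:
    """Accept both '( ... )' and the 'attributeTypes=( ... )' spelling."""
    text = definition.strip()
    if text.lower().startswith("attributetypes="):
        text = text[len("attributetypes="):]
    return _TOKEN.findall(text)


def _unquote(token: str) -> str:
    if len(token) >= 2 and token[0] == token[-1] == "'":
        return token[1:-1]
    return token


def _read_list(tokens: List[str], i: int) -> Tuple[List[str], int]:
    """Read one item, or a parenthesised list of items, starting at index i."""
    if i >= len(tokens) or tokens[i] == ")":
        raise ValueError("keyword is missing its value")
    if tokens[i] != "(":
        return [_unquote(tokens[i])], i + 1
    items, i = [], i + 1
    while i < len(tokens) and tokens[i] != ")":
        items.append(_unquote(tokens[i]))
        i += 1
    if i >= len(tokens) or not items:
        raise ValueError("empty or unterminated list")
    return items, i + 1


def parse_attribute_type(definition: str) -> AttributeTypeDef:
    tokens = tokenize(definition)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("definition must have the form '( oid ... )'")
    at = AttributeTypeDef(oid=tokens[1])
    i = 2
    while i < len(tokens) - 1:
        kw = tokens[i].upper()
        if kw == "NAME":
            # First item is the attribute name, the rest are aliases.
            names, i = _read_list(tokens, i + 1)
            at.name, at.aliases = names[0], names[1:]
        elif kw in ("DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "USAGE"):
            values, i = _read_list(tokens, i + 1)
            setattr(at, kw.lower(), values[0])
        elif kw == "SYNTAX":
            values, i = _read_list(tokens, i + 1)   # quoted or bare noidlen
            m = _SYNTAX.match(values[0])
            if not m:
                raise ValueError(f"bad SYNTAX value: {values[0]!r}")
            at.syntax = m.group(1)
            at.max_length = int(m.group(2)) if m.group(2) else None
        elif kw in ("SINGLE-VALUE", "NO-USER-MODIFICATION", "OBSOLETE", "COLLECTIVE"):
            if kw in ("SINGLE-VALUE", "NO-USER-MODIFICATION"):
                setattr(at, kw.lower().replace("-", "_"), True)
            i += 1
        elif kw.startswith("X-"):
            _, i = _read_list(tokens, i + 1)   # vendor extension: values skipped
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    return at
```

Because the length suffix is parsed into max_length but nothing in the server enforces it, a client that needs a hard limit on, say, a description field has to validate the value itself before the add or modify; the parsed definition gives it the number to validate against.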
Single-Valued and Multi-Valued Attributes
By default, most attributes are multi-valued. This means that an entry can contain the same attribute with multiple values. For single-valued attributes, only one instance of the attribute can be specified in an entry. For example, the attribute orclObjectGUID can have only one value.
Attribute Usage defines how the attribute is used in the directory. The attribute usage types are:
User applications attribute: the default attribute usage if not explicitly defined for the attribute.
System operational attribute: attributes that control the operation of the directory itself.
See Also:
"Managing System Operational Attributes" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory
Attributes that are designated as "not user modifiable" can only be modified by the directory server. They cannot be modified by any other user or process.
As an LDAP Version 3 directory, Oracle Internet Directory extends the standard LDAP operations by using controls. These are extra pieces of information carried along with existing operations, altering the behavior of the operation. When a client application passes a control along with the standard LDAP command, the behavior of the commanded operation is altered accordingly.
The controls supported by Oracle Internet Directory 11g Release 1 (11.1.1) are listed in Table 6-2, "Request Controls Supported by Oracle Internet Directory" and Table 6-3, "Response Controls Supported by Oracle Internet Directory".
Table 6-2 Request Controls Supported by Oracle Internet Directory
Object Identifier | Name | Description |
---|---|---|
2.16.840.1.113730.3.4.18 |
Proxy Authorization |
Allows an LDAP client application to bind to Oracle Internet Directory server with its own identity and then to perform operations on behalf of another user or on behalf of multiple users. This control can improve performance especially for proxy operations performed on behalf of multiple users. The LDAP operation does not require a rebind for each user. For example, consider this scenario:
Considerations for the Proxy Authorization control are:
|
1.3.6.1.4.1.42.2.27.8.5.1 |
Password Policy |
Allows an LDAP client to request information from Oracle Internet Directory server about the current password policy state for a user. If a password policy is applicable, a client can send this control with these operations:
Other operations such as The password policy request control does not have a The password policy is typically applied to the single-valued attribute For more information, see "Password Policy for LDAP Directories" at this location:
|
2.16.840.1.113730.3.4.3 |
Persistent Search |
Allows an LDAP client to send a persistent search request to Oracle Internet Directory server. A persistent search operation is an enhanced search that continues after the initial search results are returned by the server to the client. After the initial search is finished, the connection to the server is kept alive until the client unbinds or abandons the operation. The client can track changes for entries in the search scope and receive an Entry Change Notification response control if an entry is modified. The definition for this control is: PersistentSearch ::= SEQUENCE { controlType 2.16.840.1.113730.3.4.3 changeTypes INTEGER, changesOnly BOOLEAN, returnECs BOOLEAN } For a description of these fields, see: |
2.16.840.1.113894.1.8.39 |
Computed Attribute Value Uniqueness |
Allows computed attribute value uniqueness for an entry-based combination of multiple attribute values. Usually, attribute uniqueness is configured only for a single attribute. An application that requires uniqueness for a combination of attribute values can send this control, and Oracle Internet Directory server ensures that the computed attribute value is unique across the directory during an operation such as If an entry with the computed value already exists, Oracle Internet Directory server returns the LDAP error code: LDAP_ALREADY_EXISTS = 0x44. For example, in a multi-tenant environment, the UID attribute of a user must be unique for a specific tenant but not necessarily unique across the directory. An application creates an LDAP entry with a computed attribute named TenantID_UID, where TenantID is the identifier of the tenant and UID is the attribute. The application that creates the LDAP entry sends this control, and if an entry with the computed attribute value already exists, Oracle Internet Directory server returns the LDAP_ALREADY_EXISTS error code. |
2.16.840.1.113730.3.4.9 |
OID_SEARCH_VLV_REQ_CONTROL |
Allows a client to specify that the server return, for a given LDAP search, a contiguous subset of a large search result set. It can be used to go through the search results one page at a time, which allows a client to retrieve results more quickly and prevents the client from needing to store too many search results at a time. The server returns the OID_SEARCH_VLV_RES_CONTROL 2.16.840.1.113730.3.4.10. The OID_SEARCH_VLV_REQ_CONTROL works only in conjunction with the SORT control (ldapsearch -T argument). If you do not include a SORT control, the request returns LDAP error code 53 - Search operation with VLV request control is missing SORT request control. The SORT control can contain any sort specification valid for the server. When the SORT control is used with the OID_SEARCH_VLV_REQ_CONTROL, the server does not return the complete set of sorted search results, but instead returns a contiguous subset of those entries specified in the control using a target entry as a reference point for results. For more information, see "LDAP Extensions for Scrolling View Browsing of Search Results" at |
1.2.840.113556.1.4.319 |
OID_SEARCH_PAGING_CONTROL |
See the "Extensions to the LDAP Protocol" chapter in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management |
1.2.840.113556.1.4.473 |
OID_SEARCH_SORTING_REQUEST_CONTROL |
See the "Extensions to the LDAP Protocol" chapter in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management |
2.16.840.1.113730.3.4.2 |
GSL_MANAGE_DSA_CONTROL |
Used to manage referrals, dynamic groups, and alias objects in Oracle Internet Directory. For more information, see RFC 3296, "Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories," at |
2.16.840.1.113894.1.8.1 |
OID_RESET_PROXYCONTROL_IDENTITY |
Used to perform a proxy switch of an identity on an established LDAP connection. For example, suppose that Application A connects to the directory server and then wishes to switch to Application B. It can simply do a rebind by supplying the credentials of Application B. However, there are times when the proxy mechanism for the application to switch identities could be used even when the credentials are not available. With this control, Application A can switch to Application B provided Application A has the privilege in Oracle Internet Directory to proxy as Application B. |
2.16.840.1.113894.1.8.2 |
OID_APPLYUSEPASSWORD_POLICY |
Sent by applications that require Oracle Internet Directory to check for account lockout before sending the verifiers of the user to the application. If Oracle Internet Directory detects this control in the verifier search request and the user account is locked, then Oracle Internet Directory does not send the verifiers to the application. It sends an appropriate password policy error. |
2.16.840.1.113894.1.8.3 |
CONNECT_BY |
See the "Extensions to the LDAP Protocol" chapter in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management |
2.16.840.1.113894.1.8.4 |
OID_CLIENT_IP_ADDRESS |
Intended for a client to send the end user IP address if IP lockout is to be enforced by Oracle Internet Directory. |
2.16.840.1.113894.1.8.5 |
GSL_REQDATTR_CONTROL |
Used with dynamic groups. Directs the directory server to read the specific attributes of the members rather than the membership lists. |
2.16.840.1.113894.1.8.6 |
PasswordStatusRequestControl |
When packaged as part of the LDAP Bind/Compare operation request, this control causes the server to generate a password policy response control. The actual response control depends on the situation. Cases include imminent password expiration, number of grace logins remaining, password expired, and account locked. |
2.16.840.1.113894.1.8.14 |
OID_DYNAMIC_VERIFIER_REQUEST_CONTROL |
The request control that the client sends when it wants the server to create a dynamic password verifier. The server uses the parameters in the request control to construct the verifier. |
2.16.840.1.113894.1.8.16 |
AccountStatusRequestControl |
When packaged with the LDAP search operation associated with the authentication process, Oracle Internet Directory returns a password policy response control to inform the client application of account state information such as account lockout and password expiration. The application can then parse and enforce the results. |
2.16.840.1.113894.1.8.23 |
GSL_CERTIFICATE_CONTROL |
Certificate search control. The request control that the client sends to specify how to search for a user certificate. See the appendix "Searching the Directory for User Certificates" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. |
2.16.840.1.113894.1.8.29 |
EffectivePolicyControl |
This control is packaged as part of an LDAP base search, where the base DN is that of the user entry being tested. The entry need not exist in the directory at the time. Passing this control results in the return of the LDAP entry describing the applicable password policy, assuming the entity performing the search has the access rights to view the password policy entry. If the desired password is provided as the optional testPassword parameter, the directory server returns the response control 2.16.840.1.113894.1.8.32. |
2.16.840.1.113894.1.8.36 |
DelSubtreeControl |
When this control is sent with a delete operation, it causes the deletion of the entire subtree below the DN provided. Any user having necessary privileges can perform this operation. |
1.2.840.113556.1.4.805 |
DelSubtreeControl |
When this control is sent with a delete operation, it causes the deletion of the entire subtree below the DN provided. Any user having necessary privileges can perform this operation. |
1.3.6.1.1.21.2 |
Transaction Specification Control |
This is an LDAPControl indicating association of an operation to a transaction by means of the transaction identifier, which is the value of this control. Its criticality is |
Table 6-3 Response Controls Supported by Oracle Internet Directory
Object Identifier | Name | Description |
---|---|---|
1.3.6.1.4.1.42.2.27.8.5.1 |
Password Policy |
Response control that the Oracle Internet Directory server returns to an LDAP client in response to the Password Policy request control. The response control value is encoded as follows: PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER (0 .. maxInt), graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL, error [1] ENUMERATED { passwordExpired (0), accountLocked (1), changeAfterReset (2), passwordModNotAllowed (3), mustSupplyOldPassword (4), insufficientPasswordQuality (5), passwordTooShort (6), passwordTooYoung (7), passwordInHistory (8) } OPTIONAL } The server sends either an error or warning in the password policy response control (but not both). Error codes are described in:
Control criticality is not returned in the response. If the password policy is not violated, the server does not send a response. |
2.16.840.1.113730.3.4.7 |
Entry Change Notification |
Returned by the Oracle Internet Directory server to an LDAP client in response to a Persistent Search control that has the The definition for this control is: EntryChangeNotification ::= SEQUENCE { controlType 2.16.840.1.113730.3.4.7 changeType ENUMERATED { add (1), delete (2), modify (4), modDN (8) }, previousDN LDAPDN OPTIONAL, -- modifyDN ops. only changeNumber INTEGER OPTIONAL -- if supported } For a description of these fields, see: |
2.16.840.1.113730.3.4.10 |
OID_SEARCH_VLV_RES_CONTROL |
The server sends this control in response to an OID_SEARCH_VLV_REQ_CONTROL 2.16.840.1.113730.3.4.9. |
2.16.840.1.113894.1.8.7 |
OID_PASSWORD_EXPWARNING_CONTROL |
Password policy control. Response control that the server sends when the pwdExpireWarning attribute is enabled and the client sends the request control. The response control value contains the time in seconds to password expiration. |
2.16.840.1.113894.1.8.8 |
OID_PASSWORD_GRACELOGIN_CONTROL |
Password policy control. The response control that the server sends when grace logins are configured and the client sends a request control. The response control value contains the remaining number of grace logins. |
2.16.840.1.113894.1.8.20 |
OID_PWDEXPIRED_CONTROL |
Password policy control. The response control that the server sends when the password has expired, there are no grace logins remaining, and the client sends a request control. |
2.16.840.1.113894.1.8.9 |
OID_PASSWORD_MUSTCHANGE_CONTROL |
Password policy control. The response control that the server sends when forced password reset is enabled and the client sends the request control. The client must force the user to change the password upon receipt of this control. |
2.16.840.1.113894.1.8.15 |
OID_DYNAMIC_VERIFIER_RESPONSE_CONTROL |
The response control that the server sends to the client when an error occurs. The response control contains the error code. |
2.16.840.1.113894.1.8.32 |
PasswordValidationControl |
The server sends this in response to control 2.16.840.1.113894.1.8.29 when the desired password is provided as the optional testPassword parameter. A client application can parse the validationResult to determine whether the password can be accepted by the server ("Success") or the reason it has been rejected. The same type of error message generated during a failed LDAP modify operation on userpassword is returned as the value. |
2.16.840.1.113894.1.8.37 |
OID_SEARCH_DYNGRP_STATIC_UMEM |
When you send a query with filter |
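A client only benefits from the Password Policy response control (1.3.6.1.4.1.42.2.27.8.5.1, Table 6-3) if it can decode the BER-encoded PasswordPolicyResponseValue shown in that row and act on accountLocked, passwordExpired and the expiry warnings rather than treating every bind failure alike. The following is an added example, not code from Oracle or from this chapter: a standard-library Python decoder for that value, with a matching encoder used to build test inputs. The tag layout (0x30 for the SEQUENCE, warning as explicit context tag 0xA0 wrapping 0x80/0x81 for the two CHOICE alternatives, error as implicit context tag 0x81) is the usual LDAP reading of the ASN.1 in the table and is my assumption, as are the function names; the byte strings in the comments are constructed.

```python
"""Decode and build PasswordPolicyResponseValue (control 1.3.6.1.4.1.42.2.27.8.5.1).

Added example; not Oracle code. Tagging is assumed to follow LDAP's
IMPLICIT TAGS convention, with warning [0] explicit because it wraps a CHOICE.
"""
from typing import Optional, Tuple

PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
TAG_SEQUENCE = 0x30   # outer SEQUENCE
TAG_WARNING = 0xA0    # warning [0], constructed (explicit, wraps the CHOICE)
TAG_TIME = 0x80       # timeBeforeExpiration [0] INTEGER, inside warning
TAG_GRACE = 0x81      # graceAuthNsRemaining [1] INTEGER, inside warning
TAG_ERROR = 0x81      # error [1] ENUMERATED, at the outer level


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("invalid DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER contents")
    return tag, data[pos:pos + length], pos + length


def _encode_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_int(v: int) -> bytes:
    # Minimal two's-complement encoding, as DER requires for INTEGER/ENUMERATED.
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> dict:
    """Return {"warning": (kind, n) | None, "error": name | None}."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            ctag, cval, cend = _read_tlv(inner, 0)
            if cend != len(inner):
                raise ValueError("trailing bytes inside warning")
            n = int.from_bytes(cval, "big", signed=True)
            if ctag == TAG_TIME:
                result["warning"] = ("timeBeforeExpiration", n)
            elif ctag == TAG_GRACE:
                result["warning"] = ("graceAuthNsRemaining", n)
            else:
                raise ValueError(f"unknown warning alternative 0x{ctag:02x}")
        elif tag == TAG_ERROR:
            code = int.from_bytes(inner, "big", signed=True)
            result["error"] = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    if result["warning"] is not None and result["error"] is not None:
        # The chapter states the server sends a warning or an error, not both.
        raise ValueError("both warning and error present")
    return result


def encode_ppolicy_response(warning: Optional[Tuple[str, int]] = None,
                            error: Optional[str] = None) -> bytes:
    """Build a control value; warning is (kind, n), error is a PPOLICY_ERRORS name."""
    parts = b""
    if warning is not None:
        kind, n = warning
        ctag = {"timeBeforeExpiration": TAG_TIME, "graceAuthNsRemaining": TAG_GRACE}[kind]
        parts += _encode_tlv(TAG_WARNING, _encode_tlv(ctag, _encode_int(n)))
    if error is not None:
        code = next(k for k, v in PPOLICY_ERRORS.items() if v == error)
        parts += _encode_tlv(TAG_ERROR, _encode_int(code))
    return _encode_tlv(TAG_SEQUENCE, parts)


if __name__ == "__main__":
    # Constructed sample: 30 03 81 01 01 is "error accountLocked".
    print(decode_ppolicy_response(bytes.fromhex("3003810101")))
    # Constructed sample: 30 06 A0 04 80 02 0E 10 is "3600 s before expiration".
    print(decode_ppolicy_response(bytes.fromhex("3006a00480020e10")))
```

Treating a decode failure as a hard error rather than ignoring the control is deliberate: a client that silently drops a malformed or unexpected value will also miss an accountLocked error, and the decoder is the one place where the "warning or error, never both" rule from the table can be checked.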
This section lists the Oracle Identity Management schema elements by category. Each category contains a list of applicable LDAP object classes and attributes that link to the detailed information for the specified attribute or object class. The schema elements are grouped into the following categories:
Section 6.2.2, "Oracle Internet Directory Configuration Schema Elements"
Section 6.2.5, "Oracle Directory Replication Schema Elements"
Section 6.2.6, "Oracle Directory Integration and Provisioning Schema Elements"
Section 6.2.7, "Oracle Delegated Administration Services Schema Elements"
Section 6.2.8, "Oracle Application Server Certificate Authority and PKI Schema Elements"
Section 6.2.13, "User, Group, and Subscriber Schema Elements"
System operational schema elements are those used by the directory server. System operational object classes are used by the directory server to create entries that pertain to directory server operations. Certain system operational attributes may be available for use on every entry in the directory, regardless of whether they are defined for the object class of the entry. This section contains the following topics:
This section lists the operational attributes and object classes for the directory schema.
attributeTypes, contentRules, ldapSyntaxes, matchingRules, objectClasses
This section lists the operational attributes for access control.
This section lists the operational attributes for change logs.
createTimestamp, creatorsName, modifiersName, modifyTimestamp
This section lists the operational attributes for password policy.
orclPwdAccountUnlock, orclPwdIPAccountLockedTime, orclPwdIPFailureTime, orclRevPwd, orclUnsyncRevPwd, pwdAccountLockedTime, pwdChangedTime, pwdExpirationWarned, pwdFailureTime, pwdGraceUseTime, pwdHistory, pwdReset
This section lists the schema elements that pertain to the configuration of Oracle Internet Directory. It contains the following topics:
This section lists the attributes and object classes that pertain to the configuration of Oracle Internet Directory server.
namingContexts, orclAnonymousBindsFlag, orclCatalogEntryDN, orclCompatibleVersion, orclCryptoScheme, orclDBType, orclDebugFlag, orclDebugForceFlush, orclDebugOp, orclDIPRepository, orclDirectoryVersion, orclDITRoot, orclEcacheEnabled, orclEcacheMaxEntries, orclEcacheMaxSize, orclEnableGroupCache, orclEventLevel, orclGUPassword, orclHostname, orclIndexedAttribute, orclIpAddress, orclLDAPConnTimeout, orclMatchDnEnabled, orclMaxCC, orclNonSSLPort, orclNormDN, orclNwrwTimeout, orclPKIMatchingRule, orclPrName, orclPrPassword, orclReplAgreements, orclReplicaID, orclSASLAuthenticationMode, orclSASLCipherChoice, orclSASLMechanism, orclsDumpFlag, orclServerMode, orclServerProcs, orclSizeLimit, orclSkewedAttribute, orclSkipRefInSQL, orclSSLAuthentication, orclSSLCipherSuite, orclSSLEnable, orclSSLPort, orclSSLVersion, orclSSLWalletURL, orclStatsDN, orclStatsFlag, orclStatsLevel, orclStatsOp, orclStatsPeriodicity, orclSUAccountLocked, orclSuffix, orclSULoginFailureCount, orclSUName, orclSUPassword, orclTimeLimit, orclTLimitMode, orclUpgradeInProgress
orclDSAConfig, orclIndexOC, orclLDAPInstance, orclLDAPSubConfig, subentry, subregistry
This section lists the attributes and object classes that pertain to the configuration of the Oracle Context.
orclCommonAutoRegEnabled, orclCommonContextMap, orclCommonDefaultUserCreateBase, orclCommonGroupCreateBase, orclCommonNamingAttribute, orclCommonNicknameAttribute, orclCommonSASLRealm, orclCommonUserSearchBase, orclDefaultSubscriber, orclProductVersion, orclSubscriberNickNameAttribute, orclSubscriberSearchBase, orclUserObjectClasses, orclVersion
orclCommonAttributes, orclCommonAttributesV2, orclRootContext, orclSchemaVersion
This section lists the attributes and object classes that pertain to the configuration of Oracle Network Services.
labeledURI, orclActiveEndDate, orclActiveStartdate, orclAssocDB, orclAssocIasInstance, orclEnabled, orclFlexAttribute1, orclIsEnabled, orclMasterNode, orclNetDescName, orclNetDescString, orclOracleHome, orclServiceInstanceLocation, orclServiceMember, orclServiceSubscriptionLocation, orclServiceSubType, orclServiceType, orclSID, orclSuiteType, orclSystemName, orclVersion
orclService, orclServiceInstance, orclServiceInstanceReference, orclServiceRecipient, orclServiceSuite, orclServiceSubscriptionDetail
This section lists the attributes and object classes that pertain to the configuration of garbage collection.
orclPurgeBase, orclPurgeDebug, orclPurgeEnable, orclPurgeFileLoc, orclPurgeFileName, orclPurgeFilter, orclPurgeInterval, orclPurgeNow, orclPurgePackage, orclPurgeStart, orclPurgeTargetAge, orclPurgeTranSize
This section lists the attributes and object classes that pertain to the configuration of attribute uniqueness.
orclUniqueAttrName, orclUniqueEnable, orclUniqueObjectClass, orclUniqueScope, orclUniqueSubtree
This section lists the attributes and object classes that pertain to audit logs and error logs.
orclAuditAttribute, orclAuditMessage, orclDBConnCreationFailed, orclDNSUnavailable, orclEventTime, orclEventType, orclFDIncreaseError, orclMaxFDLimitReached, orclMaxProcessLimitReached, orclMemAllocError, orclNWCongested, orclNwUnavailable, orclOpResult, orclORA28error, orclORA3113error, orclORA3114error, orclSequence, orclThreadSpawnFailed, orclUserDN
orclAuditOC, orclEventLog, orclEvents, orclSysResourceEvents
This section lists the schema elements for Oracle Internet Directory server manageability statistics.
orclACLResultsLatency, orclActiveConn, orclActiveThreads, orclAttrACLEvalLatency, orclAuditMessage, orclBERgenLatency, orclDBLatency, orclDIMEonlyLatency, orclEcacheHitRatio, orclEcacheNumEntries, orclEcacheSize, orclEntryACLEvalLatency, orclEventTime, orclEventType, orclFilterACLEvalLatency, orclFrontLatency, orclGenObjLatency, orclGetNearACLLatency, orclHostname, orclIdleConn, orclIdleThreads, orclInitialServerMemSize, orclIpAddress, orclLDAPInstanceID, orclLDAPProcessID, orclOpAbandoned, orclOpCompleted, orclOpenConn, orclOpFailed, orclOpInitiated, orclOpLatency, orclOpPending, orclOpResult, orclOpSucceeded, orclOpTimedOut, orclQueueDepth, orclQueueLatency, orclReadWaitThreads, orclSequence, orclServerAvgMemGrowth, orclSMSpec, orclSQLexeFetchLatency, orclSQLGenReusedParsed, orclTcpConnToClose, orclTcpConnToShutDown, orclTotFreePhyMem, orclTraceDimesionLevel, orclTraceFileLocation, orclTraceFileSize, orclTraceLevel, orclTraceMode, orclUserDN, orclWriteWaitThreads
orclGeneralStats, orclHealthStats, orclPerfStats, orclSecRefreshEvents, orclSM, orclTraceConfig, orclUserStats
This section lists the schema elements for directory replication.
orclAgreementId, orclChangeLogLife, orclChangeRetryCount, orclCompatibleVersion, orclDirReplGroupAgreement, orclDirReplGroupDSAs, orclExcludedAttributes, orclExcludedNamingContexts, orclHIQSchedule, orclHostname, orclIncludedNamingContexts, orclLastAppliedChangeNumber, orclLDAPConnKeepALive, orclPilotMode, orclPurgeSchedule, orclReplicaDN, orclReplicaID, orclReplicaSecondaryURI, orclReplicaState, orclReplicationProtocol, orclReplicaType, orclReplicaURI, orclReplicaVersion, orclThreadsPerSupplier, orclUpdateSchedule, pilotStartTime
orclReplAgreementEntry, orclReplInstance, orclReplicaSubentry, orclReplNameCtxConfig, orclReplSubConfig
This section lists the schema elements for Oracle Directory Integration and Provisioning. It contains the following topics:
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning applications.
orclApplicationType, orclInterval, orclODIPAgent, orclODIPApplicationName, orclODIPCommand, orclODIPDbConnectInfo, orclODIPEventSubscriptions, orclOwnerGUID, orclStatus, orclVersion
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning change logs.
orclLastAppliedChangeNumber, orclSubscriberDisable, serverName, userPassword
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning events and objects.
orclODIPAttributeMappingRules, orclODIPEventFilter, orclODIPFilterAttrCriteria, orclODIPMustAttrCriteria, orclODIPObjectCriteria, orclODIPObjectEvents, orclODIPObjectName, orclODIPObjectSyncBase, orclODIPOperationMode, orclODIPOptAttrCriteria, orclODIPProvEventCriteria, orclODIPProvEventLDAPChangeType, orclODIPProvEventObjectType, orclODIPProvEventRule, orclODIPProvEventRuleDTD, orclStatus
orclODIPEventContainer, orclODIPObject, orclODIPProvEventDefn, orclODIPProvEventTypeConfig
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning plug-ins and interfaces.
orclODIPPluginAddInfo, orclODIPPluginConfigInfo, orclODIPPluginEvents, orclODIPPluginExecData, orclODIPPluginExecName, orclODIPProfileProvSubscriptionMode, orclODIPProfileStatusUpdate, orclODIPProvInterfaceFilter, orclODIPProfileInterfaceType, orclODIPProvInterfaceProcessor, orclStatus
orclODIPProvInterfaceDetails, orclODIPPlugin, orclODIPPluginContainer
This section lists the attributes and object classes for configuring the Oracle Directory Integration and Provisioning server.
cn, orclCompatibleVersion, orclHostname, orclODIPConfigDNs, orclODIPConfigRefreshFlag, orclODIPInstanceStatus, orclODIPProfileExecGroupID, orclODIPSearchCountLimit, orclODIPSearchTimeLimit, orclODIPServerCommitSize, orclODIPServerDebugLevel, orclODIPServerRefreshIntvl, orclODIPServerSSLMode, orclODIPServerWalletLoc, orclSSLEnable, orclVersion, seeAlso, userPassword
orclODIPServerConfig, orclODISConfig, orclODIServer, orclODISInstance
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning synchronization and provisioning profiles.
cn, orclODIPAgentConfigInfo, orclODIPAgentControl, orclODIPAgentExeCommand, orclODIPAgentHostName, orclODIPAgentName, orclODIPAgentPassword, orclODIPAttributeMappingRules, orclODIPBootStrapStatus, orclODIPConDirAccessAccount, orclODIPConDirAccessPassword, orclODIPConDirLastAppliedChgNum, orclODIPConDirMatchingFilter, orclODIPConDirURL, orclODIPEncryptedAttrKey, orclODIPInterfaceType, orclODIPLastExecutionTime, orclODIPLastSuccessfulExecutionTime, orclODIPOIDMatchingFilter, orclODIPProfileDebugLevel, orclODIPProfileExecGroupID, orclODIPProfileInterfaceAdditionalInformation, orclODIPProfileInterfaceConnectInformation, orclODIPProfileInterfaceName, orclODIPProfileInterfaceType, orclODIPProfileInterfaceVersion, orclODIPProfileLastAppliedAppEventID, orclODIPProfileLastProcessingTime, orclODIPProfileLastSuccessfulProcessingTime, orclODIPProfileMaxErrors, orclODIPProfileMaxEventsPerInvocation, orclODIPProfileMaxEventsPerSchedule, orclODIPProfileMaxRetries, orclODIPProfileName, orclODIPProfileProcessingErrors, orclODIPProfileProcessingStatus, orclODIPProfileSchedule, orclODIPProvisioningAppGUID, orclODIPProvisioningAppName, orclODIPProvisioningEventMappingRules, orclODIPProvisioningEventPermittedOperations, orclODIPProvisioningEventSubscription, orclODIPProvisioningOrgGUID, orclODIPProvisioningOrgName, orclODIPSchedulingInterval, orclODIPSynchronizationErrors, orclODIPSynchronizationMode, orclODIPSynchronizationStatus, orclODIPSyncRetryCount, orclPasswordAttribute, orclStatus, orclVersion, userPassword
orclODIPIntegrationProfile, orclODIProfile, orclODIPProvisioningIntegrationProfile, orclODIPProvisioningIntegrationProfileV2, orclODIPProvisioningIntegrationOutBoundProfile, orclODIPProvisioningIntegrationOutBoundProfileV2
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning schema information.
orclODIPApplicationsLocation, orclODIPInstancesLocation, orclODIPObjectDefnLocation, orclODIPProvProfileLocation, orclODIPRootLocation, orclODIPSchemaVersion, orclODIPServerConfigLocation, orclODIPSyncProfileLocation
The following attributes and object classes are used for users that are imported into Oracle Internet Directory from Microsoft Active Directory using Oracle Directory Integration and Provisioning.
orclObjectGUID, orclObjectSID, orclSAMAccountName, orclUserPrincipalName
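The four attributes above carry the Active Directory identity of a synchronized user. The SID is the identifier an incident responder should correlate on, because sAMAccountName and userPrincipalName can be renamed or reassigned while the SID cannot. The following is an added example, not Oracle's code and not part of this reference, that decodes those values back into the forms an Active Directory administrator recognises. It assumes, as an assumption of the example only, that the synchronization profile stored the binary objectSID and objectGUID as hex strings in orclObjectSID and orclObjectGUID; the sample entry is constructed.

```python
import uuid


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary Windows SID into its textual S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then one 4-byte
    little-endian integer per sub-authority.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; used here to build sample data."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += s.to_bytes(4, "little")
    return out


def guid_from_bytes(raw: bytes) -> str:
    """Decode the 16-byte objectGUID, which AD stores mixed-endian (bytes_le)."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


# Constructed sample entry (not from a real directory). The hex encoding of the
# binary AD values is this example's assumption about the synchronization mapping.
SAMPLE_ENTRY = {
    "orclSAMAccountName": "jdoe",
    "orclUserPrincipalName": "jdoe@example.com",
    "orclObjectSID": sid_to_bytes("S-1-5-21-1004336348-1177238915-682003330-1108").hex(),
    "orclObjectGUID": "0102030405060708090a0b0c0d0e0f10",
}


def decode_ad_identity(entry: dict) -> dict:
    """Return the AD identity of a synchronized OID user in its native forms."""
    sid = sid_from_bytes(bytes.fromhex(entry["orclObjectSID"]))
    return {
        "sAMAccountName": entry["orclSAMAccountName"],
        "userPrincipalName": entry["orclUserPrincipalName"],
        "sid": sid,
        "rid": int(sid.rsplit("-", 1)[1]),   # relative identifier, e.g. 500 = built-in Administrator
        "guid": guid_from_bytes(bytes.fromhex(entry["orclObjectGUID"])),
    }


if __name__ == "__main__":
    print(decode_ad_identity(SAMPLE_ENTRY))
```

If the profile stores the raw binary values instead of hex, drop the `bytes.fromhex` calls and feed the bytes directly; the decoding is otherwise the same.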
This section lists the attributes and object classes for Oracle Delegated Administration Services.
orclDASAdminModifiable, orclDASAttrDispOrder, orclDASAttrName, orclDASEnableProductLogo, orclDASEnableSubscriberLogo, orclDASIsEnabled, orclDASIsMandatory, orclDASIsPersonal, orclDASLOV, orclDASPublicGroupDNs, orclDASSearchable, orclDASSearchColIndex, orclDASSearchFilter, orclDASSearchSizeLimit, orclDASSelfModifiable, orclDASUIType, orclDASURL, orclDASURLBase, orclDASValidatePwdReset, orclDASViewable
orclDASAppContainer, orclDASAttrCategory, orclDASConfigAttr, orclDASConfigPublicGroup, orclDASLOVVal, orclDASOperationURL, orclDASSubscriberContainer
This section lists the attributes and object classes that pertain to public key infrastructure (PKI), certificates, and Oracle Application Server Certificate Authority.
orclCertExtensionAttribute, orclCertExtensionOID, orclCertificateHash, orclCertificateMatch, orclCertMappingAttribute, orclPKINextUpdate, orclPKIValMecAttr, x509issuer
This section lists the attributes and object classes that pertain to applications.
authPassword, description, labeledURI, orclAppFullName, orclApplicationCommonName, orclCategory, orclDBSchemaIdentifier, orclOwnerGUID, orclPasswordVerifier, orclResourceIdentifier, orclTrustedApplicationGroup, orclVersion, protocolInformation, seeAlso, userCertificate;binary, userPassword, userPKCS12
orclApplicationEntity, orclAppSpecificUserInfo, orclAppUserEntry
This section lists the attributes and object classes that pertain to resources.
description, displayName, javaClassName, orclConnectionFormat, orclFlexAttribute1, orclFlexAttribute2, orclFlexAttribute3, orclOwnerGUID, orclPasswordAttribute, orclResourceName, orclResourceTypeName, orclResourceViewers, orclUserIDAttribute, orclUserModifiable
This section lists the attributes and object classes for configuring Plug-ins for Oracle Internet Directory.
orclPluginAttributeList, orclPluginCheckEntryExist, orclPluginEnable, orclPluginEntryProperties, orclPluginIsReplace, orclPluginKind, orclPluginLDAPOperation, orclPluginName, orclPluginPort, orclPluginRequestGroup, orclPluginRequestNegGroup, orclPluginResultCode, orclPluginSASLCallBack, orclPluginSearchNotFound, orclPluginShareLibLocation, orclPluginSubscriberDNList, orclPluginTiming, orclPluginType, orclPluginVersion, userPassword
This section lists the attributes and object classes for configuring directory user agents (DUAs).
attributeMap, authenticationMethod, bindTimeLimit, cn, credentialLevel, defaultSearchBase, defaultSearchScope, defaultServerList, followReferrals, objectClass, objectClassMap, preferredServerList, profileTTL, serviceAuthenticationMethod, serviceCredentialLevel, serviceSearchDescriptor
This section lists the attributes and object classes used for users, groups, and subscribers. It contains the following topics:
Oracle Internet Directory uses the standard object classes groupOfNames and groupOfUniqueNames as defined in RFC 2256. In addition to the standard attributes and object classes, the following are also used for groups.
This section lists the attributes and object classes for dynamic groups.
labeledURI, mail, orclConnectByAttribute, orclConnectBySearchBase, orclConnectByStartingValue
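A dynamic group's labeledURI holds an LDAP URL (RFC 4516 syntax: `ldap://host/base?attrs?scope?filter`) whose search result is the membership, so the URL is an authorization rule and deserves the same review as a static member list. The following is an added example, not Oracle's code and not part of this reference, that parses such URLs and applies two heuristic checks of the example's own: a filter that matches every entry, and a subtree search rooted at the naming context. The group entries and the naming context are constructed sample data.

```python
from urllib.parse import unquote

# Naming context of the sample directory; an assumption of this example.
NAMING_CONTEXTS = ("dc=example,dc=com",)

# Constructed dynamic-group entries (sample data, not from a real directory).
SAMPLE_GROUPS = {
    "cn=Eng,cn=Groups,dc=example,dc=com":
        "ldap:///ou=People,dc=example,dc=com??sub?(departmentNumber=4200)",
    "cn=Everyone,cn=Groups,dc=example,dc=com":
        "ldap:///dc=example,dc=com??sub?",                 # no filter at all
    "cn=Admins,cn=Groups,dc=example,dc=com":
        "ldap:///cn=Users,dc=example,dc=com??sub?(objectClass=*)",
}


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into scheme, host, base DN, attributes, scope and filter."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, tail = rest.partition("/")
    fields = tail.split("?")
    fields += [""] * (4 - len(fields))            # pad missing ?attrs?scope?filter
    base, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {
        "scheme": scheme.lower(),
        "host": host,
        "base": base,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",         # RFC 4516 default scope
        "filter": filt or "(objectClass=*)",      # RFC 4516 default filter
    }


def _dn_norm(dn: str) -> str:
    """Cheap DN normalisation for comparison: trim and lowercase each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit_dynamic_group(url: str, naming_contexts=NAMING_CONTEXTS) -> list:
    """Return findings for membership URLs that are broader than they look."""
    u = parse_ldap_url(url)
    findings = []
    if u["filter"].replace(" ", "").lower() == "(objectclass=*)":
        findings.append("filter matches every entry under the base")
    roots = {_dn_norm(n) for n in naming_contexts}
    if u["scope"] == "sub" and _dn_norm(u["base"]) in roots:
        findings.append("subtree search rooted at the naming context")
    return findings


def audit_groups(groups: dict) -> dict:
    """Audit every (group DN -> labeledURI) pair and map DN to its findings."""
    return {dn: audit_dynamic_group(url) for dn, url in groups.items()}


if __name__ == "__main__":
    for dn, findings in audit_groups(SAMPLE_GROUPS).items():
        print(dn, "->", findings or "ok")
```

Feed the function the labeledURI values from an export of the group container; a group whose URL has no filter or whose base is the directory root is effectively "everyone", whatever its cn suggests.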
Oracle Internet Directory uses the standard object classes person, as defined in RFC 2256, and inetOrgPerson, as defined in RFC 2798. In addition to the standard attributes and object classes, the following are also used for users.
authPassword, c, jpegPhoto, krbPrincipalName, middleName, orclActiveEndDate, orclActiveStartdate, orclContact, orclDateOfBirth, orclDefaultProfileGroup, orclDisplayPersonalInfo, orclGender, orclHireDate, orclHostedCreditCardExpireDate, orclHostedCreditCardNumber, orclHostedCreditCardType, orclHostedDunsNumber, orclHostedPaymentTerm, orclIsEnabled, orclIsVisible, orclMaidenName, orclPassword, orclPasswordHint, orclPasswordHintAnswer, orclPasswordVerifier, orclPKCS12Hint, orclSAMAccountName, orclSearchFilter, orclSubscriberFullName, orclSubscriberType, orclTimeZone, orclTxnMaxOperations, orclVersion, orclWirelessAccountNumber, orclWorkflowNotificationPref, userPKCS12
This section lists the attributes and object classes that pertain to password policy configuration.
cn, displayName, orclPwdAllowHashCompare, orclPwdAlphaNumeric, orclPwdEncryptionEnable, orclPwdIllegalValues, orclPwdIPLockout, orclPwdIPLockoutDuration, orclPwdIPMaxFailure, orclPwdPolicyEnable, pwdAllowUserChange, pwdCheckSyntax, pwdExpireWarning, pwdFailureCountInterval, pwdGraceLoginLimit, pwdInHistory, pwdLockout, pwdLockoutDuration, pwdMaxAge, pwdMaxFailure, pwdMinAge, pwdMinLength, pwdMustChange, pwdSafeModify
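The pwd* attributes above follow the LDAP password-policy draft (pwdLockout, pwdMaxFailure, pwdMinLength, pwdInHistory and so on), and orclPwdPolicyEnable switches enforcement of the whole policy entry on or off. A quick way to review a deployment is to export the policy entry as LDIF and check it against a baseline. The following is an added example, not Oracle's code and not part of this reference: a minimal LDIF reader plus an audit of a few settings, shown against a constructed weak policy and a constructed hardened one. The thresholds are the example's own choices, and the policy entry DN and attribute values are sample data.

```python
import base64

# Constructed LDIF exports (sample data, not real OID exports).
WEAK_POLICY_LDIF = """\
dn: cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext
cn: PwdPolicyEntry
description: Default policy for the
  example realm
orclPwdPolicyEnable: 1
pwdLockout: 0
pwdMaxFailure: 10
pwdMinLength: 5
pwdInHistory: 0
pwdExpireWarning: 604800
"""

HARDENED_POLICY_LDIF = """\
dn: cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext
cn: PwdPolicyEntry
orclPwdPolicyEnable: 1
pwdLockout: 1
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdMinLength: 12
pwdInHistory: 10
"""

# Baseline thresholds chosen for this example, not values from the Oracle documentation.
MIN_LENGTH = 8
MAX_FAILURES = 10
MIN_HISTORY = 5


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: {dn: {attribute_lowercase: [values]}}."""
    lines = []
    for raw in text.splitlines():          # unfold continuation lines (leading space)
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:              # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        if line.startswith("#"):
            continue
        if line.startswith("dn:"):
            current = {"dn": line[3:].strip(), "attrs": {}}
            continue
        if current is None:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current["attrs"].setdefault(name.strip().lower(), []).append(value)
    return entries


def _int(attrs, name, default=0):
    vals = attrs.get(name.lower())
    return int(vals[0]) if vals else default


def _bool(attrs, name):
    vals = attrs.get(name.lower())
    return bool(vals) and vals[0].strip().lower() in ("1", "true")


def audit_password_policy(attrs: dict) -> list:
    """Return findings for weak settings in one password-policy entry."""
    findings = []
    if not _bool(attrs, "orclPwdPolicyEnable"):
        findings.append("orclPwdPolicyEnable is off: the policy is not enforced")
    if not _bool(attrs, "pwdLockout"):
        findings.append("pwdLockout is off: online guessing is not throttled")
    else:
        failures = _int(attrs, "pwdMaxFailure")   # 0 means no limit in the draft
        if failures == 0 or failures > MAX_FAILURES:
            findings.append("pwdMaxFailure=%d: lockout threshold unlimited or too high" % failures)
    if _int(attrs, "pwdMinLength") < MIN_LENGTH:
        findings.append("pwdMinLength=%d: below %d" % (_int(attrs, "pwdMinLength"), MIN_LENGTH))
    if _int(attrs, "pwdInHistory") < MIN_HISTORY:
        findings.append("pwdInHistory=%d: recent passwords can be reused" % _int(attrs, "pwdInHistory"))
    return findings


def audit_ldif(text: str) -> dict:
    """Map each policy DN in the LDIF to its list of findings."""
    return {dn: audit_password_policy(attrs) for dn, attrs in parse_ldif(text).items()}


if __name__ == "__main__":
    for label, ldif in (("weak", WEAK_POLICY_LDIF), ("hardened", HARDENED_POLICY_LDIF)):
        for dn, findings in audit_ldif(ldif).items():
            print(label, dn, findings or "ok")
```

Run it over an ldapsearch export of the policy container; entries that fail any check are the ones to look at first, and a realm-specific policy entry that disables lockout overrides the default for that realm.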
This section lists the attributes and object classes that pertain to password verifiers.