6 LDAP Schema Overview
This section contains the following topics:
6.1 Overview of Directory Schema
A directory schema specifies, among other rules, the types of objects that a directory may have and the mandatory and optional attributes of each object type.
The Lightweight Directory Access Protocol (LDAP) version 3 defines a schema based on the X.500 standard for common objects found in a network, such as countries, localities, organizations, people, groups, and devices. In the LDAP v3, the schema is available from the directory. That is, it is represented as entries in the directory and its information as attributes of those entries. This section includes the following topics:
6.1.1 About Object Classes
An object class is an LDAP directory term that denotes the type of object being represented by a directory entry or record. There are also object classes that define an object's relationship to other objects, such as object class top denotes that the object may have subordinate objects under it in a hierarchical tree structure.
Some LDAP object classes may be combined to create an entry in the directory. For example, and entry for a user uses the top, person, organizationalPerson, inetOrgPerson, and orclUserV2 object classes.
Required and Allowed Attributes
The definition of an object class includes a list of required attributes (MUST) and allowed attributes (MAY). Required attributes include the attributes that must be present in entries using the object class. Allowed attributes include the attributes that may be present in entries using the object class.
Object Class Types
The X.500 1993 specification requires that object classes be assigned to one of four categories:
-
Structural: Object classes that can have instances in the directory. Structural classes are used to create directory objects or entries.
-
Abstract: Template object classes that are used only to derive new structural classes. Abstract classes cannot be instantiated in the directory.
-
Auxiliary: A list of attributes that can be appended to the definition of a Structural or Abstract class. An Auxiliary class cannot be instantiated in the directory.
-
88 Classes: Assigning object classes to categories was not required in the X.500 1988 specification. Classes that were defined prior to the X.500 1993 standards, default to the 88 class. Do not define new 88 classes.
Object Class Inheritance
Inheritance, which is also referred to as derivation, is the ability to build new object classes from existing object classes. The new object is defined as a subclass of the parent object. A subclass is a class that inherits from some other class; for example, a subclass inherits structure and content rules from the parent. The parent object becomes a superclass of the new object. A superclass is a class from which one or more other classes inherit information.
6.1.2 Overview of Attributes
Directory data is represented as attribute-value pairs. Any piece of information in the directory is associated with a descriptive attribute.
For example, the cn (commonName) attribute is used to store a nickname. A person named William (Bill) Smith can be represented in the directory as:
cn: Bill Smith
This section contains the following topics:
6.1.2.1 Attribute Name Limitations
The length of an attribute name must not exceed 127 characters. For more information about attribute management, refer to the Understanding Attributes in Administering Oracle Internet Directory.
Oracle Internet Directory imposes no limitations on the characters that can be used in attribute names. Other components of Oracle Identity Management, however, do limit the characters that can be used for certain attributes.
Oracle Delegated Administration Services and Oracle Directory Integration Platform prohibit the use of spaces and of any of the following characters in UserID: & ' % ? \ / + = ( ) * ^ , ; | ' ~
Oracle Application Server Single Sign-On requires that a password should not contain the following characters: & { } < > " ' ( )
6.1.2.2 Attribute Syntax
An attribute syntax is the basic building block of an attribute. Every attribute is assigned a syntax that defines the attribute value's data format. For example, attribute syntaxes determine whether an attribute stores an integer, string, or binary data. The syntax also defines the matching rules that control the type of comparison operations you can perform on the attribute value.
Oracle Internet Directory recognizes attribute syntax as specified in RFC 2252, that is, it enables you to associate the attribute syntax described in that document with an attribute. Oracle Internet Directory enforces attribute syntax for the following types:
-
DN
-
OID (object identifier)
-
Telephone Number
The following table describes the attribute syntax most commonly used in Oracle Internet Directory:
Table 6-1 Attribute Syntax Commonly Used in Oracle Internet Directory
| Syntax and Object ID | Description |
|---|---|
|
ACI Item 1.3.6.1.4.1.1466.115.121.1.1 |
Values for this attribute are access control identifier items. |
|
Binary 1.3.6.1.4.1.1466.115.121.1.5 |
Values for this attribute are binary. |
|
Boolean 1.3.6.1.4.1.1466.115.121.1.7 |
The attribute can contain only one of two values: true (1) or false (0). |
|
Directory String 1.3.6.1.4.1.1466.115.121.1.15 |
Values for this attribute are strings which are not case-sensitive. |
|
DN 1.3.6.1.4.1.1466.115.121.1.12 |
Values for this attribute are DNs (distinguished names). |
|
Generalized Time 1.3.6.1.4.1.1466.115.121.1.24 |
Values for this attribute are encoded as printable strings. A time zone must be specified (such as GMT). |
|
IA5String 1.3.6.1.4.1.1466.115.121.1.26 |
International Reference Alphabet Reference Alphabet No. 5 string. Values for this attribute are case-sensitive. |
|
Integer 1.3.6.1.4.1.1466.115.121.1.27 |
Valid values for this attribute are numbers. |
|
JPEG 1.3.6.1.4.1.1466.115.121.1.28 |
Valid values for this attribute are JPEG files. |
|
Name 1.3.6.1.4.1.1466.115.121.1.34 |
Valid values for this attribute are names or optional UIDs. |
|
OID 1.3.6.1.4.1.1466.115.121.1.38 |
A unique object identifier. |
|
Printable String 1.3.6.1.4.1.1466.115.121.1.44 |
A string that does NOT allow extended characters. Values for this attribute are not case-sensitive. |
|
Telephone Number 1.3.6.1.4.1.1466.115.121.1.50 |
Values for this attribute are in the form of telephone numbers. |
6.1.2.3 Attribute Aliases
As of 11g Release 1 (11.1.1.0.0), you can create aliases for attribute names. For example. you could create the user-friendly alias surname for the attribute sn. Once you create an alias for an attribute name, a user can specify the alias instead of the attribute name in an LDAP operation.
You define an alias for an attribute in the LDAP schema definition of the attribute. The directory schema operational attribute attributeTypes has been enhanced to allow you to include aliases in the attribute name list. In previous releases, the format for an attribute name list was:
attributeTypes=( ObjectIdentifier NAME 'AttributeName' ... )
As of 11g Release 1 (11.1.1.0.0), you may optionally specify:
attributeTypes=( ObjectIdentifier NAME ( 'AttributeName' 'Alias1' 'Alias2' ...) ... )
This is consistent with the LDAP protocol as specified by RFC 2251 and RFC 2252. In the attribute name list, the first item is recognized as the name of the attribute and rest of the items in the list are recognized as attribute aliases. For example, to specify the alias surname for the attribute sn, you would change the schema definition for sn from:
attributeTypes=( 2.5.4.4 NAME 'sn' SUP name )
to:
attributeTypes=( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
See Also:
For more information regarding attribute alias rules, managing attribute aliases using command-line tools, and using attribute aliases refer to the "Understanding Attribute Aliases section in Administering Oracle Internet Directory.
6.1.2.4 Attribute Values Matching Rules
Matching rules are the rules for matching two attribute values that comply with the same attribute syntax. Oracle Internet Directory recognizes the following matching rule definitions in the schema.
-
accessDirectiveMatch -
IntegerMatch -
bitStringMatch -
numericStringMatch -
caseExactMatch -
objectIdentifierFirstComponentMatch -
caseExactIA5Match -
ObjectIdentifierMatch -
caseIgnoreIA5Match -
OctetStringMatch -
caseIgnoreListMatch -
presentationAddressMatch -
caseIgnoreMatch -
protocolInformationMatch -
caseIgnoreOrderingMatch -
telephoneNumberMatch -
distinguishedNameMatch -
uniqueMemberMatch -
generalizedTimeMatch -
generalizedTimeOrderingMatch -
orclpkimatchingrule
Of the matching rules in the previous list, Oracle Internet Directory actually enforces the following when it compares attribute values:
-
distinguishedNameMatch -
caseExactMatch -
caseIgnoreMatch -
numericStringMatch -
IntegerMatch -
telephoneNumberMatch -
orclpkimatchingrule
6.1.2.5 Sizing Attribute Values
Attribute syntax does not put any specific size constraint on attribute values. You can, however, specify the size of the attribute value when defining the attribute. Some attributes in Oracle Internet Directory may have size constraints defined, however length characteristics of an attribute are not enforced.
For example, this syntax limits the attribute foo size to 64, but this size limit is not enforced in Oracle Internet Directory:
(object_identifier_of_attribute NAME 'foo' EQUALITY caseIgnoreMatch SYNTAX 'object_identifier_of_syntax{64}' )
6.1.2.6 About Single-Valued and Multi-Valued Attributes
By default, most attributes are multi-valued. This means that an entry can contain the same attribute with multiple values. For single-valued attributes, only one instance of the attribute can be specified in an entry. For example, the attribute orclObjectGUID attribute can only have one possible value.
6.1.2.7 Attribute Usage
Attribute Usage defines how the attribute is used in the directory. The attribute usage types are:
-
User applications attribute–Default attribute usage if not explicitly defined for the attribute.
-
System Operational attribute–Attributes that control operation of the directory itself.
See Also:
Managing System Configuration Attributes in Administering Oracle Internet Directory
6.1.3 LDAP Controls
As an LDAP Version 3 directory, Oracle Internet Directory extends the standard LDAP operations by using controls. These are extra pieces of information carried along with existing operations, altering the behavior of the operation.
When a client application passes a control along with the standard LDAP command, the behavior of the commanded operation is altered accordingly. The controls supported by Oracle Internet Directory 12c Release 2 (12.1.2.3.0) are listed in the following sections:
6.1.3.1 Request Controls Supported by Oracle Internet Directory
Table 6-2 Request Controls Supported by Oracle Internet Directory
| Object Identifier | Name | Description |
|---|---|---|
|
2.16.840.1.113730.3.4.18 |
Proxy Authorization |
Allows an LDAP client application to bind to Oracle Internet Directory server with its own identity and then to perform operations on behalf of another user or on behalf of multiple users. This control can improve performance especially for proxy operations performed on behalf of multiple users. The LDAP operation does not require a rebind for each user. For example, consider this scenario:
Considerations for the Proxy Authorization control are:
|
|
1.3.6.1.4.1.42.2.27.8.5.1 |
Password Policy |
Allows an LDAP client to request information from Oracle Internet Directory server about the current password policy state for a user. If a password policy is applicable, a client can send this control with these operations:
Other operations such as The password policy request control does not have a The password policy is typically applied to the single-valued attribute For more information, see "Password Policy for LDAP Directories" at this location:
|
|
2.16.840.1.113730.3.4.3 |
Persistent Search |
Allows an LDAP client to send a persistent search request to Oracle Internet Directory server. A persistent search operation is an enhanced search that continues after the initial search results are returned by the server to the client. After the initial search is finished, the connection to the server is kept alive until the client unbinds or abandons the operation. The client can track changes for entries in the search scope and receive an Entry Change Notification response control if an entry is modified. The definition for this control is: PersistentSearch ::= SEQUENCE {
controlType 2.16.840.1.113730.3.4.3
changeTypes INTEGER,
changesOnly BOOLEAN,
returnECs BOOLEAN
}
For a description of these fields, see: |
|
2.16.840.1.113894.1.8.39 |
Computed Attribute Value Uniqueness |
Allows computed attribute value uniqueness for an entry-based combination of multiple attribute values. Usually, attribute uniqueness is configured only for a single attribute. An application that requires uniqueness for a combination of attribute values can send this control, and Oracle Internet Directory server ensures that the computed attribute value is unique across the directory during an operation such as If an entry with the computed value already exists, Oracle Internet Directory server returns the LDAP error code: LDAP_ALREADY_EXISTS = 0x44. For example, in a multi-tenant environment, the UID attribute of a user must be unique for a specific tenant but not necessarily unique across the directory. An application creates an LDAP entry with a computed attribute named TenantID_UID, where TenantID is the identifier of the tenant and UID is the attribute. The application that creates the LDAP entry sends this control, and if an entry with the computed attribute already value already exists, Oracle Internet Directory server returns the LDAP_ALREADY_EXISTS error code. |
|
2.16.840.1.113730.3.4.9 |
OID_SEARCH_VLV_REQ_CONTROL |
Allows a client to specify that the server return, for a given LDAP search, a contiguous subset of a large search result set. It can be used to go through the search results one page at a time, which allows a client to retrieve results more quickly and prevents the client from needing to store too many search results at a time. The server returns the OID_SEARCH_VLV_RES_CONTROL 2.16.840.1.113730.3.4.10. The OID_SEARCH_VLV_REQ_CONTROL works only in conjunction with the SORT control (ldapsearch -T argument). If you do not include a SORT control, the request returns LDAP error code 53 - Search operation with VLV request control is missing SORT request control. The SORT control can contain any sort specification valid for the server. When the SORT control is used with the OID_SEARCH_VLV_REQ_CONTROL, the server does not return the complete set of sorted search results, but instead returns a contiguous subset of those entries specified in the control using a target entry as a reference point for results. For more information, see "LDAP Extensions for Scrolling View Browsing of Search Results" at |
|
1.2.840.113556.1.4.319 |
OID_SEARCH_PAGING_CONTROL |
See the Extensions to the LDAP Protocol in Application Developer's Guide for Oracle Identity Management |
|
1.2.840.113556.1.4.473 |
OID_SEARCH_SORTING_REQUEST_CONTROL |
See the Extensions to the LDAP Protocol in Application Developer's Guide for Oracle Identity Management |
|
2.16.840.1.113730.3.4.2 |
GSL_MANAGE_DSA_CONTROL |
Used to manage referrals, dynamic groups, and alias objects in Oracle Internet Directory. For more information, please see RFC 3296, "Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories," at |
|
2.16.840.1.113894.1.8.1 |
OID_RESET_PROXYCONTROL_IDENTITY |
Used to perform a proxy switch of an identity on an established LDAP connection. For example, suppose that Application A connects to the directory server and then wishes to switch to Application B. It can simply do a rebind by supplying the credentials of Application B. However, there are times when the proxy mechanism for the application to switch identities could be used even when the credentials are not available. With this control, Application A can switch to Application B provided Application A has the privilege in Oracle Internet Directory to proxy as Application B. |
|
2.16.840.1.113894.1.8.2 |
OID_APPLYUSEPASSWORD_POLICY |
Sent by applications that require Oracle Internet Directory to check for account lockout before sending the verifiers of the user to the application. If Oracle Internet Directory detects this control in the verifier search request and the user account is locked, then Oracle Internet Directory does not send the verifiers to the application. It sends an appropriate password policy error. |
|
2.16.840.1.113894.1.8.3 |
CONNECT_BY |
See the Extensions to the LDAP Protocol in Application Developer's Guide for Oracle Identity Management |
|
2.16.840.1.113894.1.8.4 |
OID_CLIENT_IP_ADDRESS |
Intended for a client to send the end user IP address if IP lockout is to be enforced by Oracle Internet Directory. |
|
2.16.840.1.113894.1.8.5 |
GSL_REQDATTR_CONTROL |
Used with dynamic groups. Directs the directory server to read the specific attributes of the members rather than the membership lists. |
|
2.16.840.1.113894.1.8.6 |
PasswordStatusRequestControl |
When packaged as part of the LDAP Bind/Compare operation request, this control causes the server to generate a password policy response control. The actual response control depends on the situation. Cases include imminent password expiration, number of grace logins remaining, password expired, and account locked. |
|
2.16.840.1.113894.1.8.14 |
OID_DYNAMIC_VERIFIER_REQUEST_CONTROL |
The request control that the client sends when it wants the server to create a dynamic password verifier. The server uses the parameters in the request control to construct the verifier. |
|
2.16.840.1.113894.1.8.16 |
AccountStatusRequestControl |
When packaged with the LDAP search operation associated with the authentication process, the Oracle Internet Directory returns a password policy response control to inform the client application of account state related information like account lockout, password expiration etc. The application can then parse and enforce the results. |
|
2.16.840.1.113894.1.8.23 |
GSL_CERTIFICATE_CONTROL" |
Certificate search control. The request control that the client sends to specify how to search for a user certificate. See the appendix Searching the Directory for User Certificates in Administering Oracle Internet Directory. |
|
2.16.840.1.113894.1.8.29 |
EffectivePolicyControl |
This control is packaged as part of an LDAP base search, where the base DN is that of the user entry being tested. The entry need not exist in the directory at the time. Passing this control results in the return of the LDAP entry describing the applicable password policy, assuming the entity performing the search has the access rights to view the password policy entry. If the desired password is provided as the optional testPassword parameter, the directory server returns the response control 2.16.840.1.113894.1.8.32. |
|
2.16.840.1.113894.1.8.36 |
DelSubtreeControl |
When this control is sent with a delete operation, it causes the deletion of the entire subtree below the DN provided. Any user having necessary privileges can perform this operation. |
|
1.2.840.113556.1.4.805 |
DelSubtreeControl |
When this control is sent with a delete operation, it causes the deletion of the entire subtree below the DN provided. Any user having necessary privileges can perform this operation. |
|
1.3.6.1.1.21.2 |
Transaction Specification Control |
This is an LDAPControl indicating association of an operation to a transaction by means of the transaction identifier, which is the value of this control. Its criticality is |
6.1.3.2 Response Controls Supported by Oracle Internet Directory
Table 6-3 Response Controls Supported by Oracle Internet Directory
| Object Identifier | Name | Description |
|---|---|---|
|
1.3.6.1.4.1.42.2.27.8.5.1 |
Password Policy |
Response control that the Oracle Internet Directory server returns to an LDAP client in response to the Password Policy request control. The response control value is encoded as follows: PasswordPolicyResponseValue ::= SEQUENCE {
warning [0] CHOICE {
timeBeforeExpiration [0] INTEGER (0 .. maxInt),
graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
error [1] ENUMERATED {
passwordExpired (0),
accountLocked (1),
changeAfterReset (2),
passwordModNotAllowed (3),
mustSupplyOldPassword (4),
insufficientPasswordQuality (5),
passwordTooShort (6),
passwordTooYoung (7),
passwordInHistory (8) } OPTIONAL }The server sends either an error or warning in the password policy response control (but not both). Error codes are described in:
Control criticality is not returned in the response. For a non violation of the password policy, the server does not send a response. |
|
2.16.840.1.113730.3.4.7 |
Entry Change Notification |
Returned by the Oracle Internet Directory server to an LDAP client in response to a Persistent Search control that has the The definition for this control is: EntryChangeNotification ::= SEQUENCE {
controlType 2.16.840.1.113730.3.4.7
changeType ENUMERATED {
add (1),
delete (2),
modify (4),
modDN (8)
},
previousDN LDAPDN OPTIONAL, -- modifyDN ops. only
changeNumber INTEGER OPTIONAL -- if supported
}
For a description of these fields, see: |
|
2.16.840.1.113730.3.4.10 |
OID_SEARCH_VLV_RES_CONTROL |
The server sends this control in response to an OID_SEARCH_VLV_REQ_CONTROL 2.16.840.1.113730.3.4.9. |
|
2.16.840.1.113894.1.8.7 |
OID_PASSWORD_EXPWARNING_CONTROL |
Password policy control. Response control that the server sends when the pwdExpireWarning attribute is enabled and the client sends the request control. The response control value contains the time in seconds to password expiration. |
|
2.16.840.1.113894.1.8.8 |
OID_PASSWORD_GRACELOGIN_CONTROL |
Password policy control. The response control that the server sends when grace logins are configured and the client sends a request control. The response control value contains the remaining number of grace logins. |
|
2.16.840.1.113894.1.8.20 |
OID_PWDEXPIRED_CONTROL |
Password policy control. The response control that the server sends when the password has expired, there are no grace logins remaining, and the client sends a request control. |
|
2.16.840.1.113894.1.8.9 |
OID_PASSWORD_MUSTCHANGE_CONTROL |
Password policy control. The response control that the server sends when forced password reset is enabled and the client sends the request control. The client must force the user to change the password upon receipt of this control. |
|
2.16.840.1.113894.1.8.15 |
OID_DYNAMIC_VERIFIER_RESPONSE_CONTROL |
The response control that the server sends to the client when an error occurs. The response control contains the error code. |
|
2.16.840.1.113894.1.8.32 |
PasswordValidationControl |
The server sends this in response to control 2.16.840.1.113894.1.8.29 when the desired password is provided as the optional testPassword parameter. A client application can parse the validationResult to determine whether the password can be accepted by the server ("Success") or the reason it has been rejected. The same type of error message generated during a failed LDAP modify operation on userpassword is returned as the value. |
|
2.16.840.1.113894.1.8.37 |
OID_SEARCH_DYNGRP_STATIC_UMEM |
When you send a query with filter |
6.2 Overview of Oracle Identity Management Schema Elements
Oracle Identity Management schema elements are listed by category. Each category contains a list of applicable LDAP object classes and attributes that link to the detailed information for the specified attribute or object class.
The schema elements are grouped into the following categories:
6.2.1 System Operational Schema Elements
System operational schema elements are those used by the directory server. System operational object classes are used by the directory server to create entries that pertain to directory server operations. Certain system operational attributes may be available for use on every entry in the directory, regardless of whether they are defined for the object class of the entry.
Table 6-4 lists system operational schema elements and operational attributes:
Table 6-4 Attributes for System Operational Schema Elements
| System Operational Schema Element | Operational Attributes |
|---|---|
|
Directory Schema |
attributeTypes, contentRules, ldapSyntaxes, matchingRules,objectClasses Object Classes: |
|
Access Control |
|
|
Change Logs |
createTimestamp, creatorsName, modifiersName, modifyTimestamp |
|
Password Policy |
orclPwdAccountUnlock, orclPwdIPAccountLockedTime, orclPwdIPFailureTime, orclRevPwd, orclUnsyncRevPwd, pwdAccountLockedTime, pwdChangedTime, pwdExpirationWarned, pwdFailureTime, pwdGraceUseTime, pwdHistory, pwdReset |
6.2.2 Oracle Internet Directory Configuration Schema Elements
Understand about the schema elements that pertain to the various configurations of Oracle Internet Directory.
This section contains the following topics:
6.2.2.1 Attributes for Oracle Internet Directory Server Configuration
This section lists the attributes and object classes that pertain to the configuration of Oracle Internet Directory server.
Attributes
namingContexts, orclAnonymousBindsFlag, orclCatalogEntryDN, orclCompatibleVersion, orclCryptoScheme, orclDBType, orclDebugFlag, orclDebugForceFlush, orclDebugOp, orclDIPRepository, orclDirectoryVersion, orclDITRoot, orclEcacheEnabled, orclEcacheMaxEntries, orclEcacheMaxSize, orclEnableGroupCache, orclEventLevel, orclGUPassword, orclHostname, orclIndexedAttribute, orclIpAddress, orclLDAPConnTimeout, orclMatchDnEnabled, orclMaxCC, orclNonSSLPort, orclNormDN, orclNwrwTimeout, orclPKIMatchingRule, orclPrName, orclPrPassword, orclReplAgreements, orclReplicaID, orclSASLAuthenticationMode, orclSASLCipherChoice, orclSASLMechanism, orclsDumpFlag, orclServerMode, orclServerProcs, orclSizeLimit, orclSkewedAttribute, orclSkipRefInSQL, orclSSLAuthentication, orclSSLCipherSuite, orclSSLEnable, orclSSLPort, orclSSLVersion, orclSSLWalletURL, orclStatsDN, orclStatsFlag, orclStatsLevel, orclStatsOp, orclStatsPeriodicity, orclSUAccountLocked, orclSuffix, orclSULoginFailureCount, orclSUName, orclSUPassword, orclTimeLimit, orclTLimitMode, orclUpgradeInProgress
Object Classes
6.2.2.2 Attributes for Oracle Context Configuration
This section lists the attributes and object classes that pertain to the configuration of the Oracle Context.
Attributes
orclCommonAutoRegEnabled, orclCommonContextMap, orclCommonDefaultUserCreateBase, orclCommonGroupCreateBase, orclCommonNamingAttribute, orclCommonNicknameAttribute, orclCommonSASLRealm, orclCommonUserSearchBase, orclDefaultSubscriber, orclProductVersion, orclSubscriberNickNameAttribute, orclSubscriberSearchBase, orclUserObjectClasses, orclVersion
Object Classes
6.2.2.3 Attributes for Oracle Network Services Configuration
This section lists the attributes and object classes that pertain to the configuration of Oracle Network Services.
Attributes
labeledURI, orclActiveEndDate, orclActiveStartdate, orclAssocDB, orclAssocIasInstance, orclEnabled, orclFlexAttribute1, orclIsEnabled, orclMasterNode, orclNetDescName, orclNetDescString, orclOracleHome, orclServiceInstanceLocation, orclServiceMember, orclServiceSubscriptionLocation, orclServiceSubType, orclServiceType, orclSID, orclSuiteType, orclSystemName, orclVersion
Object Classes
6.2.2.4 Attributes for Garbage Collection Configuration
This section lists the attributes and object classes that pertain to the configuration of garbage collection.
Attributes
orclPurgeBase, orclPurgeDebug, orclPurgeEnable, orclPurgeFileLoc, orclPurgeFileName, orclPurgeFilter, orclPurgeInterval, orclPurgeNow, orclPurgePackage, orclPurgeStart, orclPurgeTargetAge, orclPurgeTranSize
Object Classes
6.2.3 Audit and Error Logging Schema Elements
Understand about the attributes and object classes that pertain to audit logs and error logs.
Attributes
orclAuditAttribute, orclAuditMessage, orclDBConnCreationFailed, orclDNSUnavailable, orclEventTime, orclEventType, orclFDIncreaseError, orclMaxFDLimitReached, orclMaxProcessLimitReached, orclMemAllocError, orclNWCongested, orclNwUnavailable, orclOpResult, orclORA28error, orclORA3113error, orclORA3114error, orclSequence, orclThreadSpawnFailed, orclUserDN
Object Classes
6.2.4 Server Manageability Schema Elements
Understand about the schema elements for Oracle Internet Directory server manageability statistics.
Attributes
orclACLResultsLatency, orclActiveConn, orclActiveThreads, orclAttrACLEvalLatency, orclAuditMessage, orclBERgenLatency, orclDBLatency, orclDIMEonlyLatency, orclEcacheHitRatio, orclEcacheNumEntries, orclEcacheSize, orclEntryACLEvalLatency, orclEventTime, orclEventType, orclFilterACLEvalLatency, orclFrontLatency, orclGenObjLatency, orclGetNearACLLatency, orclHostname, orclIdleConn, orclIdleThreads, orclInitialServerMemSize, orclIpAddress, orclLDAPInstanceID, orclLDAPProcessID, orclOpAbandoned, orclOpCompleted, orclOpenConn, orclOpFailed, orclOpInitiated, orclOpLatency, orclOpPending, orclOpResult, orclOpSucceeded, orclOpTimedOut, orclQueueDepth, orclQueueLatency, orclReadWaitThreads, orclSequence, orclServerAvgMemGrowth, orclSMSpec, orclSQLexeFetchLatency, orclSQLGenReusedParsed, orclTcpConnToClose, orclTcpConnToShutDown, orclTotFreePhyMem, orclTraceDimesionLevel, orclTraceFileLocation, orclTraceFileSize, orclTraceLevel, orclTraceMode, orclUserDN, orclWriteWaitThreads
Object Classes
6.2.5 Oracle Directory Replication Schema Elements
Understand about the schema elements for directory replication.
Attributes
orclAgreementId, orclChangeLogLife, orclChangeRetryCount, orclCompatibleVersion, orclDirReplGroupAgreement, orclExcludedAttributes, orclHIQSchedule, orclHostname, orclIncludedNamingContexts, orclLastAppliedChangeNumber, orclLDAPConnKeepALive, orclPilotMode, orclPurgeSchedule, orclReplicaDN, orclReplicaID, orclReplicaSecondaryURI, orclReplicaState, orclReplicationProtocol, orclReplicaType, orclReplicaURI, orclReplicaVersion, orclThreadsPerSupplier, orclUpdateSchedule, pilotStartTime
Object Classes
6.2.6 Oracle Directory Integration and Provisioning Schema Elements
Understand about the schema elements for Oracle Directory Integration and Provisioning.
This section contains the following topics:
6.2.6.1 Attributes for Provisioning Applications
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning applications.
Attributes
orclApplicationType, orclInterval, orclODIPAgent, orclODIPApplicationName, orclODIPCommand, orclODIPDbConnectInfo, orclODIPEventSubscriptions, orclOwnerGUID, orclStatus, orclVersion
Object Classes
6.2.6.2 Attributes for Provisioning Change Logs
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning change logs.
Attributes
Object Classes
6.2.6.3 Attributes for Provisioning Events and Objects
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning events and objects.
Attributes
orclODIPAttributeMappingRules, orclODIPEventFilter, orclODIPFilterAttrCriteria, orclODIPMustAttrCriteria, orclODIPObjectCriteria, orclODIPObjectEvents, orclODIPObjectName, orclODIPObjectSyncBase, orclODIPOperationMode, orclODIPOptAttrCriteria, orclODIPProvEventCriteria, orclODIPProvEventLDAPChangeType, orclODIPProvEventObjectType, orclODIPProvEventRule, orclODIPProvEventRuleDTD, orclStatus
Object Classes
6.2.6.4 Attributes for Provisioning Plug-ins and Interfaces
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning plug-ins and interfaces.
Attributes
orclODIPPluginAddInfo, orclODIPPluginConfigInfo, orclODIPPluginEvents, orclODIPPluginExecData, orclODIPPluginExecName, orclODIPProfileProvSubscriptionMode, orclODIPProfileStatusUpdate, orclODIPProvInterfaceFilter, orclODIPProfileInterfaceType, orclODIPProvInterfaceProcessor, orclStatus
Object Classes
6.2.6.5 Attributes for Provisioning Server Configuration
This section lists the attributes and object classes for configuring the Oracle Directory Integration and Provisioning server.
Attributes
cn, orclCompatibleVersion, orclHostname, orclODIPConfigDNs, orclODIPConfigRefreshFlag, orclODIPInstanceStatus, orclODIPProfileExecGroupID, orclODIPSearchCountLimit, orclODIPSearchTimeLimit, orclODIPServerCommitSize, orclODIPServerDebugLevel, orclODIPServerRefreshIntvl, orclODIPServerSSLMode, orclODIPServerWalletLoc, orclSSLEnable, orclVersion, seeAlso, userPassword
Object Classes
6.2.6.6 Attributes for Provisioning Profiles
This section the attributes and object classes for Oracle Directory Integration and Provisioning synchronization and provisioning profiles.
Attributes
cn, orclODIPAgentConfigInfo, orclODIPAgentControl, orclODIPAgentExeCommand, orclODIPAgentHostName, orclODIPAgentName, orclODIPAgentPassword, orclODIPAttributeMappingRules, orclODIPBootStrapStatus, orclODIPConDirAccessAccount, orclODIPConDirAccessPassword, orclODIPConDirLastAppliedChgNum, orclODIPConDirMatchingFilter, orclODIPConDirURL, orclODIPEncryptedAttrKey, orclODIPInterfaceType, orclODIPLastExecutionTime, orclODIPLastSuccessfulExecutionTime, orclODIPOIDMatchingFilter, orclODIPProfileDebugLevel, orclODIPProfileExecGroupID, orclODIPProfileInterfaceAdditionalInformation, orclODIPProfileInterfaceConnectInformation, orclODIPProfileInterfaceName, orclODIPProfileInterfaceType, orclODIPProfileInterfaceVersion, orclODIPProfileLastAppliedAppEventID, orclODIPProfileLastProcessingTime, orclODIPProfileLastSuccessfulProcessingTime, orclODIPProfileMaxErrors, orclODIPProfileMaxEventsPerInvocation, orclODIPProfileMaxEventsPerSchedule, orclODIPProfileMaxRetries, orclODIPProfileName, orclODIPProfileProcessingErrors, orclODIPProfileProcessingStatus, orclODIPProfileSchedule, orclODIPProvisioningAppGUID, orclODIPProvisioningAppName, orclODIPProvisioningEventMappingRules, orclODIPProvisioningEventPermittedOperations, orclODIPProvisioningEventSubscription, orclODIPProvisioningOrgGUID, orclODIPProvisioningOrgName, orclODIPSchedulingInterval, orclODIPSynchronizationErrors, orclODIPSynchronizationMode, orclODIPSynchronizationStatus, orclODIPSyncRetryCount, orclPasswordAttribute, orclStatus, orclVersion, userPassword
Object Classes
6.2.6.7 Attributes for Provisioning Schema
This section lists the attributes and object classes for Oracle Directory Integration and Provisioning schema information.
Attributes
orclODIPApplicationsLocation, orclODIPInstancesLocation, orclODIPObjectDefnLocation, orclODIPProvProfileLocation, orclODIPRootLocation, orclODIPSchemaVersion, orclODIPServerConfigLocation, orclODIPSyncProfileLocation
Object Classes
6.2.7 Oracle Delegated Administration Services Schema Elements
Understand about the attributes and object classes for Oracle Delegated Administration Services.
Attributes
orclDASAdminModifiable, orclDASAttrDispOrder, orclDASAttrName, orclDASEnableProductLogo, orclDASEnableSubscriberLogo, orclDASIsEnabled, orclDASIsMandatory, orclDASIsPersonal, orclDASLOV, orclDASPublicGroupDNs, orclDASSearchable, orclDASSearchColIndex, orclDASSearchFilter, orclDASSearchSizeLimit, orclDASSelfModifiable, orclDASUIType, orclDASURL, orclDASURLBase, orclDASValidatePwdReset, orclDASViewable
Object Classes
6.2.8 Oracle Application Server Certificate Authority and PKI Schema Elements
Understand about the attributes and object classes that pertain to public key infrastructure (PKI), certificates, and Oracle Application Server Certificate Authority.
Attributes
orclCertExtensionAttribute, orclCertExtensionOID, orclCertificateHash, orclCertificateMatch, orclCertMappingAttribute, orclPKINextUpdate, orclPKIValMecAttr, x509issuer
Object Classes
6.2.9 Application Schema Elements
Understand about the attributes and object classes that pertain to applications.
Attributes
authPassword, description, labeledURI, orclAppFullName, orclApplicationCommonName, orclCategory, orclDBSchemaIdentifier, orclOwnerGUID, orclPasswordVerifier, orclResourceIdentifier, orclTrustedApplicationGroup, orclVersion, protocolInformation, seeAlso, userCertificate;binary, userPassword, userPKCS12
Object Classes
6.2.10 Resource Schema Elements
Understand about the attributes and object classes that pertain to resources.
Attributes
description, displayName, javaClassName, orclConnectionFormat, orclFlexAttribute1, orclFlexAttribute2, orclFlexAttribute3, orclOwnerGUID, orclPasswordAttribute, orclResourceName, orclResourceViewers, orclUserIDAttribute, orclUserModifiable
Object Classes
6.2.11 Plug-in Schema Elements
Understand about the attributes and object classes for configuring Plug-ins for Oracle Internet Directory.
Attributes
orclPluginAttributeList, orclPluginCheckEntryExist, orclPluginEnable, orclPluginEntryProperties, orclPluginIsReplace, orclPluginKind, orclPluginLDAPOperation, orclPluginName, orclPluginPort, orclPluginRequestGroup, orclPluginRequestNegGroup, orclPluginResultCode, orclPluginSASLCallBack, orclPluginSearchNotFound, orclPluginShareLibLocation, orclPluginSubscriberDNList, orclPluginTiming, orclPluginType, orclPluginVersion, userPassword
Object Classes
6.2.12 Directory User Agents Schema Elements
Understand about the attributes and object classes for configuring directory user agents (DUAs).
Attributes
attributeMap, authenticationMethod, bindTimeLimit, cn, credentialLevel, defaultSearchBase, defaultSearchScope, defaultServerList, followReferrals, objectClass, objectClassMap, preferredServerList, profileTTL, serviceAuthenticationMethod, serviceCredentialLevel, serviceSearchDescriptor
Object Classes
6.2.13 User, Group, and Subscriber Schema Elements
Understand about the attributes and object classes used for users, groups, and subscribers.
This section contains the following topics:
6.2.13.1 Attributes for Groups
Oracle Internet Directory uses the standard object classes groupOfNames and groupOfUniqueNames as defined in RFC 2256. In addition to the standard attributes and object classes, the following are also used for groups.
Attributes
Object Classes
6.2.13.2 Attributes for Dynamic Groups
This section lists the attributes and object classes for dynamic groups.
Attributes
Object Classes
6.2.13.3 Attributes for Users
Oracle Internet Directory uses the standard object classes person and inetOrgPerson as defined in RFC 2256. In addition to the standard attributes and object classes, the following are also used for users.
Attributes
authPassword, c, jpegPhoto, krbPrincipalName, middleName, orclActiveEndDate, orclActiveStartdate, orclContact, orclDateOfBirth, orclDefaultProfileGroup, orclDisplayPersonalInfo, orclGender, orclHireDate, orclHostedCreditCardExpireDate, orclHostedCreditCardNumber, orclHostedCreditCardType, orclHostedDunsNumber, orclHostedPaymentTerm, orclIsEnabled, orclIsVisible, orclMaidenName, orclPassword, orclPasswordHint, orclPasswordHintAnswer, orclPasswordVerifier, orclPKCS12Hint, orclSAMAccountName, orclSearchFilter, orclSubscriberFullName, orclSubscriberType, orclTimeZone, orclTxnMaxOperations, orclVersion, orclWirelessAccountNumber, orclWorkflowNotificationPref, userPKCS12
Object Classes
6.2.14 Password Policy Schema Elements
Understand about the attributes and object classes that pertain to password policy configuration.
Attributes
cn, displayName, orclPwdAllowHashCompare, orclPwdAlphaNumeric, orclPwdEncryptionEnable, orclPwdIllegalValues, orclPwdIPLockout, orclPwdIPLockoutDuration, orclPwdIPMaxFailure, orclPwdPolicyEnable, pwdAllowUserChange, pwdCheckSyntax, pwdExpireWarning, pwdFailureCountInterval, pwdGraceLoginLimit, pwdInHistory, pwdLockout, pwdLockoutDuration, pwdMaxAge, pwdMaxFailure, pwdMinAge, pwdMustChange, pwdSafeModify
Object Classes
6.2.15 Password Verifier Schema Elements
Understand about the attributes and object classes that pertain to password verifiers.
Attributes
cn, displayName, orclAppId, , owner
Object Classes