HP-UX Directory Server schema reference HP-UX Directory Server Version 8.
© Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents 1 About Directory Server schema....................................................................................9 1.1 Schema definitions............................................................................................................................9 1.1.1 Object classes.............................................................................................................................9 1.1.1.1 Required and allowed attributes...........................................
2.37 documentPublisher........................................................................................................................24 2.38 documentStore...............................................................................................................................24 2.39 documentTitle................................................................................................................................24 2.40 documentVersion..................................................
2.92 ntUserDomainId............................................................................................................................38 2.93 ntUserHomeDir.............................................................................................................................38 2.94 ntUserLastLogoff...........................................................................................................................38 2.95 ntUserLastLogon.....................................................
2.147 telexNumber................................................................................................................................50 2.148 textEncodedORAddress..............................................................................................................51 2.149 title...............................................................................................................................................51 2.150 ttl (TimeToLive)..............................................
3.36 ntUser............................................................................................................................................78 3.37 organization...................................................................................................................................79 3.38 organizationalPerson.....................................................................................................................80 3.39 organizationalRole.......................................
4.1.36 passwordResetFailureCount (pwdFailureCountInterval)..................................................101 4.1.37 passwordRetryCount...........................................................................................................101 4.1.38 passwordStorageScheme.....................................................................................................101 4.1.39 passwordUnlock..............................................................................................................
1 About Directory Server schema This document provides a reference for the HP-UX Directory Server schema. This chapter provides an overview of some of the basic concepts of the directory schema and lists the files in which the schema is described. It describes object classes, attributes, and object identifiers (OIDs) and briefly discusses extending server schema and schema checking. 1.1 Schema definitions The directory schema is a set of rules that defines how data can be stored in the directory.
As in Example 1-1 “Object class schema entry for person”, the person object class requires the cn, sn, and objectClass attributes and allows the description, seeAlso, telephoneNumber, and userPassword attributes. NOTE: All entries require the objectClass attribute, which lists the object classes assigned to the entry. 1.1.1.2 Object class inheritance An entry can have more than one object class.
1.1.2.1 Attribute syntax The attribute's syntax defines the format of the values which the attribute allows; as with other schema elements, the syntax is defined for an attribute using the syntax's OID, as listed in Table 1-1 “LDAP attribute syntax”. The Directory Server uses the attribute's syntax to perform sorting and pattern matching on entries.
Table 1-1 LDAP attribute syntax
Syntax method / OID / Definition
Binary / 1.3.6.1.4.1.1466.115.121.1.5 / Indicates that values for this attribute are binary.
1.1.2.2 Single- and multivalued attributes By default, most attributes are multivalued. This means that an entry can contain the same attribute multiple times, with different values. For example:
dn: uid=jsmith,ou=marketing,ou=people,dc=example,dc=com
ou: marketing
ou: people
The cn, telephoneNumber, and objectClass attributes, for example, can all have more than one value.
Table 1-2 Schema files (continued)
Schema file / Purpose
50ns-certificate.ldif / Schemas used by Certificate System.
50ns-directory.ldif / Schema used by legacy Directory Server 4.x servers.
50ns-mail.ldif / Schema for mail servers.
50ns-value.ldif / Schema for value items in Directory Server.
50ns-web.ldif / Schema for web servers.
60autofs.ldif / Object classes for automount configuration; this is one of several schema files used for NIS servers.
60eduperson.
1.4 Extending the schema The Directory Server schema includes hundreds of object classes and attributes that can be used to meet most directory requirements. This schema can be extended with new object classes and attributes that meet evolving requirements for the directory service in the enterprise by creating custom schema files. When adding new attributes to the schema, create a new object class to contain them instead of adding them to an existing standard object class.
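The following is an added worked example, not part of the HP-UX Directory Server documentation or product code. It shows what schema checking (Section 1.1.1 required and allowed attributes, Section 1.1.2 attribute syntax and single- versus multivalued attributes, Section 1.4 custom object classes) actually tests: it parses object class and attribute type definitions written in the RFC 4512 syntax that the schema .ldif files use, then validates an entry against them. The person definition follows the text; examplePerson and its OID under 1.3.6.1.4.1.99999 are hypothetical and stand in for a custom object class created to hold one extra attribute.

```python
"""Schema check for a directory entry: required attributes present, no
attributes outside the entry's object classes, single-valued attributes
carry one value. Added example; the schema below is hand-written, not
copied from the product's schema files."""
import re

# Constructed schema. examplePerson (OID under 1.3.6.1.4.1.99999) is a
# hypothetical custom class that allows displayName on a person entry.
OBJECTCLASS_DEFS = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 1.3.6.1.4.1.99999.1 NAME 'examplePerson' SUP person STRUCTURAL "
    "MAY displayName )",
]
ATTRIBUTE_DEFS = [
    "( 2.5.4.0 NAME 'objectClass' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
    "( 2.5.4.3 NAME 'cn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.4.4 NAME 'sn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.4.13 NAME 'description' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.4.20 NAME 'telephoneNumber' SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )",
    "( 2.5.4.34 NAME 'seeAlso' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )",
    "( 2.5.4.35 NAME 'userPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 0.9.2342.19200300.100.1.3 NAME 'mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
    "( 2.16.840.1.113730.3.1.241 NAME 'displayName' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
]

def _names(field):
    """'( sn $ cn )' or 'cn' -> ['sn', 'cn']; attribute names are case-insensitive."""
    return [n.strip().lower() for n in field.strip("() ").split("$") if n.strip()]

def parse_objectclass(defn):
    must = re.search(r"\bMUST\s+(\([^)]*\)|\S+)", defn)
    may = re.search(r"\bMAY\s+(\([^)]*\)|\S+)", defn)
    sup = re.search(r"\bSUP\s+(\w+)", defn)
    return {
        "oid": re.match(r"\(\s*([\d.]+)", defn).group(1),
        "name": re.search(r"NAME\s+'([^']+)'", defn).group(1).lower(),
        "sup": sup.group(1).lower() if sup else None,
        "must": _names(must.group(1)) if must else [],
        "may": _names(may.group(1)) if may else [],
    }

def parse_attribute(defn):
    return {
        "oid": re.match(r"\(\s*([\d.]+)", defn).group(1),
        "name": re.search(r"NAME\s+'([^']+)'", defn).group(1).lower(),
        "syntax": re.search(r"SYNTAX\s+([\d.]+)", defn).group(1),
        "single": "SINGLE-VALUE" in defn,
    }

OCS = {d["name"]: d for d in map(parse_objectclass, OBJECTCLASS_DEFS)}
ATTRS = {d["name"]: d for d in map(parse_attribute, ATTRIBUTE_DEFS)}

def effective_attrs(classes, ocs=OCS):
    """Union of MUST and MAY over each listed class and its superior chain."""
    must, may = set(), set()
    for name in classes:
        cur = name.lower()
        while cur is not None:
            must.update(ocs[cur]["must"])
            may.update(ocs[cur]["may"])
            cur = ocs[cur]["sup"]
    return must, may

def check_entry(entry, ocs=OCS, attrs=ATTRS):
    """entry: {attributeName: [values]} without the dn. Returns the list of
    schema violations; an empty list means the entry passes schema checking."""
    entry = {k.lower(): v for k, v in entry.items()}
    classes = entry.get("objectclass", [])
    if not classes:
        return ["objectClass is required on every entry"]
    unknown = [c for c in classes if c.lower() not in ocs]
    if unknown:
        return ["unknown object class: " + c for c in unknown]
    must, may = effective_attrs(classes, ocs)
    problems = ["missing required attribute: " + a for a in sorted(must) if a not in entry]
    for a, values in entry.items():
        if a not in attrs:
            problems.append("attribute type not defined in schema: " + a)
        elif a not in must and a not in may:
            problems.append("attribute not allowed by object classes: " + a)
        elif attrs[a]["single"] and len(values) > 1:
            problems.append("single-valued attribute has %d values: %s" % (len(values), a))
    return problems

# Constructed entries: one that passes and one with three distinct violations.
VALID_ENTRY = {
    "objectClass": ["top", "person", "examplePerson"],
    "cn": ["Babs Jensen"], "sn": ["Jensen"],
    "telephoneNumber": ["+1 408 555 1212", "+1 408 555 3333"],
    "displayName": ["Babs"],
}
BAD_ENTRY = {
    "objectClass": ["top", "person", "examplePerson"],
    "cn": ["Babs Jensen"],                 # sn is missing
    "displayName": ["Babs", "Barbara"],    # displayName is single-valued
    "mail": ["babs@example.com"],          # not allowed by person/examplePerson
}

if __name__ == "__main__":
    for label, e in (("valid", VALID_ENTRY), ("bad", BAD_ENTRY)):
        print(label, check_entry(e) or "ok")
```

Syntax OIDs are carried through parse_attribute so a per-syntax value check (for example, rejecting a non-numeric uidNumber) can be added in check_entry without touching the parser; the server itself performs these checks only while schema checking is enabled, so an entry imported with checking off can fail this test later.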
2 Directory Server attribute reference This chapter contains reference information about HP-UX Directory Server (Directory Server) attributes. The attributes are listed in alphabetical order with their definition, syntax, and OID. For information on replication and synchronization attributes, see the HP-UX Directory Server configuration, command, and file reference. 2.1 abstract The abstract attribute contains an abstract for a document entry. OID 0.9.2342.19200300.102.1.
associatedName: c=us OID 0.9.2342.19200300.100.1.38 Syntax DN Multi- or Single-Valued Multivalued Defined in RFC 1274 2.5 audio The audio attribute contains a sound file in binary format; the sound data is u-law encoded. For example: audio:: AAAAAA== OID 0.9.2342.19200300.100.1.55 Syntax Binary Multi- or Single-Valued Multivalued Defined in RFC 1274 2.6 authorCn The authorCn attribute contains the common name of the document's author.
authorityrevocationlist;binary:: AAAAAA== OID 2.5.4.38 Syntax Binary Multi- or Single-Valued Multivalued Defined in RFC 2256 2.9 buildingName The buildingName attribute contains the building name associated with the entry. For example: buildingName: 14 OID 0.9.2342.19200300.100.1.48 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 1274 2.10 businessCategory The businessCategory attribute identifies the type of business in which the entry is engaged.
cACertificate;binary:: AAAAAA== OID 2.5.4.37 Syntax Binary Multi- or Single-Valued Multivalued Defined in RFC 2256 2.13 carLicense The carLicense attribute contains an entry's automobile license plate number. For example: carLicense: 6ABC246 OID 2.16.840.1.113730.3.1.1 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2798 2.14 certificateRevocationList The certificateRevocationList attribute contains a list of revoked user certificates.
2.16 co (friendlyCountryName) The friendlyCountryName attribute contains a country name; this can be any string. Often, the c (countryName) attribute holds the ISO-designated two-letter country code, while the co attribute contains a readable country name. For example:
friendlyCountryName: Ireland
co: Ireland
OID 0.9.2342.19200300.100.1.43 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 1274 2.
2.20 cosSpecifier The cosSpecifier attribute contains the attribute value used by a classic CoS, which, along with the template entry's DN, identifies the template entry. OID 2.16.840.1.113730.3.1.551 Syntax DirectoryString Multi- or Single-Valued Single-valued Defined in Directory Server 2.21 cosTargetTree The cosTargetTree attribute defines the subtrees to which the CoS schema applies.
dc: example domainComponent: example OID 0.9.2342.19200300.100.1.25 Syntax DirectoryString Multi- or Single-Valued Single-valued Defined in RFC 2247 2.25 deltaRevocationList The deltaRevocationList attribute contains a certificate revocation list (CRL). The attribute value is requested and stored in binary format, such as deltaRevocationList;binary. OID 2.5.4.53 Syntax Binary Multi- or Single-Valued Multivalued Defined in RFC 2256 2.
destinationIndicator: Stow, Ohio, USA OID 2.5.4.27 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.29 displayName The displayName attribute contains the preferred name of a person to use when displaying that person's entry. This is especially useful for showing the preferred name for an entry in a one-line summary list. Because other attribute types, such as cn, are multivalued, they cannot be used to display a preferred name.
dn: uid=Barbara Jensen,ou=Quality Control,dc=example,dc=com OID 2.5.4.49 Syntax DN Defined in RFC 2256 2.33 dNSRecord The dNSRecord attribute contains DNS resource records, including type A (Address), type MX (Mail Exchange), type NS (Name Server), and type SOA (Start of Authority) resource records. For example: dNSRecord: IN NS ns.uu.net OID 0.9.2342.19200300.100.1.26 Syntax IA5String Multi- or Single-Valued Multivalued Defined in Internet Directory Pilot 2.
Multi- or Single-Valued Multivalued Defined in RFC 1274 2.37 documentPublisher The documentPublisher attribute contains the person or organization who published a document. For example: documentPublisher: Southeastern Publishing OID 0.9.2342.19200300.100.1.56 Syntax DirectoryString Multi- or Single-Valued Single-valued Defined in RFC 1274 2.38 documentStore The documentStore attribute contains information on where the document is stored. OID 0.9.2342.19200300.102.1.
favouriteDrink: iced tea
drink: cranberry juice
OID 0.9.2342.19200300.100.1.5 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 1274 2.42 dSAQuality The dSAQuality attribute contains the rating of the directory system agent's (DSA) quality. This attribute allows a DSA manager to indicate the expected level of availability of the DSA. For example: dSAQuality: high OID 0.9.2342.19200300.100.1.
Multi- or Single-Valued Multivalued Defined in RFC 2798 2.46 fax (facsimileTelephoneNumber) The facsimileTelephoneNumber attribute contains the entry's facsimile number; this attribute can be abbreviated as fax. For example:
facsimileTelephoneNumber: +1 415 555 1212
fax: +1 415 555 1212
OID 2.5.4.23 Syntax TelephoneNumber Multi- or Single-Valued Multivalued Defined in RFC 2256 2.47 gecos The gecos attribute is used to determine the GECOS field for the user.
Multi- or Single-Valued Single-valued Defined in RFC 2307 2.50 givenName The givenName attribute contains an entry's given name, which is usually the first name. For example: givenName: Rachel OID 2.5.4.42 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.51 homeDirectory The homeDirectory attribute contains the path to the user's home directory. homeDirectory: /home/jsmith OID 1.3.6.1.1.1.1.
The dollar (\24) value can be found$in the c:\5ccost file.
OID 0.9.2342.19200300.100.1.39 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 1274 2.54 host The host attribute contains the host name of a computer. For example: host: labcontroller01 OID 0.9.2342.19200300.100.1.9 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 1274 2.55 houseIdentifier The houseIdentifier attribute contains an identifier for a specific building at a location.
when it is synchronized. There is no information written to the error log to indicate that synchronization changed the attribute value, either. OID 2.5.4.43 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.58 internationalISDNNumber The internationalISDNNumber attribute contains the entry's ISDN number. This attribute uses the internationally recognized format for ISDN addresses given in ITU-T (formerly CCITT) Recommendation E.164. OID 2.5.4.
Multi- or Single-Valued Multivalued Defined in Internet White Pages Pilot 2.62 knowledgeInformation This attribute is no longer used. OID 2.5.4.2 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.63 l (localityName) The localityName, or l, attribute contains the county, city, or other geographical designation associated with the entry. For example: localityName: Santa Clara l: Santa Clara OID 2.5.4.
2.66 lastModifiedTime The lastModifiedTime attribute contains the time, in UTC format, an entry was last modified. For example: lastModifiedTime: Thursday, 22-Sep-93 14:15:00 GMT OID 0.9.2342.19200300.100.1.23 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 1274 2.67 loginShell The loginShell attribute contains the path to the user's login shell or to a script that is launched automatically when the user logs in. loginShell: c:\scripts\jsmith.bat OID 1.3.6.1.1.1.1.
2.70 mailHost The mailHost attribute contains the host name of a mail server. For example: mailHost: mail.example.com OID 2.16.840.1.113730.3.1.18 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in Netscape Messaging Server 2.71 mailPreferenceOption The mailPreferenceOption attribute defines whether a user should be included on a mailing list, both electronic and physical. There are three options:
0 Does not appear in mailing lists.
1 Add to any mailing lists.
Multi- or Single-Valued Multivalued Defined in RFC 2256 2.74 memberCertificateDescription This attribute is a multivalued attribute where each value is a description, a pattern, or a filter matching the subject DN of a certificate, usually a certificate used for SSL client authentication. memberCertificateDescription matches any certificate that contains a subject DN with the same attribute-value assertions (AVAs) as the description. The description may contain multiple ou AVAs.
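The following is an added worked example, not part of the HP-UX Directory Server documentation or product code, showing the matching rule that the memberCertificateDescription text describes: a description matches a certificate when every attribute-value assertion (AVA) in the description appears in the certificate's subject DN, and a description with several ou AVAs needs a counterpart for each. The page does not spell out the server's exact normalisation (case handling, escaped characters, multi-valued RDNs), so the choices made here, and the constructed group values and subject DNs, are this example's own.

```python
"""Match X.509 subject DNs against memberCertificateDescription values.
Added example; normalisation choices are this example's, not the server's."""
from collections import Counter

def split_dn(dn):
    """Split a string DN at unescaped commas, keeping a '\\,' inside a value
    as a literal comma (RFC 4514 string form). Multi-valued RDNs joined
    with '+' are not handled here."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]

def parse_avas(dn):
    """Counter of (type, value): type lowercased, value whitespace-normalised
    and lowercased, since DirectoryString matching is case-insensitive."""
    avas = []
    for rdn in split_dn(dn):
        t, sep, v = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        avas.append((t.strip().lower(), " ".join(v.split()).lower()))
    return Counter(avas)

def description_matches(description, subject_dn):
    """True when every AVA the description requires (counted, so two ou
    AVAs need two matching ou AVAs) is present in the subject DN."""
    return not (parse_avas(description) - parse_avas(subject_dn))

def matching_descriptions(descriptions, subject_dn):
    """The group's description values that this certificate subject satisfies."""
    return [d for d in descriptions if description_matches(d, subject_dn)]

# Constructed group values and client-certificate subject DNs.
GROUP_DESCRIPTIONS = [
    "ou=Engineering, o=Example Corp",
    "ou=Security, ou=Engineering, o=Example Corp",
    "cn=Jensen\\, Barbara, o=Example Corp",
]
SUBJECT_BABS = "CN=Jensen\\, Barbara, OU=Security, OU=Engineering, O=Example Corp, C=US"
SUBJECT_MALLORY = "CN=Mallory, OU=Engineering, O=Example Corp, C=US"
SUBJECT_OTHER_ORG = "CN=Jensen\\, Barbara, OU=Security, OU=Engineering, O=Other Corp, C=US"

if __name__ == "__main__":
    for subject in (SUBJECT_BABS, SUBJECT_MALLORY, SUBJECT_OTHER_ORG):
        print(subject, "->", matching_descriptions(GROUP_DESCRIPTIONS, subject))
```

The match is made on the subject DN alone, so membership is only as trustworthy as the CA that issued the certificate: any CA the server trusts for SSL client authentication can issue a certificate carrying a matching subject, which is why the set of trusted CAs, not the description, is the real access-control boundary.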
2.76 memberUid The memberUid attribute contains the login name of a member of a group; this can be different than the DN identified in the member attribute. For example:
memberUid: jsmith
OID 1.3.6.1.1.1.1.12 Syntax IA5String Multi- or Single-Valued Multivalued Defined in RFC 2307 2.77 memberURL This attribute identifies a URL associated with each member of a group. Any type of labeled URL can be used. memberURL: ldap://cn=jsmith,ou=people,dc=example,dc=com OID 2.16.840.1.113730.3.1.
2.80 nsLicensedFor The nsLicensedFor attribute identifies the server the user is licensed to use. Administration Server expects each nsLicenseUser entry to contain zero or more instances of this attribute. Valid keywords for this attribute include the following:
• slapd for a licensed Directory Server client.
• mail for a licensed mail server client.
• news for a licensed news server client.
• cal for a licensed calendar server client.
For example: nsLicensedFor: slapd OID 2.16.840.1.113730.3.1.
2.84 ntGroupDeleteGroup The ntGroupDeleteGroup attribute is used by Windows Sync to determine whether the Directory Server should delete a group entry when the group is deleted on a Windows sync peer server. true means the group entry is deleted; false ignores the deletion. OID 2.16.840.1.113730.3.1.46 Syntax Case-insensitive string Multi- or Single-Valued Single-valued Defined in Netscape NT Synchronization 2.85 ntGroupDomainId The ntGroupDomainId attribute contains the domain ID string for a group.
Multi- or Single-Valued Single-valued Defined in Netscape NT Synchronization 2.88 ntUserAcctExpires This attribute indicates when the entry's Windows account will expire. This value is stored as a string in GMT format. For example: ntUserAcctExpires: 20081015203415 OID 2.16.840.1.113730.3.1.528 Syntax Case-insensitive string Multi- or Single-Valued Single-valued Defined in Netscape NT Synchronization 2.
2.92 ntUserDomainId The ntUserDomainID attribute contains the Windows domain login ID. For example: ntUserDomainId: jsmith OID 2.16.840.1.113730.3.1.41 Syntax Case-insensitive string Multi- or Single-Valued Single-valued Defined in Netscape NT Synchronization 2.93 ntUserHomeDir The ntUserHomeDir attribute contains an ASCII string representing the Windows user's home directory. This attribute can be null. For example: ntUserHomeDir: c:\jsmith OID 2.16.840.1.113730.3.1.
2.96 ntUserMaxStorage The ntUserMaxStorage attribute contains the maximum amount of disk space available for the user. ntUserMaxStorage: 4294967295 OID 2.16.840.1.113730.3.1.529 Syntax Binary Multi- or Single-Valued Single-valued Defined in Netscape NT Synchronization 2.97 ntUserParms The ntUserParms attribute contains a Unicode string reserved for use by applications. OID 2.16.840.1.113730.3.1.
ntUserWorkstations: firefly OID 2.16.840.1.113730.3.1.525 Syntax Case-insensitive string Multi- or Single-Valued Single-valued Defined in Netscape NT Synchronization 2.101 o (organizationName) The organizationName, or o, attribute contains the organization name. For example:
organizationName: Example Corporation
o: Example Corporation
OID 2.5.4.10 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.
2.105 organizationalStatus The organizationalStatus identifies the person's category within an organization. organizationalStatus: researcher OID 0.9.2342.19200300.100.1.45 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 1274 2.106 otherMailbox The otherMailbox attribute contains values for email types other than X.400 and RFC 822. otherMailbox: internet $ jsmith@example.com OID 0.9.2342.19200300.100.1.
pagerTelephoneNumber: 415-555-6789
pager: 415-555-6789
OID 0.9.2342.19200300.100.1.42 Syntax TelephoneNumber Multi- or Single-Valued Multivalued Defined in RFC 1274 2.110 personalSignature The personalSignature attribute contains the entry's signature file, in binary format. personalSignature:: AAAAAA== OID 0.9.2342.19200300.100.1.53 Syntax Binary Multi- or Single-Valued Multivalued Defined in RFC 1274 2.111 personalTitle The personalTitle attribute contains a person's honorific, such as Ms.
Multi- or Single-Valued Multivalued Defined in RFC 2256 2.114 postalAddress The postalAddress attribute identifies the entry's mailing address. This field is intended to include multiple lines. When represented in LDIF format, each line should be separated by a dollar sign ($). To represent an actual dollar sign ($) or backslash (\) within the entry text, use the escaped hex values \24 and \5c respectively. For example, to represent the string: The dollar ($) value can be found in the c:\cost file.
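The following is an added worked example, not part of the HP-UX Directory Server documentation or product code. It implements the postalAddress encoding described above (lines joined with $, a literal $ written as \24 and a literal backslash as \5c) in both directions, and shows why the escaping must happen before a value is stored: a raw $ in user-supplied text is indistinguishable from a line separator once it is in the directory. The page's own sample sentence is used as input; the second address is constructed.

```python
"""Encode and decode multi-line postal addresses in the LDAP PostalAddress
form: lines joined with '$', literal '$' as \\24, literal '\\' as \\5c.
Added example, not product code."""
import re

_ESCAPE = re.compile(r"\\(24|5[cC])")

def encode_postal_address(lines):
    """Escape each line, then join the lines with the '$' separator.
    The backslash is escaped first so the backslash that \\24 introduces
    is not itself re-escaped."""
    return "$".join(line.replace("\\", "\\5c").replace("$", "\\24") for line in lines)

def decode_postal_address(value):
    """Split on '$' and undo both escapes in a single left-to-right pass, so
    '\\5c24' (an escaped backslash followed by the text 24) is read as
    backslash + '24' and not as an escaped '$'."""
    return [_ESCAPE.sub(lambda m: "$" if m.group(1) == "24" else "\\", part)
            for part in value.split("$")]

def is_well_formed(value):
    """True when every backslash in a stored value begins a \\24 or \\5c
    escape. A stray backslash shows the value was stored unescaped; a raw
    '$' cannot be told apart from a separator after the fact."""
    return re.fullmatch(r"(?:[^\\]|\\24|\\5[cC])*", value) is not None

# The page's example text, as two address lines.
PAGE_LINES = ["The dollar ($) value can be found", "in the c:\\cost file."]
ENCODED = encode_postal_address(PAGE_LINES)

# Constructed: a value written to the directory without escaping. The '$'
# that was meant literally splits 'Suite 2B' onto a line of its own.
UNESCAPED = "1234 Ridgeway Drive $ Suite 2B$Stow, Ohio, USA"

if __name__ == "__main__":
    print(ENCODED)
    print(decode_postal_address(ENCODED))
    print(decode_postal_address(UNESCAPED))
```

The same escaping rules apply to homePostalAddress and registeredAddress, which share the PostalAddress syntax; applications that copy a value from one of these attributes into another should copy it encoded rather than decode and re-encode it.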
preferredDeliveryMethod: telephone OID 2.5.4.28 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.118 preferredLanguage The preferredLanguage attribute contains a person's preferred written or spoken language. The value should conform to the syntax for HTTP Accept-Language header values. OID 2.16.840.1.113730.3.1.39 Syntax DirectoryString Multi- or Single-Valued Single-valued Defined in RFC 2798 2.
ref: ldap://server.example.com:389/ou=People, dc=example,dc=com OID 2.16.840.1.113730.3.1.34 Syntax IA5String Multi- or Single-Valued Multivalued Defined in LDAPv3 Referrals Internet Draft 2.122 registeredAddress This attribute contains a postal address for receiving telegrams or expedited documents. The recipient's signature is usually required on delivery. OID 2.5.4.26 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.
Multi- or Single-Valued Multivalued Defined in RFC 2256 2.126 secretary The secretary attribute identifies an entry's secretary or administrative assistant. secretary: cn=John Smith, dc=example,dc=com OID 0.9.2342.19200300.100.1.21 Syntax DN Multi- or Single-Valued Multivalued Defined in RFC 1274 2.127 seeAlso The seeAlso attribute identifies another Directory Server entry that may contain information related to this entry.
shadowFlag: 150 OID 1.3.6.1.1.1.1.11 Syntax Integer Multi- or Single-Valued Single-valued Defined in RFC 2307 2.131 shadowInactive The shadowInactive attribute sets how long, in days, the shadow account can be inactive. shadowInactive: 15 OID 1.3.6.1.1.1.1.9 Syntax Integer Multi- or Single-Valued Single-valued Defined in RFC 2307 2.132 shadowLastChange The shadowLastChange attribute contains the time and date of the last modification to the shadow account.
Multi- or Single-Valued Single-valued Defined in RFC 2307 2.135 shadowWarning The shadowWarning attribute sets how many days in advance of password expiration to send a warning to the user. shadowWarning: 2 OID 1.3.6.1.1.1.1.8 Syntax Integer Multi- or Single-Valued Single-valued Defined in RFC 2307 2.136 singleLevelQuality The singleLevelQuality specifies the purported data quality at the level immediately below in the directory tree. OID 0.9.2342.19200300.100.1.
2.139 street The streetAddress, or street, attribute contains an entry's street name and residential address. For example:
streetAddress: 1234 Ridgeway Drive
street: 1234 Ridgeway Drive
OID 2.5.4.9 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.140 subject The subject attribute contains information about the subject matter of the document entry. subject: employee option grants OID 0.9.2342.19200300.102.1.
supportedAlgorithms:: AAAAAA== OID 2.5.4.52 Syntax Binary Multi- or Single-Valued Multivalued Defined in RFC 2256 2.144 supportedApplicationContext This attribute contains the identifiers of OSI application contexts. OID 2.5.4.30 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.145 telephoneNumber The telephoneNumber contains an entry's phone number. For example: telephoneNumber: 415-555-2233 OID 2.5.4.
• actual-number is the syntactic representation of the number portion of the telex number being encoded.
• country is the TELEX country code.
• answerback is the answerback code of a TELEX terminal.
OID 2.5.4.21 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 2256 2.148 textEncodedORAddress The textEncodedORAddress attribute defines the text-encoded Originator/Recipient (X.400) address of the entry as defined in RFC 987.
userid: jsmith
uid: jsmith
OID 0.9.2342.19200300.100.1.1 Syntax DirectoryString Multi- or Single-Valued Multivalued Defined in RFC 1274 2.152 uidNumber The uidNumber attribute contains a unique numeric identifier for a user entry. This is analogous to the user number in Unix. uidNumber: 120 OID 1.3.6.1.1.1.1.0 Syntax Integer Multi- or Single-Valued Single-valued Defined in RFC 2307 2.
2.155 updatedByDocument The updatedByDocument attribute contains the distinguished name of a document that is an updated version of the document entry. OID 0.9.2342.19200300.102.1.6 Syntax DN Multi- or Single-Valued Multivalued Defined in Internet White Pages Pilot 2.156 updatesDocument The updatesDocument attribute contains the distinguished name of a document for which this document is an updated version. OID 0.9.2342.19200300.102.1.
Transferring cleartext passwords is strongly discouraged where the underlying transport service cannot guarantee confidentiality. Transferring in cleartext may result in disclosure of the password to unauthorized parties. OID 2.5.4.35 Syntax Binary Multi- or Single-Valued Multivalued Defined in RFC 2256 2.160 userPKCS12 This attribute provides a format for the exchange of personal identity information. The attribute is stored and requested in binary form, as userPKCS12;binary.
Multi- or Single-Valued Multivalued Defined in RFC 2256 2.
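The following is an added worked example, not part of the HP-UX Directory Server documentation or product code. The userPassword text above warns about cleartext on the wire; the complementary concern is how the value is stored, which the server controls through passwordStorageScheme (listed in this document's contents). The example hashes and verifies values in the {SSHA} salted-SHA-1 and {SHA} forms used by Netscape-derived directory servers ({SSHA} = base64(sha1(password + salt) + salt) is that convention, not something this page states), and audits an exported set of values for schemes weaker than salted hashing. The sample values are constructed; the 8-byte salt length is this example's choice.

```python
"""Hash, verify and audit userPassword values in the {SSHA} and {SHA}
storage forms. Added example, not product code."""
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Return a '{SSHA}' value: base64 of sha1(password + salt) followed by
    the salt. A fresh random salt per password (8 bytes here, an assumption)
    prevents precomputed-table attacks and hides equal passwords."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def storage_scheme(value):
    """'SSHA', 'SHA', ... from a '{scheme}' prefix; 'CLEAR' when there is none."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEAR"

def verify_password(stored, candidate):
    """Check a candidate against a stored value using constant-time comparison."""
    scheme = storage_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "SSHA":
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; rest is salt
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme == "SHA":
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    if scheme == "CLEAR":
        return hmac.compare_digest(stored.encode("utf-8"), cand)
    raise ValueError("unsupported password storage scheme: " + scheme)

def audit_password_values(values):
    """Values stored with a scheme weaker than salted hashing: cleartext
    and unsalted {SHA}. Run this over an LDIF export to find entries that
    predate a change of passwordStorageScheme (existing hashes are not
    rewritten until the user next changes the password)."""
    return [v for v in values if storage_scheme(v) in ("CLEAR", "SHA")]

# Constructed values as they might appear in an LDIF export.
SAMPLE_VALUES = [
    ssha_hash("correct horse battery staple", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",   # unsalted SHA-1 of 'password'
    "secret123",                           # stored in the clear
]

if __name__ == "__main__":
    print(SAMPLE_VALUES[0])
    print(verify_password(SAMPLE_VALUES[0], "correct horse battery staple"))
    print(audit_password_values(SAMPLE_VALUES))
```

Hashing the stored value does not remove the transport concern in the text: the bind still carries the cleartext candidate, so an LDAPS or StartTLS listener (or a SASL mechanism that does not send the password) is required in addition to a salted storage scheme.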
3 Directory Server object class reference This chapter contains an alphabetical list of the object classes accepted by the default schema. It gives a definition of each object class and lists its required and allowed attributes. The object classes listed in this chapter are available to support entry information in the HP-UX Directory Server (Directory Server).
NOTE: Aliasing entries is not supported in HP-UX Directory Server. Superior Class OID top 2.5.6.1 Required Attributes Attribute Definition objectClass Defines the object classes for the entry. aliasedObjectName Gives the distinguished name of the entry for which this entry is an alias. 3.
Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. Allowed Attributes Attribute Definition aci Evaluates what rights are granted or denied when the Directory Server receives an LDAP request from a client. cn (commonName) Gives the common name of the entry. cosAttribute Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified.
Superior Class OID cosSuperDefinition 2.16.840.1.113730.3.2.101 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. cosAttribute Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified. Allowed Attributes Attribute Definition cn (commonName) Gives the common name of the entry. cosTemplateDn Provides the DN of the template entry which is associated with the CoS definition.
Allowed Attributes Attribute Definition cn (commonName) Gives the common name of the entry. cosPriority Specifies which template provides the attribute value when CoS templates compete to provide an attribute value. 3.9 country The country object class defines entries which represent countries. This object class is defined in RFC 2256. Superior Class OID top 2.5.6.2 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry.
3.11 device The device object class stores information about network devices, such as printers, in the directory. This object class is defined in RFC 2256. Superior Class OID top 2.5.6.14 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the device. cn (commonName) Gives the common name of the device. Allowed Attributes Attribute Definition description Gives a text description of the entry.
Attribute Definition dITRedirect Contains the DN (distinguished name) of the entry to use as a redirect for the document entry. documentAuthor Contains the DN (distinguished name) of the author. documentLocation Gives the location of the original document. documentPublisher Identifies the person or organization that published the document. documentStore Contains information on where the document is stored. documentTitle Contains the title of the document. documentVersion Gives the version number of the document.
Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. cn (commonName) Gives the common name of the entry. Allowed Attributes Attribute Definition description Gives a text description of the entry. l (localityName) Gives the place where the document series is physically located. o (organizationName) Gives the organization to which the document series belongs.
Attribute Definition l (localityName) Gives the city or geographical location of the entry. o (organizationName) Gives the organization to which the entry belongs. physicalDeliveryOfficeName Gives a location where physical deliveries can be made. postOfficeBox Gives the post office box number for the domain. postalAddress Contains the mailing address for the domain. postalCode Gives the postal code for the domain, such as the zip code in the United States.
Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. cn (commonName) Gives the common name of the entry. presentationAddress Contains the entry's OSI presentation address. Allowed Attributes Attribute Definition description Gives a text description of the entry. knowledgeInformation No longer used. l (localityName) Gives the city or geographical location of the entry. o (organizationName) Gives the organization to which the entry belongs.
Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. co (friendlyCountryName) Stores the human-readable country name. c (countryName) Contains the two-character code representing country names, as defined by ISO, in the directory. Allowed Attributes Attribute Definition description Gives a text description of the entry.
NOTE: The definition for this object class in Directory Server differs from the standard definition. In the standard definition, member is a required attribute, while in Directory Server it is an allowed attribute. Directory Server, therefore, allows a group to have no members. Superior Class OID top 2.5.6.9 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. cn (commonName) Gives the common name of the entry.
Allowed Attributes Attribute Definition businessCategory Gives the type of business in which the entry is engaged. description Gives a text description of the entry. o (organizationName) Gives the organization to which the entry belongs. ou (organizationalUnitName) Gives the organizational unit or division to which the entry belongs. owner Contains the DN (distinguished name) of the person responsible for the group. seeAlso Contains a URL to another entry or site with related information.
Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. cn (commonName) Gives the common name of the entry. sn (surname) Gives the person's family name or last name. Allowed Attributes Attribute Definition audio Stores a sound file in binary format. businessCategory Gives the type of business in which the entry is engaged. carLicense Gives the license plate number of the person's vehicle.
Attribute Definition postalCode Gives the postal code for the entry, such as the zip code in the United States. preferredDeliveryMethod Shows the person's preferred method of contact or message delivery. preferredLanguage Gives the person's preferred written or spoken language. registeredAddress Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. roomNumber Gives the room number where the person is located.
3.25 locality The locality object class defines entries that represent localities or geographic areas. This object class is defined in RFC 2256. Superior Class OID top 2.5.6.3 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry. Allowed Attributes Attribute Definition description Gives a text description of the entry. l (localityName) Gives the city or geographical location of the entry.
3.27 newPilotPerson The newPilotPerson object class is a subclass of person that allows additional attributes to be assigned to entries of the person object class. This object class inherits the cn (commonName) and sn (surname) attributes from the person object class. This object class is defined in Internet White Pages Pilot. Superior Class OID person 0.9.2342.19200300.100.4.4 Required Attributes Attribute Definition objectClass Gives the object classes assigned to the entry.
Attribute Definition uid (userID) Contains the person's user ID (usually the logon ID). userClass Describes the type of computer user this entry is. userPassword Stores the password with which the entry can bind to the directory. 3.28 nsComplexRoleDefinition Any role that is not a simple role is, by definition, a complex role. This object class is defined by Directory Server. Superior Class OID nsRoleDefinition 2.16.840.1.113730.3.2.
manage the contents of this object class through the Users and Groups area of the Administration Server. This object class is defined in the Administration Server schema.
Superior Class: top
OID: 2.16.840.1.113730.3.2.7
Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
Allowed Attributes
Attribute                Definition
nsLicensedFor            Identifies the server that the user is licensed to use.
nsLicensedEndTime        Reserved for future use.
Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
nsRoleDn                 Specifies the roles assigned to an entry.
Allowed Attributes
Attribute                Definition
cn (commonName)          Gives the common name of the entry.
description              Gives a text description of the entry.

3.33 nsRoleDefinition
All role definition object classes inherit from the nsRoleDefinition object class. This object class is defined by Directory Server.
Superior Class: ldapSubEntry
OID: 2.16.840.1.

Allowed Attributes
Attribute                Definition
cn (commonName)          Gives the common name of the entry.
description              Gives a text description of the entry.

3.35 ntGroup
The ntGroup object class holds data for a group entry stored in a Windows Active Directory server. Several Directory Server attributes correspond directly to or are mapped to match Windows group attributes.
Attribute                Definition
ou (organizationalUnitName)  Gives the organizational unit or division to which the entry belongs.
seeAlso                  Contains a URL to another entry or site with related information.

3.36 ntUser
The ntUser entry holds data for a user entry stored in a Windows Active Directory server. Several Directory Server attributes correspond directly to or are mapped to match Windows user account fields.

Attribute                Definition
ntUserDeleteAccount      Specifies whether a Windows account should be deleted when this entry is deleted in the Directory Server.
ntUserHomeDir            Gives the path to the user's home directory.
ntUserLastLogoff         Gives the time of the user's last logoff from the Windows server.
ntUserLastLogon          Gives the time of the user's last logon to the Windows server.
ntUserMaxStorage         Shows the maximum disk space available to the user in the Windows server.
Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
o (organizationName)     Gives the organization to which the entry belongs.
Allowed Attributes
Attribute                Definition
businessCategory         Gives the type of business in which the entry is engaged.
description              Gives a text description of the entry.
destinationIndicator     Gives the country and city associated with the entry; this was once required to provide public telegram service.

OID: 2.5.6.7
Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
cn (commonName)          Gives the common name of the entry.
sn (surname)             Gives the person's family name or last name.
Allowed Attributes
Attribute                Definition
description              Gives a text description of the entry.
destinationIndicator     Gives the country and city associated with the entry; this was once required to provide public telegram service.

OID: 2.5.6.8
Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
cn (commonName)          Gives the common name of the entry.
Allowed Attributes
Attribute                Definition
description              Gives a text description of the entry.
destinationIndicator     Gives the country and city associated with the entry; this was once required to provide public telegram service.
fax (facsimileTelephoneNumber)  Contains the fax number for the entry.

Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
ou (organizationalUnitName)  Gives the organizational unit or division to which the entry belongs.
Allowed Attributes
Attribute                Definition
businessCategory         Gives the type of business in which the entry is engaged.
description              Gives a text description of the entry.
destinationIndicator     Gives the country and city associated with the entry; this was once required to provide public telegram service.

Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
cn (commonName)          Gives the common name of the entry.
sn (surname)             Gives the person's family name or last name.
Allowed Attributes
Attribute                Definition
description              Gives a text description of the entry.
seeAlso                  Contains a URL to another entry or site with related information.
telephoneNumber          Gives the telephone number for the entry.
3.43 pilotOrganization
The pilotOrganization object class is a subclass used to add attributes to organization and organizationalUnit object class entries. This object class is defined in RFC 1274.
Superior Class: top
OID: 0.9.2342.19200300.100.4.20
Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
o (organizationName)     Gives the organization to which the entry belongs.

Attribute                Definition
userPassword             Stores the password with which the entry can bind to the directory.
x121Address              Gives the X.121 address for the entry.

3.44 posixAccount
The posixAccount object class defines network accounts which use POSIX attributes. This object class is defined in RFC 2307, which defines object classes and attributes to use LDAP as a network information service.
Superior Class: top
OID: 1.3.6.1.1.1.2.
Required Attributes
Attribute                Definition
cn (commonName)          Gives the common name of the entry.
gidNumber                Contains the path to a script that is launched automatically when a user logs into the domain.
objectClass              Gives the object classes assigned to the entry.
Allowed Attributes
Attribute                Definition
description              Gives a text description of the entry.
memberUID                Gives the login name of the group member; this possibly may not be the same as the member's DN.

Attribute                Definition
preferredDeliveryMethod  Shows the person's preferred method of contact or message delivery.
registeredAddress        Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.
seeAlso                  Contains a URL to another entry or site with related information.
st (stateOrProvinceName)  Gives the state or province where the person is located.
street (streetAddress)   Gives the street name and address number for the person's physical location.

Attribute                Definition
postalCode               Gives the postal code for the entry, such as the zip code in the United States.
postOfficeBox            Gives the post office box number for the entry.
preferredDeliveryMethod  Shows the person's preferred method of contact or message delivery.
registeredAddress        Gives a postal address suitable to receive expedited documents when the recipient must verify delivery.
This object class is defined in RFC 2307, which defines object classes and attributes to use LDAP as a network information service.
Superior Class: top
OID: 1.3.6.1.1.1.2.1
Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
uid (userID)             Gives the defined account's user ID.
Allowed Attributes
Attribute                Definition
description              Gives a text description of the entry.
shadowExpire             Contains the date that the shadow account expires.

Required Attributes
Attribute                Definition
objectClass              Gives the object classes assigned to the entry.
userCertificate          Stores a user's certificate, usually in binary form.

3.
4 Operational attributes, special attributes, and special object classes
This chapter provides definitions, syntax, and OIDs used by the HP-UX Directory Server. Operational attributes are attributes used to perform directory operations and are available for every entry in the directory, regardless of whether they are defined for the object class of the entry. Operational attributes are only returned in an ldapsearch operation if specifically requested.
4.1.4 attributeTypes
This attribute is used in a schema file to identify an attribute defined within the subschema.
OID: 2.5.21.5
Syntax: DirectoryString
Multi- or Single-Valued: Multivalued
Defined in: RFC 2252

4.1.5 copiedFrom
This attribute is used by a read-only replica to recognize a master data source. It contains a reference to the server that holds the master data. This attribute is only used for legacy replication; it is not used for multi-master replication.
OID: 2.16.840.1.113730.3.1.

Multi- or Single-Valued: Multivalued
Defined in: RFC 2252

4.1.9 ldapSyntaxes
This attribute identifies the syntaxes implemented, with each value corresponding to one syntax.
OID: 1.3.6.1.4.1.1466.101.120.16
Syntax: DirectoryString
Multi- or Single-Valued: Multivalued
Defined in: RFC 2252

4.1.10 matchingRules
This attribute defines the matching rules used within a subschema. Each value defines one matching rule.
OID: 2.5.21.
DN of the root). This attribute permits a client contacting a server to choose suitable base objects for searching.
OID: 1.3.6.1.4.1.1466.101.120.5
Syntax: DN
Multi- or Single-Valued: Multivalued
Defined in: RFC 2252

4.1.14 nsRole
This attribute is a computed attribute that is not stored with the entry itself. It identifies the roles to which an entry belongs.
OID: 2.16.840.1.113730.3.1.574
Syntax: DN
Multi- or Single-Valued: Multivalued
Defined in: Directory Server

4.1.

4.1.16 nsRoleFilter
This attribute sets the filter that identifies the entries which belong to the role.
OID: 2.16.840.1.113730.3.1.576
Syntax: IA5String
Multi- or Single-Valued: Single-valued
Defined in: RFC 2252

4.1.17 numSubordinates
This attribute indicates how many immediate subordinates an entry has. For example, numSubordinates=0 in a leaf entry.
OID: 1.3.1.1.4.1.453.16.2.103
Syntax: Integer
Multi- or Single-Valued: Single-valued
Defined in: numSubordinates Internet Draft

4.1.
4.1.21 passwordCheckSyntax (pwdCheckSyntax)
This attribute specifies whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any trivial words, such as the user's name or ID or any attribute value stored in the uid, cn, sn, givenName, ou, or mail attributes of the user's directory entry.
OID: 2.16.840.1.113730.3.1.
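The check described above, written out as an added example (this is illustrative code, not Directory Server's own implementation): a minimum-length test plus a trivial-word test against the entry's uid, cn, sn, givenName, ou and mail values. Two details are assumptions of this example rather than statements on the page: the comparison is case-insensitive, and a multi-word value such as a cn of "Jane Doe" contributes each of its words as well as the whole value. The entry and password values are constructed for the example.

```python
"""Added example: a password syntax check modelled on the passwordCheckSyntax
description (minimum length plus a trivial-word test).  Not Directory
Server's implementation; case-folding and word splitting are assumptions."""
from typing import Dict, List

# Attributes whose values count as trivial words, as listed on the page.
TRIVIAL_WORD_ATTRIBUTES = ("uid", "cn", "sn", "givenName", "ou", "mail")
MIN_WORD_LEN = 3  # assumption: ignore fragments shorter than this (e.g. ou "IT")


def trivial_words(entry: Dict[str, List[str]]) -> List[str]:
    """Collect, in order and without duplicates, the words a password must not contain."""
    candidates: List[str] = []
    for attr in TRIVIAL_WORD_ATTRIBUTES:
        for raw in entry.get(attr, []):
            value = raw.strip().lower()
            if not value:
                continue
            # Assumption: for a mail address the local part alone is also trivial.
            if attr == "mail" and "@" in value:
                candidates.append(value.split("@", 1)[0])
            candidates.append(value)
            # Assumption: each word of a multi-word value is trivial on its own.
            candidates.extend(value.split())
    seen = set()
    words: List[str] = []
    for word in candidates:
        if len(word) >= MIN_WORD_LEN and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def check_password_syntax(password: str, entry: Dict[str, List[str]],
                          min_length: int = 7) -> List[str]:
    """Return the list of violations; an empty list means the password passes.

    min_length plays the role of passwordMinLength (the page suggests 6 or 7)."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than passwordMinLength={min_length}")
    lowered = password.lower()
    for word in trivial_words(entry):
        if word in lowered:
            problems.append(f"contains trivial word '{word}' taken from the entry")
    return problems


# Constructed sample entry for the example (not from the page).
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "givenName": ["Jane"],
    "ou": ["Engineering"],
    "mail": ["jane.doe@example.com"],
}

if __name__ == "__main__":
    for candidate in ("jdoe2009!", "Xy7!", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password_syntax(candidate, SAMPLE_ENTRY) or "ok")
```

Because the page lists the attributes by name, the check reads them from a plain dictionary of attribute values; the same function can be run over entries fetched with ldapsearch once they are decoded into that shape.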
Multi- or Single-Valued: Single-valued
Defined in: Directory Server

4.1.26 passwordGraceUserTime
This attribute counts the number of attempts the user has made with the expired password.
OID: 2.16.840.1.113730.3.1.998
Syntax: DirectoryString
Multi- or Single-Valued: Single-valued
Defined in: Directory Server

4.1.27 passwordHistory
This attribute contains the history of the user's previous passwords.
OID: 2.16.840.1.113730.3.1.

4.1.30 passwordLockoutDuration (pwdLockoutDuration)
This attribute indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. The account lockout is enabled and disabled using the passwordLockout attribute.
OID: 2.16.840.1.113730.3.1.
password length is at least 6 or 7 characters. This is long enough to be difficult to crack, but short enough that users can remember the password without writing it down.
OID: 2.16.840.1.113730.3.1.99
Syntax: Integer
Multi- or Single-Valued: Single-valued
Defined in: Directory Server

4.1.35 passwordMustChange (pwdMustChange)
This attribute sets whether users must change their passwords when they first bind to the Directory Server or when the password has been reset by the Directory Manager.
OID: 2.16.
Three encryption types (password storage schemes) are supported by Directory Server:
• SSHA (Salted Secure Hash Algorithm) is the recommended method as it is the most secure.
• SHA (Secure Hash Algorithm) is supplied only for compatibility with 4.x legacy servers and should not be used otherwise.
• CRYPT is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords.
OID: 2.16.840.1.113730.3.1.221
Syntax: DirectoryString
Multi- or Single-Valued: Single-valued
Defined in: Directory Server

4.1.
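The difference between the SSHA and SHA schemes above, as an added example that is not code from the page or from Directory Server: both store a base64 string prefixed with the scheme name in braces, the conventional LDAP userPassword layout, but SSHA appends a random salt to the hashed input and to the stored value, so two users with the same password get different stored values and a precomputed table of SHA digests is useless against them. The salt length used when encoding (8 bytes) is an assumption of this example; the verifier does not depend on it, because it takes everything after the 20-byte SHA-1 digest as salt. The audit helper at the end flags entries that still use SHA, CRYPT or cleartext, which is the configuration the page says should not be used. CRYPT is deliberately not verified here. The sample entries are constructed.

```python
"""Added example: encode and verify {SSHA}/{SHA} userPassword values and
audit stored entries for weak storage schemes.  Illustrative code, not
Directory Server's implementation; the 8-byte salt length is an assumption."""
import base64
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

SHA1_DIGEST_LEN = 20  # bytes; everything after it in an SSHA value is the salt


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return "{SSHA}" + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumed salt length for this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def encode_sha(password: str) -> str:
    """Return the unsalted legacy form "{SHA}" + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def split_scheme(stored: str) -> Tuple[str, str]:
    """Split "{SCHEME}payload" into (SCHEME, payload); cleartext gives ("", value)."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return "", stored


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} or {SHA} value.

    Uses a constant-time comparison so the check itself leaks nothing about
    how many digest bytes matched."""
    scheme, payload = split_scheme(stored)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif scheme == "SHA":
        digest = base64.b64decode(payload)
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
    else:
        raise ValueError(f"scheme '{scheme or 'cleartext'}' is not handled by this example")
    return hmac.compare_digest(candidate, digest)


def weak_scheme_entries(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Audit helper: return (dn, scheme) for every entry not stored as SSHA."""
    weak = []
    for dn, stored in entries:
        scheme, _ = split_scheme(stored)
        if scheme != "SSHA":
            weak.append((dn, scheme or "cleartext"))
    return weak


# Constructed sample entries (dn, userPassword) for the example, not from the page.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=People,dc=example,dc=com", encode_ssha("s3cret", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")),
    ("uid=bob,ou=People,dc=example,dc=com", encode_sha("s3cret")),
    ("uid=carol,ou=People,dc=example,dc=com", "{CRYPT}xxSAMPLEhashxx"),
    ("uid=dave,ou=People,dc=example,dc=com", "plaintext-password"),
]

if __name__ == "__main__":
    print("alice ok:", verify_userpassword("s3cret", SAMPLE_ENTRIES[0][1]))
    print("weak:", weak_scheme_entries(SAMPLE_ENTRIES))
```

Note that the two "s3cret" entries above produce different stored strings only because of the SSHA salt; the SHA value for a given password is always the same, which is why the page restricts SHA to legacy compatibility.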
4.1.42 retryCountResetTime
This attribute specifies the length of time that passes before the passwordRetryCount attribute is reset.
OID: 2.16.840.1.113730.3.1.94
Syntax: DirectoryString
Multi- or Single-Valued: Single-valued
Defined in: Directory Server

4.1.43 subschemaSubentry
This attribute contains the DN of an entry that contains schema information. For example:
subschemaSubentry: cn=schema
OID: 2.5.18.10
Syntax: DN
Multi- or Single-Valued: Single-valued
Defined in: RFC 2252

4.1.

Multi- or Single-Valued: Multivalued
Defined in: RFC 2252

4.1.47 supportedSASLMechanisms
This attribute identifies the names of the SASL mechanisms supported by the server. When the server does not support SASL attributes, this attribute is absent.
OID: 1.3.6.1.4.1.1466.101.120.14
Syntax: DirectoryString
Multi- or Single-Valued: Multivalued
Defined in: RFC 2252

4.
Multi- or Single-Valued: Multivalued
Defined in: Changelog Internet Draft

4.2.4 changeTime
This attribute defines a time, in a YYMMDDHHMMSS format, when the entry was added.
OID: 2.16.840.1.113730.3.1.77
Syntax: DirectoryString
Multi- or Single-Valued: Multivalued
Defined in: Directory Server

4.2.5 changeType
This attribute specifies the type of LDAP operation: add, delete, modify, or modrdn. For example:
changeType: modify
OID: 2.16.840.1.113730.3.1.

Multi- or Single-Valued: Multivalued
Defined in: Changelog Internet Draft

4.2.9 nsEncryptionAlgorithm
This attribute specifies the encryption cipher for the encrypted attribute in the nsAttributeEncryption object class. A different nsEncryptionAlgorithm attribute is used for every encrypted attribute.
OID: 2.16.840.1.113730.3.1.2063
Syntax: Case-exact string
Multi- or Single-Valued: Single-valued
Defined in: Directory Server

4.2.
4.2.13 targetDn
This attribute contains the DN of the entry that was affected by the LDAP operation. In the case of a modrdn operation, the targetDn attribute contains the DN of the entry before it was modified or moved.
OID: 2.16.840.1.113730.3.1.6
Syntax: DN
Multi- or Single-Valued: Multivalued
Defined in: Changelog Internet Draft

4.3 Special object classes

4.3.1 changeLogEntry
This object class is used for entries which store changes made to the Directory Server entries.

OID: 2.16.840.1.113730.3.2.316
Required Attributes
objectClass              Defines the object classes for the entry.
cn (commonName)          Specifies the attribute being encrypted using its common name.
nsEncryptionAlgorithm    The encryption cipher used.

4.3.3 nsDS5Replica
This object class is for entries which define a replica in database replication. Many of these attributes are set within the backend and cannot be modified.
4.3.4 nsDS5ReplicationAgreement
Entries with the nsDS5ReplicationAgreement object class store the information set in a replication agreement. Information on the attributes for this object class is in chapter 2 of the HP-UX Directory Server configuration, command, and file reference. This object class is defined in Directory Server.
Superior Class: top
OID: 2.16.840.1.113730.3.2.103
Required Attributes
objectClass              Defines the object classes for the entry.

nsDS5ReplicaUpdateInProgress  States whether a replication schedule update is in progress.
nsDS5ReplicaUpdateSchedule    Specifies the replication schedule.
nsDS50ruv                Manages the internal state of the replica via the replication update vector.
nsruvReplicaLastModified Contains the most recent time that an entry in the replica was modified and the changelog was updated.

4.3.5 nsDSWindowsReplicationAgreement
Stores the synchronization attributes that concern the synchronization agreement.

nsDS5ReplicaPort         Specifies the port number for the Windows server.
nsDS5ReplicaRoot         Specifies the root suffix DN of the Directory Server.
nsDS5ReplicaSessionPauseTime  Specifies the amount of time in seconds the Directory Server should wait between update sessions.
nsDS5ReplicaTimeout      Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing.
Superior Class: top
OID: 2.16.840.1.113730.3.2.12
Required Attributes
objectClass              Defines the object classes for the entry.
Allowed Attributes
accountUnlockTime        Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.
passwordAllowChangeTime  Specifies the length of time that must pass before users are allowed to change their passwords.
passwordExpirationTime   Specifies the length of time that passes before the user's password expires.

nameForms                Defines the name forms used in a subschema.
objectClasses            Defines the object classes used in a subschema.

4.
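The lockout mechanism is spread over several attributes on this page: passwordLockoutDuration (section 4.1.30), retryCountResetTime and passwordRetryCount (section 4.1.42), and accountUnlockTime on the passwordObject entry above. The following added example ties them together as a small simulation; it is illustrative code, not Directory Server's implementation. Two things are assumptions: the number of failures that triggers a lockout (max_failures; the page gives no value) and the decision to clear the retry count when a lock expires. Times are plain integer seconds supplied by the caller so the behaviour is deterministic and the example runs offline.

```python
"""Added example: simulate account lockout using the attribute names from the
page (passwordRetryCount, retryCountResetTime, passwordLockoutDuration,
accountUnlockTime).  Not Directory Server's implementation; max_failures and
the reset-on-unlock rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3          # ASSUMED threshold; the page states no value
    lockout_duration: int = 600    # passwordLockoutDuration, in seconds
    retry_count_reset: int = 300   # retryCountResetTime, in seconds


@dataclass
class AccountState:
    """Per-entry operational attributes touched by the lockout mechanism."""
    password_retry_count: int = 0                # passwordRetryCount
    retry_count_reset_at: Optional[int] = None   # when passwordRetryCount resets
    account_unlock_time: Optional[int] = None    # accountUnlockTime


def is_locked(state: AccountState, now: int) -> bool:
    """An account is locked until accountUnlockTime has passed."""
    return state.account_unlock_time is not None and now < state.account_unlock_time


def record_bind(state: AccountState, policy: LockoutPolicy,
                success: bool, now: int) -> str:
    """Apply one bind attempt and return 'locked', 'ok', 'failed' or 'locked-out'."""
    if is_locked(state, now):
        return "locked"          # a locked account rejects even a correct password
    if state.account_unlock_time is not None:
        # Lock has expired: clear it and (assumption) start counting afresh.
        state.account_unlock_time = None
        state.password_retry_count = 0
        state.retry_count_reset_at = None
    if state.retry_count_reset_at is not None and now >= state.retry_count_reset_at:
        # retryCountResetTime has passed, so old failures no longer count.
        state.password_retry_count = 0
        state.retry_count_reset_at = None
    if success:
        state.password_retry_count = 0
        state.retry_count_reset_at = None
        return "ok"
    state.password_retry_count += 1
    state.retry_count_reset_at = now + policy.retry_count_reset
    if state.password_retry_count >= policy.max_failures:
        state.account_unlock_time = now + policy.lockout_duration
        return "locked-out"
    return "failed"


def locked_accounts(states: Dict[str, AccountState], now: int) -> List[str]:
    """Audit helper: DNs whose accountUnlockTime is still in the future."""
    return [dn for dn, st in states.items() if is_locked(st, now)]


if __name__ == "__main__":
    policy = LockoutPolicy()
    # Constructed scenario: three wrong passwords in quick succession.
    alice = AccountState()
    for t in (0, 10, 20):
        print(t, record_bind(alice, policy, success=False, now=t))
    print(100, record_bind(alice, policy, success=True, now=100))   # still locked
    print(620, record_bind(alice, policy, success=True, now=620))   # lock expired
```

The simulation shows the defensive property the page describes: once the threshold is reached, even a correct password is refused until passwordLockoutDuration has elapsed, while failures spaced further apart than retryCountResetTime never accumulate.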
5 Support and other resources

5.1 Contacting HP

5.1.1 Information to collect before contacting HP
Be sure to have the following information available before you contact HP:
• Software product name
• Hardware product model number
• Operating system type and version
• Applicable error message
• Third-party hardware or software
• Technical support registration number (if applicable)

5.1.

• HP-UX Directory Server administration server guide
  The Administration Server is a support server that drives access to the Directory Server Console, provides a web server for Directory Server web applications, and stores some Directory Server configuration. This guide covers how to manage the Administration Server through the Console, through the command line, and through the web services. It also covers basic Administration Server concepts.

5.2.3 Troubleshooting resources
• You can search a technical knowledge database available on the HP IT Resource Center (ITRC) website at: http://itrc.hp.com/
• To seek solutions to problems, you can post messages on the ITRC Forums page at the following website (select the HP-UX area in the Areas of peer problem solving section): http://forums.itrc.hp.com/

5.3 Typographic conventions
This document uses the following typographical conventions:
Book title               The title of a book.
Glossary

A

access control instruction
    See ACI.
access control list
    See ACL.
access rights
    In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.

bind distinguished name
    See bind DN.
bind DN
    Distinguished name used to authenticate to Directory Server when performing an operation.
bind rule
    In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information.
branch entry
    An entry that represents the top of a subtree in the directory.

CoS definition entry
    Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects.
CoS template entry
    Contains a list of the shared attribute values. See also template entry.

D

daemon
    A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.
DAP
    Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory.

file type
    The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML).
filter
    A constraint applied to a directory query that restricts the information returned.
filtered role
    Allows you to assign entries to the role depending upon the attribute contained by each entry. You do this by specifying an LDAP filter.

L

LDAP
    Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.
LDAP client
    Software used to request and view LDAP entries from an LDAP Directory Server. See also browser.
LDAP Data Interchange Format
    See LDAP Data Interchange Format.
LDAP URL
    Provides the means of locating Directory Servers using DNS, then completing the query through LDAP. A sample LDAP URL is ldap://ldap.example.com.

    are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version.
multiplexor
    The server containing the database link that communicates with the remote server.

N

n + 1 directory problem
    The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.
name collisions
    Multiple entries with the same distinguished name.

presence index
    Allows searches for entries that contain a specific indexed attribute.
protocol
    A set of rules that describes how devices on a network exchange information.
protocol data unit
    See PDU.
proxy authentication
    A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN.
proxy DN
    Used with proxied authorization.

S

SASL
    An authentication framework for clients as they attempt to bind to a directory. Also Simple Authentication and Security Layer.
schema
    Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.
schema checking
    Ensures that entries added or modified in the directory conform to the defined schema.

superuser
    The most privileged user available on Unix machines. The superuser has complete access privileges to all files on the machine. Also called root.
supplier
    Server containing the master copy of directory trees or subtrees that are replicated to replica servers.
supplier server
    In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.