Chapter 6. Operational Attributes and Object Classes
Operational attributes are attributes used to perform directory operations and are available for every entry in the directory, regardless of whether they are defined for the object class of the entry. Operational attributes are only returned in an ldapsearch operation if specifically requested. To return all operational attributes of an object, specify + in the list of attributes to return.
Operational attributes are created and managed by Directory Server on entries, such as the time the entry is created or modified and the creator’s name. These attributes can be set on any entry, regardless of other attributes or object classes on the entry.
6.1. accountUnlockTime
The accountUnlockTime attribute contains the date and time, in GMT format, at which the account will become unlocked. A value of 0 means that the account must be unlocked by an administrator.
OID | 2.16.840.1.113730.3.1.95 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in | Directory Server |
6.2. aci
This attribute is used by the Directory Server to evaluate what rights are granted or denied when it receives an LDAP request from a client.
OID | 2.16.840.1.113730.3.1.55 |
Syntax | IA5String |
Multi- or Single-Valued | Multi-valued |
Defined in | Directory Server |
6.3. altServer
The values of this attribute are URLs of other servers which may be contacted when this server becomes unavailable. If the server does not know of any other servers which could be used, this attribute is absent. This information can be cached in case the preferred LDAP server later becomes unavailable.
OID | 1.3.6.1.4.1.1466.101.120.6 |
Syntax | IA5String |
Multi- or Single-Valued | Multi-valued |
Defined in |
6.4. createTimestamp
This attribute contains the date and time that the entry was initially created.
OID | 2.5.18.1 |
Syntax | GeneralizedTime |
Multi- or Single-Valued | Single-valued |
Defined in |
6.5. creatorsName
This attribute contains the name of the user who created the entry.
OID | 2.5.18.3 |
Syntax | DN |
Multi- or Single-Valued | Single-valued |
Defined in |
6.6. dITContentRules
This attribute defines the DIT content rules which are in force within a subschema. Each value defines one DIT content rule. Each value is tagged by the object identifier of the structural object class to which it pertains.
OID | 2.5.21.2 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in |
6.7. dITStructureRules
This attribute defines the DIT structure rules which are in force within a subschema. Each value defines one DIT structure rule.
OID | 2.5.21.1 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in |
6.8. entryusn
When the USN Plug-in is enabled, the server automatically assigns an update sequence number (USN) to entries every time a write operation (add, modify, modrdn, or delete) is performed. The USN is stored in the entryUSN operational attribute on the entry; the entryUSN, then, shows the number for the most recent change on any entry.
The entryUSN attribute increments only with operations performed by LDAP clients. It does not count internal operations.
By default, the entryUSN is unique per back end database instance, so entries in other databases may have the same USN. The nsslapd-entryusn-global parameter changes the assignment of USNs from local to global, that is, from being counted on a single database to being counted for all databases in the topology. The parameter is turned off by default.
A corresponding attribute, lastusn, is kept in the root DSE entry and shows the most recently assigned USN. In local mode, lastusn shows the most recently assigned USN per back end database. In global mode, lastusn shows the most recently assigned USN for the entire topology.
OID | 2.16.840.1.113730.3.1.606 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
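As an added example (not part of the Directory Server documentation), the following Python reads lastusn from a root DSE and reports which entries changed after an audit checkpoint, keeping per-back-end counters apart in local mode. The per-back-end form lastusn;<backend> and the sample values are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed root DSE attributes (not real server output).
# Local mode: one counter per back end, assumed to be carried as a
# "lastusn;<backend>" subtype. Global mode: one counter for the topology.
ROOT_DSE_LOCAL = {"lastusn;userroot": "118", "lastusn;ipaca": "7"}
ROOT_DSE_GLOBAL = {"lastusn": "4021"}

# Constructed entries as (dn, back end, entryusn). Note that entryUSN only
# moves for LDAP client writes, so purely internal updates (for example a
# plug-in rewriting memberOf) are invisible to a USN-based audit.
ENTRIES: List[Tuple[str, str, int]] = [
    ("uid=alice,ou=people,dc=example,dc=com", "userroot", 101),
    ("uid=bob,ou=people,dc=example,dc=com", "userroot", 117),
    ("cn=svc,ou=people,dc=example,dc=com", "userroot", 118),
    ("cn=ca1,o=ipaca", "ipaca", 7),
]


def last_usn(root_dse: Dict[str, str]) -> Dict[str, int]:
    """Return {backend: lastusn}. In global mode there is no subtype, so the
    single counter is stored under the key '*'."""
    result: Dict[str, int] = {}
    for name, value in root_dse.items():
        attr, _, backend = name.partition(";")
        if attr.lower() == "lastusn":
            result[backend.lower() or "*"] = int(value)
    return result


def changed_since(entries: List[Tuple[str, str, int]],
                  checkpoint: Dict[str, int]) -> List[str]:
    """DNs whose entryusn is above the checkpoint for their back end.
    USNs are only comparable within one back end in local mode, so the
    checkpoint is keyed exactly like the output of last_usn()."""
    changed = []
    for dn, backend, usn in entries:
        baseline = checkpoint.get(backend.lower(), checkpoint.get("*", -1))
        if usn > baseline:
            changed.append(dn)
    return changed
```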
6.9. internalCreatorsName
For entries which were created by a plug-in or by the server, rather than a Directory Server user, this attribute records what internal user (by plug-in DN) created the entry.
The internalCreatorsname attribute always shows a plug-in as the identity. This plug-in could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the core Directory Server, then the plug-in is the database plug-in, cn=ldbm database,cn=plugins,cn=config.
OID | 2.16.840.1.113730.3.1.2114 |
Syntax | DN |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.10. internalModifiersName
If an entry is edited by a plug-in or by the server, rather than a Directory Server user, this attribute records what internal user (by plug-in DN) modified the entry.
The internalModifiersname attribute always shows a plug-in as the identity. This plug-in could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the core Directory Server, then the plug-in is the database plug-in, cn=ldbm database,cn=plugins,cn=config.
OID | 2.16.840.1.113730.3.1.2113 |
Syntax | DN |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.11. hasSubordinates
This attribute indicates whether the entry has subordinate entries.
OID | 1.3.6.1.4.1.1466.115.121.1.7 |
Syntax | Boolean |
Multi- or Single-Valued | Single-valued |
Defined in | numSubordinates Internet Draft |
6.12. lastLoginTime
The lastLoginTime attribute contains a timestamp of the last time that the given account authenticated to the directory, in the format YYYYMMDDHHMMSSZ. For example:
lastLoginTime: 20200527001051Z
This is used to evaluate account lockout policies based on account inactivity.
OID | 2.16.840.1.113719.1.1.4.1.35 |
Syntax | GeneralizedTime |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
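As an added example (not part of the Directory Server documentation), this Python classifies accounts from the lastLoginTime, accountUnlockTime and nsAccountLock operational attributes described in this chapter. The 90-day inactivity limit, the assumption that accountUnlockTime uses the same YYYYMMDDHHMMSSZ form, and the sample entries are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict

INACTIVITY_LIMIT = timedelta(days=90)  # assumed local policy, not a server default


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form used by lastLoginTime (UTC only)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_state(entry: Dict[str, str], now: datetime) -> str:
    """Classify one entry. Attribute names are matched case-insensitively
    because LDAP attribute names are case-insensitive."""
    attrs = {k.lower(): v for k, v in entry.items()}
    if attrs.get("nsaccountlock", "").lower() == "true":
        return "inactivated"
    unlock = attrs.get("accountunlocktime")
    if unlock is not None:
        if unlock == "0":  # per 6.1: only an administrator can unlock
            return "locked-until-admin-unlock"
        if parse_generalized_time(unlock) > now:
            return "locked-until-" + unlock
    login = attrs.get("lastlogintime")
    if login is None:
        return "never-logged-in"
    if now - parse_generalized_time(login) > INACTIVITY_LIMIT:
        return "inactive"
    return "active"


def audit(entries: Dict[str, Dict[str, str]], now: datetime) -> Dict[str, str]:
    return {dn: account_state(attrs, now) for dn, attrs in entries.items()}


# Constructed sample entries (not real directory data).
SAMPLE = {
    "uid=alice,ou=people,dc=example,dc=com": {"lastLoginTime": "20200527001051Z"},
    "uid=bob,ou=people,dc=example,dc=com": {"lastLoginTime": "20200101120000Z"},
    "uid=carol,ou=people,dc=example,dc=com": {"accountUnlockTime": "0",
                                              "lastLoginTime": "20200526090000Z"},
    "uid=dave,ou=people,dc=example,dc=com": {"nsAccountLock": "true"},
    "uid=erin,ou=people,dc=example,dc=com": {"accountUnlockTime": "20200601000000Z"},
}
NOW = datetime(2020, 5, 28, tzinfo=timezone.utc)  # constructed reference time
```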
6.13. lastModifiedBy
The lastModifiedBy attribute contains the distinguished name (DN) of the user who last edited the entry. For example:
lastModifiedBy: cn=Barbara Jensen,ou=Engineering,dc=example,dc=com
OID | 0.9.2342.19200300.100.1.24 |
Syntax | DN |
Multi- or Single-Valued | Multi-valued |
Defined in |
6.14. lastModifiedTime
The lastModifiedTime attribute contains the time, in UTC format, at which an entry was last modified. For example:
lastModifiedTime: Thursday, 22-Sep-93 14:15:00 GMT
OID | 0.9.2342.19200300.100.1.23 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in |
6.15. ldapSubEntry
These entries hold operational data. This object class is defined in the LDAP Subentry Internet Draft.
Superior Class | top |
OID | 2.16.840.1.113719.2.142.6.1.1 |

Attribute | Definition |
---|---|
| | Gives the object classes assigned to the entry. |

Attribute | Definition |
---|---|
| | Specifies the common name of the entry. |
6.16. ldapSyntaxes
This attribute identifies the syntaxes implemented, with each value corresponding to one syntax.
OID | 1.3.6.1.4.1.1466.101.120.16 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in |
6.17. matchingRules
This attribute defines the matching rules used within a subschema. Each value defines one matching rule.
OID | 2.5.21.4 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in |
6.18. matchingRuleUse
This attribute indicates the attribute types to which a matching rule applies in a subschema.
OID | 2.5.21.8 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in |
6.19. modifyTimestamp
This attribute contains the date and time that the entry was most recently modified.
OID | 2.5.18.2 |
Syntax | GeneralizedTime |
Multi- or Single-Valued | Single-valued |
Defined in |
6.20. modifiersName
This attribute contains the name of the user who last modified the entry.
OID | 2.5.18.4 |
Syntax | DN |
Multi- or Single-Valued | Single-valued |
Defined in |
6.21. nameForms
This attribute defines the name forms used in a subschema. Each value defines one name form.
OID | 2.5.21.7 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in |
6.22. nsAccountLock
This attribute shows whether the account is active or inactive.
OID | 2.16.840.1.113730.3.1.610 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in | Directory Server |
6.23. nsAIMStatusGraphic
This attribute contains a path pointing to the graphic which illustrates the AIM user status.
OID | 2.16.840.1.113730.3.1.2018 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.24. nsAIMStatusText
This attribute contains the text which indicates the current AIM user status.
OID | 2.16.840.1.113730.3.1.2017 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.25. nsBackendSuffix
This contains the suffix used by the back end.
OID | 2.16.840.1.113730.3.1.803 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in | Directory Server |
6.26. nscpEntryDN
This attribute contains the (former) entry DN for a tombstone entry.
OID | 2.16.840.1.113730.3.1.545 |
Syntax | DN |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.27. nsDS5ReplConflict
This attribute is included on entries that have a change conflict that cannot be resolved automatically by the synchronization or replication process. The value of the nsDS5ReplConflict attribute contains information about which entries are in conflict, usually by referring to them by their nsUniqueID, for both current entries and tombstone entries.
OID | 2.16.840.1.113730.3.1.973 |
Syntax | DirectoryString |
Multi- or Single-Valued | Multi-valued |
Defined in | Directory Server |
6.28. nsICQStatusGraphic
This attribute contains a path pointing to the graphic which illustrates the ICQ user status.
OID | 2.16.840.1.113730.3.1.2022 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.29. nsICQStatusText
This attribute contains the text for the current ICQ user status.
OID | 2.16.840.1.113730.3.1.2021 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.30. nsIdleTimeout
This attribute identifies the user-based connection idle timeout period, in seconds.
OID | 2.16.840.1.113730.3.1.573 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.31. nsIDListScanLimit
This attribute specifies the number of entry IDs that are searched during a search operation. Keep the default value to improve search performance. For a more detailed explanation of the effect of ID lists on search performance, see the "Overview of the Searching Algorithm" section of the "Managing Indexes" chapter in the Red Hat Directory Server Administration Guide.
OID | 2.16.840.1.113730.3.1.2106 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.32. nsLookThroughLimit
This attribute sets the maximum number of entries through which the server is allowed to look during a search operation for that user. This attribute is configured in the server itself and applied to a user when that user initiates a search.
OID | 2.16.840.1.113730.3.1.570 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.33. nsPagedIDListScanLimit
This attribute specifies the number of entry IDs that are searched, specifically, for a search operation using the simple paged results control. This attribute works the same as the nsIDListScanLimit attribute, except that it only applies to searches with the simple paged results control.
If this attribute is not present or is set to zero, then the nsIDListScanLimit is used for paged searches as well as non-paged searches.
OID | 2.16.840.1.113730.3.1.2109 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.34. nsPagedLookThroughLimit
This attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries for a search which uses the simple paged results control. This attribute works the same as the nsLookThroughLimit attribute, except that it only applies to searches with the simple paged results control.
If this attribute is not present or is set to zero, then the nsLookThroughLimit is used for paged searches as well as non-paged searches.
OID | 2.16.840.1.113730.3.1.2108 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.35. nsPagedSizeLimit
This attribute sets the maximum number of entries to return from a search operation that uses the simple paged results control. This overrides the nsSizeLimit attribute for paged searches.
If this value is set to zero, then the nsSizeLimit attribute is used for paged searches as well as non-paged searches for the user, or the global configuration settings are used.
OID | 2.16.840.1.113730.3.1.2107 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.36. nsParentUniqueId
For tombstone (deleted) entries stored in replication, the nsParentUniqueId attribute contains the DN or entry ID for the parent of the original entry.
OID | 2.16.840.1.113730.3.1.544 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.37. nsRole
This attribute is a computed attribute that is not stored with the entry itself. It identifies to which roles an entry belongs.
OID | 2.16.840.1.113730.3.1.574 |
Syntax | DN |
Multi- or Single-Valued | Multi-valued |
Defined in | Directory Server |
6.38. nsRoleDn
This attribute contains the distinguished name of all roles that apply to an entry. Membership of a managed role is granted to an entry by adding the role’s DN to the entry’s nsRoleDN attribute. For example:
dn: cn=staff,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition

dn: cn=userA,ou=users,ou=employees,dc=example,dc=com
objectclass: top
objectclass: person
sn: uA
userpassword: secret
nsroledn: cn=staff,ou=employees,dc=example,dc=com
A nested role specifies containment of one or more roles of any type. In that case, nsRoleDN defines the DN of the contained roles. For example:
dn: cn=everybody,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
nsroledn: cn=manager,ou=employees,dc=example,dc=com
nsroledn: cn=staff,ou=employees,dc=example,dc=com
OID | 2.16.840.1.113730.3.1.575 |
Syntax | DN |
Multi- or Single-Valued | Multi-valued |
Defined in | Directory Server |
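As an added example (not code from the Directory Server documentation or product), the following Python reproduces how the computed nsRole attribute (6.37) follows from nsRoleDn values: an entry's own managed roles plus every nested role that transitively contains them. The LDIF input is constructed to mirror the entries above; the parser and the DN comparison (plain lower-casing) are simplifications assumed for the example.

```python
from typing import Dict, List, Set

# Constructed LDIF (not real directory data): a managed role, a nested role
# that contains it, and a user holding the managed role via nsroledn.
SAMPLE_LDIF = """\
dn: cn=staff,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsManagedRoleDefinition

dn: cn=everybody,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsNestedRoleDefinition
nsroledn: cn=manager,ou=employees,dc=example,dc=com
nsroledn: cn=staff,ou=employees,dc=example,dc=com

dn: cn=userA,ou=users,ou=employees,dc=example,dc=com
objectclass: person
nsroledn: cn=staff,ou=employees,dc=example,dc=com
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict per entry keyed by DN, attribute names
    lower-cased (LDAP attribute names are case-insensitive), values as lists."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None  # blank line ends the entry
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def is_nested_role(attrs: Dict[str, List[str]]) -> bool:
    return "nsnestedroledefinition" in {v.lower() for v in attrs.get("objectclass", [])}


def effective_roles(entries: Dict[str, Dict[str, List[str]]], dn: str) -> Set[str]:
    """What the server would report as the computed nsRole of `dn`: its own
    nsRoleDn values plus every nested role that transitively contains them."""
    # Reverse index: contained role DN -> nested roles whose nsRoleDn lists it.
    containers: Dict[str, Set[str]] = {}
    for role_dn, attrs in entries.items():
        if is_nested_role(attrs):
            for member in attrs.get("nsroledn", []):
                containers.setdefault(member.lower(), set()).add(role_dn.lower())
    roles: Set[str] = set()
    todo = [r.lower() for r in entries[dn].get("nsroledn", [])]
    while todo:
        role = todo.pop()
        if role in roles:  # already expanded; also stops circular nesting
            continue
        roles.add(role)
        todo.extend(containers.get(role, ()))
    return roles
```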
6.39. nsRoleFilter
This attribute sets the filter that identifies entries which belong to the role.
OID | 2.16.840.1.113730.3.1.576 |
Syntax | IA5String |
Multi- or Single-Valued | Single-valued |
Defined in |
6.40. nsSchemaCSN
This attribute is one of the subschema DSE attribute types.
OID | 2.5.21.82.16.840.1.113730.3.1.804 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.41. nsSizeLimit
This attribute shows the default size limit for a database or database link in bytes.
OID | 2.16.840.1.113730.3.1.571 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.42. nsTimeLimit
This attribute shows the default search time limit for a database or database link.
OID | 2.16.840.1.113730.3.1.572 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.43. nsTombstone (Object Class)
Tombstone entries are entries which have been deleted from Directory Server. For replication and restore operations, these deleted entries are saved so that they can be resurrected and replaced if necessary. Each tombstone entry has the nsTombstone object class, automatically.
This object class is defined in Directory Server.
Superior Class | top |
OID | 2.16.840.1.113730.3.2.113 |

Attribute | Definition |
---|---|
| | Gives the object classes assigned to the entry. |

Attribute | Definition |
---|---|
| | Identifies the unique ID of the parent entry of the original entry. |
| | Identifies the original entry DN in a tombstone entry. |
6.44. nsUniqueId
This attribute identifies or assigns a unique ID to a server entry.
OID | 2.16.840.1.113730.3.1.542 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.45. nsYIMStatusGraphic
This attribute contains a path pointing to the graphic which illustrates the Yahoo IM user status.
OID | 2.16.840.1.113730.3.1.2020 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.46. nsYIMStatusText
This attribute contains the text for the current Yahoo IM user status.
OID | 2.16.840.1.113730.3.1.2019 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.47. numSubordinates
This attribute indicates how many immediate subordinates an entry has. For example, numSubordinates=0 in a leaf entry.
OID | 1.3.1.1.4.1.453.16.2.103 |
Syntax | Integer |
Multi- or Single-Valued | Single-valued |
Defined in | numSubordinates Internet Draft |
6.48. passwordGraceUserTime
This attribute counts the number of attempts the user has made with the expired password.
OID | 2.16.840.1.113730.3.1.998 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.49. passwordRetryCount
This attribute counts the number of consecutive failed attempts at entering the correct password.
OID | 2.16.840.1.113730.3.1.93 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.50. pwdpolicysubentry
This attribute value points to the entry DN of the new password policy.
OID | 2.16.840.1.113730.3.1.997 |
Syntax | DirectoryString |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.51. pwdUpdateTime
This attribute value stores the time of the most recent password change for the account.
OID | 2.16.840.1.113730.3.1.2133 |
Syntax | GeneralizedTime |
Multi- or Single-Valued | Single-valued |
Defined in | Directory Server |
6.52. subschemaSubentry
This attribute contains the DN of an entry that contains schema information. For example:
subschemaSubentry: cn=schema
OID | 2.5.18.10 |
Syntax | DN |
Multi- or Single-Valued | Single-valued |
Defined in |
6.53. glue (Object Class)
The glue object class defines an entry in a special state: resurrected due to a replication conflict.
This object class is defined by Directory Server.
Superior Class | top |
OID | 2.16.840.1.113730.3.2.30 |

Attribute | Definition |
---|---|
| | Gives the object classes assigned to the entry. |
6.54. passwordObject (Object Class)
This object class is used for entries which store password information for a user in the directory.
This object class is defined in Directory Server.
Superior Class | top |
OID | 2.16.840.1.113730.3.2.12 |

Attribute | Definition |
---|---|
| | Defines the object classes for the entry. |
| | Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again. |
| | Specifies the length of time that must pass before users are allowed to change their passwords. |
| | Specifies the length of time that passes before the user’s password expires. |
| | Indicates that a password expiration warning has been sent to the user. |
| | Specifies the number of login attempts that are allowed to a user after the password has expired. |
| | Contains the history of the user’s previous passwords. |
| | Counts the number of consecutive failed attempts at entering the correct password. |
| | Points to the entry DN of the new password policy. |
| | Specifies the length of time that passes before the |
6.55. subschema (Object Class)
This identifies an auxiliary object class subentry which administers the subschema for the subschema administrative area. It holds the operational attributes representing the policy parameters which express the subschema.
This object class is defined in RFC 2252.
Superior Class | top |
OID | 2.5.20.1 |

Attribute | Definition |
---|---|
| | Defines the object classes for the entry. |
| | Attribute types used within a subschema. |
| | Defines the DIT content rules which are in force within a subschema. |
| | Defines the DIT structure rules which are in force within a subschema. |
| | Indicates the attribute types to which a matching rule applies in a subschema. |
| | Defines the matching rules used within a subschema. |
| | Defines the name forms used in a subschema. |
| | Defines the object classes used in a subschema. |