Search

Chapter 10. Operational attributes and object classes

download PDF

Operational attributes are attributes used to perform directory operations and are available for every entry in the directory, regardless of whether they are defined for the object class of the entry. Operational attributes are only returned in an ldapsearch operation if specifically requested. To return all operational attributes of an object, specify +.

Operational attributes are created and managed by Directory Server on entries, such as the time the entry is created or modified and the creator’s name. These attributes can be set on any entry, regardless of other attributes or object classes on the entry.

10.1. accountUnlockTime

The accountUnlockTime attribute contains the date and time in GMT-format at which the account will become unlocked. A value of 0 means that the account must be unlocked by an administrator.

OID

2.16.840.1.113730.3.1.95

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

10.2. aci

This attribute is used by Directory Server to evaluate what rights are granted or denied when it receives an LDAP request from a client.

OID

2.16.840.1.113730.3.1.55

Syntax

IA5String

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

10.3. altServer

The values of this attribute are URLs of other servers which may be contacted when this server becomes unavailable. If the server does not know of any other servers which could be used, this attribute is absent. This information can be cached in case the preferred LDAP server later becomes unavailable.

OID

1.3.6.1.4.1.1466.101.120.6

Syntax

IA5String

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

10.4. createTimestamp

This attribute contains the date and time that the entry was initially created.

OID

2.5.18.1

Syntax

GeneralizedTime

Multi- or Single-Valued

Single-valued

Defined in

RFC 1274

10.5. creatorsName

This attribute contains the name of the user which created the entry.

OID

2.5.18.3

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

RFC 1274

10.6. dITContentRules

This attribute defines the DIT content rules which are in force within a subschema. Each value defines one DIT content rule. Each value is tagged by the object identifier of the structural object class to which it pertains.

OID

2.5.21.2

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

10.7. dITStructureRules

This attribute defines the DIT structure rules which are in force within a subschema. Each value defines one DIT structure rule.

OID

2.5.21.1

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

10.8. entryusn

When the USN Plug-in is enabled, the server automatically assigns an update sequence number to entries every time a write operation (add, modify, modrdn, or delete) is performed. The USN is stored in the entryUSN operational attribute on the entry; the entryUSN, then, shows the number for the most recent change on any entry.

Note

The entryUSN attribute increments only with operations performed by LDAP clients. It does not count internal operations.

By default, the entryUSN is unique per back end database instance, so entries in other databases may have the same USN. The nsslapd-entryusn-global parameter changes the assignment of USNs from local to global, that is, from being counted on a single database to being counted for all databases in the topology. The parameter is turned off by default.

A corresponding entry, lastusn, is kept in the root DSE entry, which shows the most recently- assigned USN. In local mode, lastusn shows the most recently- assigned USN per back end database. In global mode, lastusn shows the most recently assigned USN for the entire topology.

OID

2.16.840.1.113730.3.1.606

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.9. glue

The glue object class defines an entry in a special state: resurrected due to a replication conflict.

This object class is defined by Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.30

Table 10.1. Required Attributes
AttributeDefinition

objectClass

Gives the object classes assigned to the entry.

10.10. hasSubordinates

This attribute indicates whether the entry has subordinate entries.

OID

1.3.6.1.4.1.1466.115.121.1.7

Syntax

Boolean

Multi- or Single-Valued

Single-valued

Defined in

numSubordinates Internet Draft

10.11. internalCreatorsName

For entries which were created by a plug-in or by the server, rather than a Directory Server user, this attribute records what internal user (by plug-in DN) created the entry.

The internalCreatorsname attributes always show a plug-in as the identity. This plug-in could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the core Directory Server, then the plug-in is the database plug-in, cn=ldbm database,cn=plugins,cn=config.

OID

2.16.840.1.113730.3.1.2114

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.12. internalModifiersName

If an entry is edited by a plug-in or by the server, rather than a Directory Server user, this attribute records what internal user (by plug-in DN) modified the entry.

The internalModifiersname attributes always show a plug-in as the identity. This plug-in could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the core Directory Server, then the plug-in is the database plug-in, cn=ldbm database,cn=plugins,cn=config.

OID

2.16.840.1.113730.3.1.2113

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.13. lastLoginTime

The lastLoginTime attribute contains a timestamp of the last time that the given account authenticated to the directory, in the format YYYMMDDHHMMSSZ. For example:

lastLoginTime: 20200527001051Z

This is used to evaluate account lockout policies based on account inactivity.

OID

2.16.840.1.113719.1.1.4.1.35

Syntax

GeneralizedTime

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.14. lastModifiedBy

The lastModifiedBy attribute contains the distinguished name (DN) of the user who last edited the entry. For example:

lastModifiedBy: cn=Barbara Jensen,ou=Engineering,dc=example,dc=com

OID

0.9.2342.19200300.100.1.24

Syntax

DN

Multi- or Single-Valued

Multi-valued

Defined in

RFC 1274

10.15. lastModifiedTime

The lastModifiedTime attribute contains the time, in UTC format, an entry was last modified. For example:

lastModifiedTime: Thursday, 22-Sep-93 14:15:00 GMT

OID

0.9.2342.19200300.100.1.23

Syntax

DirectyString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 1274

10.16. ldapSubEntry

These entries hold operational data. This object class is defined in the LDAP Subentry Internet Draft.

Superior Class

top

OID

2.16.840.1.113719.2.142.6.1.1

Table 10.2. Required Attributes
AttributeDefinition

objectClass

Gives the object classes assigned to the entry.

Table 10.3. Allowed Attributes
AttributeDefinition

commonName

Specifies the common name of the entry.

10.17. ldapSyntaxes

This attribute identifies the syntaxes implemented, with each value corresponding to one syntax.

OID

1.3.6.1.4.1.1466.101.120.16

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

10.18. matchingRules

This attribute defines the matching rules used within a subschema. Each value defines one matching rule.

OID

2.5.21.4

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

10.19. matchingRuleUse

This attribute indicates the attribute types to which a matching rule applies in a subschema.

OID

2.5.21.8

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

10.20. modifiersName

This attribute contains the name of the user which last modified the entry.

OID

2.5.18.4

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

RFC 1274

10.21. modifyTimestamp

This attribute contains the date and time that the entry was most recently modified.

OID

2.5.18.2

Syntax

GeneralizedTime

Multi- or Single-Valued

Single-valued

Defined in

RFC 1274

10.22. nameForms

This attribute defines the name forms used in a subschema. Each value defines one name form.

OID

2.5.21.7

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

10.23. nsAccountLock

This attribute shows whether the account is active or inactive.

OID

2.16.840.1.113730.3.1.610

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

10.24. nsAIMStatusGraphic

This attribute contains a path pointing to the graphic which illustrates the AIM user status.

OID

2.16.840.1.113730.3.1.2018

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.25. nsAIMStatusText

This attribute contains the text which indicates the current AIM user status.

OID

2.16.840.1.113730.3.1.2017

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.26. nsBackendSuffix

This contains the suffix used by the back end.

OID

2.16.840.1.113730.3.1.803

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

10.27. nscpEntryDN

This attribute contains the (former) entry DN for a tombstone entry.

OID

2.16.840.1.113730.3.1.545

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.28. nsDS5ReplConflict

This attribute is included on entries that have a change conflict that cannot be resolved automatically by the synchronization or replication process. The value of the nsDS5ReplConflict contains information about which entries are in conflict, usually by referring to them by their nsUniqueID for both current entries and tombstone entries.

OID

2.16.840.1.113730.3.1.973

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

10.29. nsICQStatusGraphic

This attribute contains a path pointing to the graphic which illustrates the ICQ user status.

OID

2.16.840.1.113730.3.1.2022

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.30. nsICQStatusText

This attribute contains the text for the current ICQ user status.

OID

2.16.840.1.113730.3.1.2021

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.31. nsIdleTimeout

This attribute identifies the user-based connection idle timeout period, in seconds.

OID

2.16.840.1.113730.3.1.573

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.32. nsIDListScanLimit

This attribute specifies the number of entry IDs that are searched during a search operation. Keep the default value to improve search performance.

OID

2.16.840.1.113730.3.1.2106

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.33. nsLookThroughLimit

This attribute sets the maximum number of entries for that user through which the server is allowed to look during a search operation. This attribute is configured in the server itself and applied to a user when he initiates a search.

OID

2.16.840.1.113730.3.1.570

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.34. nsPagedIDListScanLimit

This attribute specifies the number of entry IDs that are searched, specifically, for a search operation using the simple paged results control. This attribute works the same as the nsIDListScanLimit attribute, except that it only applies to searches with the simple paged results control.

If this attribute is not present or is set to zero, then the nsIDListScanLimit is used to paged searches as well as non-paged searches.

OID

2.16.840.1.113730.3.1.2109

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.35. nsPagedLookThroughLimit

This attribute specifies the maximum number of entries that Directory Server will check when examining candidate entries for a search which uses the simple paged results control. This attribute works the same as the nsLookThroughLimit attribute, except that it only applies to searches with the simple paged results control.

If this attribute is not present or is set to zero, then the nsLookThroughLimit is used to paged searches as well as non-paged searches.

OID

2.16.840.1.113730.3.1.2108

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.36. nsPagedSizeLimit

This attribute sets the maximum number of entries to return from a search operation specifically which uses the simple paged results control. This overrides the nsSizeLimit attribute for paged searches.

If this value is set to zero, then the nsSizeLimit attribute is used for paged searches as well as non-paged searches for the user, or the global configuration settings are used.

OID

2.16.840.1.113730.3.1.2107

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.37. nsParentUniqueId

For tombstone (deleted) entries stored in replication, the nsParentUniqueId attribute contains the DN or entry ID for the parent of the original entry.

OID

2.16.840.1.113730.3.1.544

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.38. nsRole

This attribute is a computed attribute that is not stored with the entry itself. It identifies to which roles an entry belongs.

OID

2.16.840.1.113730.3.1.574

Syntax

DN

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

10.39. nsRoleDn

This attribute contains the distinguished name of all roles that apply to an entry. Membership of a managed role is granted upon an entry by adding the role’s DN to the entry’s nsRoleDN attribute. For example:

dn: cn=staff,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition

dn: cn=userA,ou=users,ou=employees,dc=example,dc=com
objectclass: top
objectclass: person
sn: uA
userpassword: secret
nsroledn: cn=staff,ou=employees,dc=example,dc=com

A nested role specifies containment of one or more roles of any type. In that case, nsRoleDN defines the DN of the contained roles. For example:

dn: cn=everybody,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
nsroledn: cn=manager,ou=employees,dc=example,dc=com
nsroledn: cn=staff,ou=employees,dc=example,dc=com

OID

2.16.840.1.113730.3.1.575

Syntax

DN

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

10.40. nsRoleFilter

This attribute sets the filter identifies entries which belong to the role.

OID

2.16.840.1.113730.3.1.576

Syntax

IA5String

Multi- or Single-Valued

Single-valued

Defined in

RFC 2252

10.41. nsSchemaCSN

This attribute is one of the subschema DSE attribute types.

OID

2.5.21.82.16.840.1.113730.3.1.804

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.42. nsSizeLimit

This attribute shows the default size limit for a database or database link in bytes.

OID

2.16.840.1.113730.3.1.571

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.43. nsTimeLimit

This attribute shows the default search time limit for a database or database link.

OID

2.16.840.1.113730.3.1.572

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.44. nsTombstone (object class)

Tombstone entries are entries which have been deleted from Directory Server. For replication and restore operations, these deleted entries are saved so that they can be resurrected and replaced if necessary. Each tombstone entry has the nsTombstone object class, automatically.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.113

Table 10.4. Required Attributes
AttributeDefinition

objectClass

Gives the object classes assigned to the entry.

Table 10.5. Allowed Attributes
AttributeDefinition

nsParentUniqueId

Identifies the unique ID of the parent entry of the original entry.

nscpEntryDN

Identifies the orignal entry DN in a tombstone entry.

10.45. nsUniqueId

This attribute identifies or assigns a unique ID to a server entry.

OID

2.16.840.1.113730.3.1.542

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.46. nsYIMStatusGraphic

This attribute contains a path pointing to the graphic which illustrates the Yahoo IM user status.

OID

2.16.840.1.113730.3.1.2020

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.47. nsYIMStatusText

This attribute contains the text for the current Yahoo IM user status.

OID

2.16.840.1.113730.3.1.2019

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.48. numSubordinates

This attribute indicates now many immediate subordinates an entry has. For example, numSubordinates=0 in a leaf entry.

OID

1.3.1.1.4.1.453.16.2.103

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

numSubordinates Internet Draft

10.49. passwordGraceUserTime

This attribute counts the number of attempts the user has made with the expired password.

OID

2.16.840.1.113730.3.1.998

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.50. passwordObject (object class)

This object class is used for entries which store password information for a user in the directory.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.12

Table 10.6. Required Attributes

objectClass

Defines the object classes for the entry.

Table 10.7. Allowed Attributes

accountUnlockTime

Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.

passwordAllowChangeTime

Specifies the length of time that must pass before users are allowed to change their passwords.

password_ExpirationTime

Specifies the length of time that passes before the user’s password expires.

password_ExpWarned

Indicates that a password expiration warning has been sent to the user.

passwordGrace_UserTime

Specifies the number of login attempts that are allowed to a user after the password has expired.

cnconfig-passwordHistory_Password_History

Contains the history of the user’s previous passwords.

password_RetryCount

Counts the number of consecutive failed attempts at entering the correct password.

pwdpolicy_subentry

Points to the entry DN of the new password policy.

retryCountResetTime

Specifies the length of time that passes before the passwordRetryCount attribute is reset.

10.51. passwordRetryCount

This attribute counts the number of consecutive failed attempts at entering the correct password.

OID

2.16.840.1.113730.3.1.93

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.52. pwdpolicysubentry

This attribute value points to the entry DN of the new password policy.

OID

2.16.840.1.113730.3.1.997

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.53. pwdUpdateTime

This attribute value stores the time of the most recent password change for the account.

OID

2.16.840.1.113730.3.1.2133

Syntax

GeneralizedTime

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

10.54. subschema (object class)

This identifies an auxiliary object class subentry which administers the subschema for the subschema administrative area. It holds the operational attributes representing the policy parameters which express the subschema.

This object class is defined in RFC 2252.

Superior Class

top

OID

2.5.20.1

Table 10.8. Required Attributes

objectClass

Defines the object classes for the entry.

Table 10.9. Allowed Attributes

attributeTypes

Attribute types used within a subschema.

dITContentRules

Defines the DIT content rules which are in force within a subschema.

dITStructureRules

Defines the DIT structure rules which are in force within a subschema.

matchingRuleUse

Indicates the attribute types to which a matching rule applies in a subschema.

matchingRules

Defines the matching rules used within a subschema.

nameForms

Defines the name forms used in a subschema.

objectClasses

Defines the object classes used in a subschema.

10.55. subschemaSubentry

This attribute contains the DN of an entry that contains schema information. For example:

subschemaSubentry: cn=schema

OID

2.5.18.10

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

RFC 2252

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.