Chapter 4. Operational Attributes and Object Classes

Operational attributes are attributes used to perform directory operations and are available for every entry in the directory, regardless of whether they are defined for the object class of the entry. Operational attributes are only returned in an ldapsearch operation if specifically requested.
Operational attributes are created and managed by Directory Server on entries, such as the time the entry is created or modified and the creator's name. These attributes can be set on any entry, regardless of other attributes or object classes on the entry.
This chapter contains information about attributes and object classes that are operational. However, this reference does not cover the core schema used to configure the Directory Server itself. The directory service is also configured as directory entries within the cn=config subtree. For descriptions of those configuration attributes, see the Configuration, Command, and File Reference.

4.1. accountUnlockTime

This refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.
OID 2.16.840.1.113730.3.1.95
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in Directory Server

4.2. aci

This attribute is used by the Directory Server to evaluate what rights are granted or denied when it receives an LDAP request from a client.
OID 2.16.840.1.113730.3.1.55
Syntax IA5String
Multi- or Single-Valued Multi-valued
Defined in Directory Server

4.3. altServer

The values of this attribute are URLs of other servers which may be contacted when this server becomes unavailable. If the server does not know of any other servers which could be used, this attribute is absent. This information can be cached in case the preferred LDAP server later becomes unavailable.
OID 1.3.6.1.4.1.1466.101.120.6
Syntax IA5String
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.4. copiedFrom

This attribute is used by a read-only replica to recognize a master data source. It contains a reference to the server that holds the master data. This attribute is only used for legacy replication. It is not used for multi-master replication.
OID 2.16.840.1.113730.3.1.613
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.5. copyingFrom

This attribute is used by a read-only replica to recognize a master data source while replication is in progress. It contains a reference to the server that holds the master data. This attribute is only used for legacy replication. It is not used for multi-master replication.
OID 2.16.840.1.113730.3.1.614
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.6. createTimestamp

This attribute contains the date and time that the entry was initially created.
OID 2.5.18.1
Syntax GeneralizedTime
Multi- or Single-Valued Single-valued
Defined in RFC 1274

4.7. creatorsName

This attribute contains the name of the user which created the entry.
OID 2.5.18.3
Syntax DN
Multi- or Single-Valued Single-valued
Defined in RFC 1274

4.8. dITContentRules

This attribute defines the DIT content rules which are in force within a subschema. Each value defines one DIT content rule. Each value is tagged by the object identifier of the structural object class to which it pertains.
OID 2.5.21.2
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.9. dITStructureRules

This attribute defines the DIT structure rules which are in force within a subschema. Each value defines one DIT structure rule.
OID 2.5.21.1
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.10. hasSubordinates

This attribute indicates whether the entry has subordinate entries.
OID 1.3.6.1.4.1.1466.115.121.1.7
Syntax Boolean
Multi- or Single-Valued Single-valued
Defined in numSubordinates Internet Draft

4.11. LDAPsubentry

These entries hold operational data. This object class is defined in the LDAP Subentry Internet Draft.
Superior Class
top
OID
2.16.840.1.113719.2.142.6.1.1
Required Attributes
Attribute
Definition
objectClass
Gives the object classes assigned to the entry.
Allowed Attributes
Attribute
Definition
cn (commonName)
Specifies the common name of the entry.

4.12. ldapSyntaxes

This attribute identifies the syntaxes implemented, with each value corresponding to one syntax.
OID 1.3.6.1.4.1.1466.101.120.16
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.13. matchingRules

This attribute defines the matching rules used within a subschema. Each value defines one matching rule.
OID 2.5.21.4
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.14. matchingRuleUse

This attribute indicates the attribute types to which a matching rule applies in a subschema.
OID 2.5.21.8
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.15. modifyTimestamp

This attribute contains the date and time that the entry was most recently modified.
OID 2.5.18.2
Syntax GeneralizedTime
Multi- or Single-Valued Single-valued
Defined in RFC 1274

4.16. modifiersName

This attribute contains the name of the user which last modified the entry.
OID 2.5.18.4
Syntax DN
Multi- or Single-Valued Single-valued
Defined in RFC 1274

4.17. nameForms

This attribute defines the name forms used in a subschema. Each value defines one name form.
OID 2.5.21.7
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.18. namingContexts

Each value corresponds to a naming context that the server is mastering or shadowing. When the Directory Server does not master any information (such as when it is an LDAP gateway to a public X.500 directory), this attribute is absent. When the Directory Server believes it contains the entire directory, the attribute has a single value, and that value is the empty string (indicating the null DN of the root). This attribute permits a client contacting a server to choose suitable base objects for searching.
OID 1.3.6.1.4.1.1466.101.120.5
Syntax DN
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.19. nsAccountLock

This attribute shows whether the account is active or inactive.
OID 2.16.840.1.113730.3.1.610
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in Directory Server

4.20. nsAIMStatusGraphic

This attribute contains a path pointing to the graphic which illustrates the AIM user status.
OID 2.16.840.1.113730.3.1.2018
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.21. nsAIMStatusText

This attribute contains the text which indicates the current AIM user status.
OID 2.16.840.1.113730.3.1.2017
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.22. nsBackendSuffix

This contains the suffix used by the backend.
OID 2.16.840.1.113730.3.1.803
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in Directory Server

4.23. nscpEntryDN

This attribute contains the (former) entry DN for a tombstone entry.
OID 2.16.840.1.113730.3.1.545
Syntax DN
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.24. nsDS5ReplConflict

This attribute is included on entries that have a change conflict that cannot be resolved automatically by the synchronization or replication process. The value of the nsDS5ReplConflict contains information about which entries are in conflict, usually by referring to them by their nsUniqueID for both current entries and tombstone entries.
OID 2.16.840.1.113730.3.1.973
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in Directory Server

4.25. nsICQStatusGraphic

This attribute contains a path pointing to the graphic which illustrates the ICQ user status.
OID 2.16.840.1.113730.3.1.2022
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.26. nsICQStatusText

This attribute contains the text for the current ICQ user status.
OID 2.16.840.1.113730.3.1.2021
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.27. nsIdleTimeout

This attribute identifies the binder-based connection idle timeout period, in seconds.
OID 2.16.840.1.113730.3.1.573
Syntax Integer
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.28. nsLookThroughLimit

This attribute sets the maximum number of entries through which the server is allowed to look on behalf of that user during a search operation. This attribute is configured in the server itself and applied to a user when the user initiates a search.
OID 2.16.840.1.113730.3.1.570
Syntax Integer
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.29. nsParentUniqueId

For tombstone (deleted) entries stored in replication, the nsParentUniqueId attribute contains the DN or entry ID for the parent of the original entry.
OID 2.16.840.1.113730.3.1.544
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.30. nsRole

This attribute is a computed attribute that is not stored with the entry itself. It identifies the roles to which an entry belongs.
OID 2.16.840.1.113730.3.1.574
Syntax DN
Multi- or Single-Valued Multi-valued
Defined in Directory Server

4.31. nsRoleDn

This attribute contains the distinguished name of all roles that apply to an entry. Membership of a managed role is granted upon an entry by adding the role’s DN to the entry’s nsRoleDn attribute. For example:
dn: cn=staff,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition
cn: staff

dn: cn=userA,ou=users,ou=employees,dc=example,dc=com
objectclass: top
objectclass: person
cn: userA
sn: uA
userPassword: secret
nsroledn: cn=staff,ou=employees,dc=example,dc=com
A nested role specifies containment of one or more roles of any type. In that case, nsRoleDn defines the DN of the contained roles. For example:
dn: cn=everybody,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
cn: everybody
nsroledn: cn=manager,ou=employees,dc=example,dc=com
nsroledn: cn=staff,ou=employees,dc=example,dc=com
OID 2.16.840.1.113730.3.1.575
Syntax DN
Multi- or Single-Valued Multi-valued
Defined in Directory Server
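The following Python script is an added illustration, not part of the Red Hat reference and not Directory Server's own code: it models how the computed nsRole values of an entry follow from the nsRoleDn values above, both the managed roles an entry lists itself and the nested roles whose nsRoleDn names a role the entry already holds (resolved to a fixpoint, so roles nested several levels deep are found too). ENTRIES is constructed data mirroring the LDIF in this section plus two extra users; the scope rule it applies (a role applies to entries under the role entry's parent) is an assumption of the example, and filtered roles (nsRoleFilter) are not modelled.

```python
# Added example: derive the computed nsRole values for an entry from the
# nsRoleDn values held by the entry (managed roles) and by nested role
# definitions (role containment). This models the resolution described in the
# nsRoleDn section, not Directory Server's own code; filtered roles are not
# modelled, and the scope rule (a role applies to entries under its parent
# entry) is an assumption of this example. ENTRIES is constructed data.
ENTRIES = {
    "cn=staff,ou=employees,dc=example,dc=com": {
        "objectclass": ["LDAPsubentry", "nsRoleDefinition",
                        "nsSimpleRoleDefinition", "nsManagedRoleDefinition"],
    },
    "cn=manager,ou=employees,dc=example,dc=com": {
        "objectclass": ["LDAPsubentry", "nsRoleDefinition",
                        "nsSimpleRoleDefinition", "nsManagedRoleDefinition"],
    },
    "cn=everybody,ou=employees,dc=example,dc=com": {
        "objectclass": ["LDAPsubentry", "nsRoleDefinition",
                        "nsComplexRoleDefinition", "nsNestedRoleDefinition"],
        "nsroledn": ["cn=manager,ou=employees,dc=example,dc=com",
                     "cn=staff,ou=employees,dc=example,dc=com"],
    },
    "cn=userA,ou=users,ou=employees,dc=example,dc=com": {
        "objectclass": ["top", "person"],
        "nsroledn": ["cn=staff,ou=employees,dc=example,dc=com"],
    },
    "cn=userB,ou=users,ou=employees,dc=example,dc=com": {
        "objectclass": ["top", "person"],
        "nsroledn": ["cn=manager,ou=employees,dc=example,dc=com"],
    },
    # An nsRoleDn value naming an entry that is not a role definition grants nothing.
    "cn=userC,ou=users,ou=employees,dc=example,dc=com": {
        "objectclass": ["top", "person"],
        "nsroledn": ["cn=nothing,ou=employees,dc=example,dc=com"],
    },
}


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDNs so DNs compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def has_class(attrs, name):
    return name.lower() in [c.lower() for c in attrs.get("objectclass", [])]


def in_scope(entry_dn, role_dn):
    """Assumed scope rule: the role applies to entries at or below its parent."""
    parent = normalize_dn(role_dn).split(",", 1)[1]
    entry = normalize_dn(entry_dn)
    return entry == parent or entry.endswith("," + parent)


def compute_ns_role(entry_dn, entries):
    """Return the sorted list of (normalized) role DNs that nsRole would hold."""
    index = {normalize_dn(dn): attrs for dn, attrs in entries.items()}
    entry = index[normalize_dn(entry_dn)]
    roles = set()
    # Managed roles: the entry lists the role DN in its own nsRoleDn.
    for dn in entry.get("nsroledn", []):
        dn = normalize_dn(dn)
        role = index.get(dn)
        if role and has_class(role, "nsManagedRoleDefinition") and in_scope(entry_dn, dn):
            roles.add(dn)
    # Nested roles: a nested role whose nsRoleDn names a role the entry already
    # holds applies as well; iterate to a fixpoint to follow deeper nesting.
    changed = True
    while changed:
        changed = False
        for dn, attrs in index.items():
            if dn in roles or not has_class(attrs, "nsNestedRoleDefinition"):
                continue
            if not in_scope(entry_dn, dn):
                continue
            contained = {normalize_dn(r) for r in attrs.get("nsroledn", [])}
            if contained & roles:
                roles.add(dn)
                changed = True
    return sorted(roles)


if __name__ == "__main__":
    for user in ("cn=userA", "cn=userB", "cn=userC"):
        dn = user + ",ou=users,ou=employees,dc=example,dc=com"
        print(dn, "->", compute_ns_role(dn, ENTRIES))
```

Running it shows userA holding cn=staff and, through containment, cn=everybody, while userC's nsRoleDn value pointing at a non-role entry yields no roles; this is the kind of check worth running when reviewing who ends up inside an nsRole-based ACI.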

4.32. nsRoleFilter

This attribute sets the filter that identifies the entries which belong to the role.
OID 2.16.840.1.113730.3.1.576
Syntax IA5String
Multi- or Single-Valued Single-valued
Defined in RFC 2252

4.33. nsSchemaCSN

This attribute is one of the subschema DSE attribute types.
OID 2.5.21.82.16.840.1.113730.3.1.804
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.34. nsSizeLimit

This attribute shows the default size limit for a database or database link in bytes.
OID 2.16.840.1.113730.3.1.571
Syntax Integer
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.35. nsTimeLimit

This attribute shows the default search time limit for a database or database link.
OID 2.16.840.1.113730.3.1.572
Syntax Integer
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.36. nsTombstone (Object Class)

Tombstone entries are entries which have been deleted from Directory Server. For replication and restore operations, these deleted entries are saved so that they can be resurrected and replaced if necessary. Each tombstone entry has the nsTombstone object class, automatically.
This object class is defined in Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.113
Required Attributes
Attribute
Definition
objectClass
Gives the object classes assigned to the entry.
Allowed Attributes
Attribute Definition
nsParentUniqueId Identifies the unique ID of the parent entry of the original entry.
nscpEntryDN Identifies the original entry DN in a tombstone entry.

4.37. nsUniqueID

This attribute identifies or assigns a unique ID to a server entry.
OID 2.16.840.1.113730.3.1.542
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.38. nsYIMStatusGraphic

This attribute contains a path pointing to the graphic which illustrates the Yahoo instant message user status.
OID 2.16.840.1.113730.3.1.2020
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.39. nsYIMStatusText

This attribute contains the text for the current Yahoo instant message user status.
OID 2.16.840.1.113730.3.1.2019
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.40. numSubordinates

This attribute indicates how many immediate subordinates an entry has. For example, numSubordinates=0 in a leaf entry.
OID 1.3.1.1.4.1.453.16.2.103
Syntax Integer
Multi- or Single-Valued Single-valued
Defined in numSubordinates Internet Draft

4.41. passwordGraceUserTime

This attribute counts the number of attempts the user has made with the expired password.
OID 2.16.840.1.113730.3.1.998
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.42. passwordRetryCount

This attribute counts the number of consecutive failed attempts at entering the correct password.
OID 2.16.840.1.113730.3.1.93
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.43. pwdpolicysubentry

This attribute value points to the entry DN of the new password policy.
OID 2.16.840.1.113730.3.1.997
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.44. subschemaSubentry

This attribute contains the DN of an entry that contains schema information. For example:
subschemaSubentry: cn=schema
OID 2.5.18.10
Syntax DN
Multi- or Single-Valued Single-valued
Defined in RFC 2252

4.45. supportedControl

The values of this attribute are the object identifiers (OIDs) that identify the controls supported by the server. When the server does not support controls, this attribute is absent.
OID 1.3.6.1.4.1.1466.101.120.13
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.46. supportedExtension

The values of this attribute are the object identifiers (OIDs) that identify the extended operations supported by the server. When the server does not support extended operations, this attribute is absent.
OID 1.3.6.1.4.1.1466.101.120.7
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.47. supportedFeatures

This attribute contains features supported by the current version of Red Hat Directory Server.
OID 1.3.6.1.4.1.4203.1.3.5
Syntax OID
Multi- or Single-Valued Multi-valued
Defined in RFC 3674

4.48. supportedLDAPVersion

This attribute identifies the versions of the LDAP protocol implemented by the server.
OID 1.3.6.1.4.1.1466.101.120.15
Syntax Integer
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.49. supportedSASLMechanisms

This attribute identifies the names of the SASL mechanisms supported by the server. When the server does not support any SASL mechanisms, this attribute is absent.
OID 1.3.6.1.4.1.1466.101.120.14
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in RFC 2252

4.50. vendorName

This attribute contains the name of the server vendor.
OID 1.3.6.1.1.4
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in RFC 3045

4.51. vendorVersion

This attribute shows the vendor's version number for the server.
OID 1.3.6.1.1.5
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in RFC 3045

4.52. glue (Object Class)

The glue object class defines an entry in a special state: resurrected due to a replication conflict.
This object class is defined by Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.30
Required Attributes
Attribute
Definition
objectClass
Gives the object classes assigned to the entry.

4.53. passwordObject (Object Class)

This object class is used for entries which store password information for a user in the directory.
This object class is defined in Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.12
Required Attributes
objectClass Defines the object classes for the entry.
Allowed Attributes
accountUnlockTime Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.
passwordAllowChangeTime Specifies the length of time that must pass before users are allowed to change their passwords.
passwordExpirationTime Specifies the length of time that passes before the user’s password expires.
passwordExpWarned Indicates that a password expiration warning has been sent to the user.
passwordGraceUserTime Specifies the number of login attempts that are allowed to a user after the password has expired.
passwordHistory Contains the history of the user’s previous passwords.
passwordRetryCount Counts the number of consecutive failed attempts at entering the correct password.
pwdpolicysubentry Points to the entry DN of the new password policy.
retryCountResetTime Specifies the length of time that passes before the passwordRetryCount attribute is reset.
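As an added example (not part of the Red Hat reference and not Directory Server code), the following Python script ties the chapter introduction to the passwordObject attributes above: because operational attributes are only returned by ldapsearch when named explicitly, the assumed capture command in the header comment lists them, and the script then parses the resulting LDIF and evaluates each user's password-policy state from nsAccountLock and accountUnlockTime (lockouts, including lockouts whose unlock time has already passed), passwordRetryCount (counted failed binds) and passwordExpirationTime (expired passwords). SAMPLE_LDIF is constructed test data, including one base64-folded value to exercise the parser; the timestamp decoder assumes the GeneralizedTime form the server writes (YYYYMMDDHHMMSSZ).

```python
# Added example: audit the password-policy operational attributes on user
# entries from captured ldapsearch output. Assumed capture command (the names
# must be listed, since operational attributes are not returned by default):
#   ldapsearch -LLL -b "ou=users,dc=example,dc=com" "(objectClass=person)" \
#       uid nsAccountLock passwordRetryCount accountUnlockTime \
#       passwordExpirationTime modifiersName
# SAMPLE_LDIF is constructed test data, not output from a real server.
import base64
from datetime import datetime, timezone

SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
uid: alice
modifiersName: cn=directory manager
passwordExpirationTime: 20240301000000Z

dn: uid=bob,ou=users,dc=example,dc=com
uid: bob
nsAccountLock: true
passwordRetryCount: 3
accountUnlockTime: 20240116120000Z
modifiersName: cn=directory manager

dn: uid=carol,ou=users,dc=example,dc=com
uid: carol
passwordRetryCount: 2
modifiersName:: Y249ZGlyZWN0b3J5IG1hbmFnZXI=
passwordExpirationTime: 20231231000000Z
"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, attrs); attrs maps the lower-cased
    attribute name to its list of values, so multi-valued attributes keep
    every value. Folded lines (leading space) are joined and base64 values
    (written with '::') are decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def parse_generalized_time(value):
    """Decode the GeneralizedTime form the server writes (YYYYMMDDHHMMSSZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def first_value(attrs, name):
    values = attrs.get(name.lower())
    return values[0] if values else None


def audit_accounts(entries, now):
    """Return {dn: [findings]} for entries whose operational attributes show an
    active lockout, a lockout whose accountUnlockTime has already passed,
    counted failed binds on an unlocked account, or an expired password."""
    report = {}
    for dn, attrs in entries:
        findings = []
        locked = (first_value(attrs, "nsAccountLock") or "").lower() == "true"
        if locked:
            findings.append("locked")
            unlock = first_value(attrs, "accountUnlockTime")
            if unlock and parse_generalized_time(unlock) <= now:
                findings.append("lockout-expired")   # user may bind again
        retries = int(first_value(attrs, "passwordRetryCount") or 0)
        if retries and not locked:
            findings.append("failed-attempts=%d" % retries)
        expiry = first_value(attrs, "passwordExpirationTime")
        if expiry and parse_generalized_time(expiry) <= now:
            findings.append("password-expired")
        if findings:
            report[dn] = findings
    return report


if __name__ == "__main__":
    now = parse_generalized_time("20240120000000Z")   # constructed "now"
    for dn, found in audit_accounts(parse_ldif(SAMPLE_LDIF), now).items():
        print(dn, ", ".join(found))
```

Evaluated at the constructed time of 20 January 2024, bob is reported as locked with an elapsed lockout and carol with two failed attempts and an expired password, while alice, whose password has not yet expired, produces no finding; on a real directory the same script runs over the captured ldapsearch output in place of SAMPLE_LDIF.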

4.54. subschema (Object Class)

This identifies an auxiliary object class subentry which administers the subschema for the subschema administrative area. It holds the operational attributes representing the policy parameters which express the subschema.
This object class is defined in RFC 2252.
Superior Class
top
OID
2.5.20.1
Required Attributes
objectClass Defines the object classes for the entry.
Allowed Attributes
attributetypes Attribute types used within a subschema.
dITContentRules Defines the DIT content rules which are in force within a subschema.
dITStructureRules Defines the DIT structure rules which are in force within a subschema.
matchingRuleUse Indicates the attribute types to which a matching rule applies in a subschema.
matchingRules Defines the matching rules used within a subschema.
nameForms Defines the name forms used in a subschema.
objectClasses Defines the object classes used in a subschema.