3.2. Configuration Object Classes

Many configuration entries simply use the extensibleObject object class, but some require other object classes. These configuration object classes are listed here.

3.2.1. changeLogEntry (Object Class)

This object class is used for entries which store changes made to the Directory Server entries.
To configure Directory Server to maintain a changelog that is compatible with the changelog implemented in Directory Server 4.1x, enable the Retro Changelog Plug-in. Each entry in the changelog has the changeLogEntry object class.
This object class is defined in the Changelog Internet Draft.
Superior Class

top

OID

2.16.840.1.113730.3.2.1

Required Attributes

objectClass Defines the object classes for the entry.
changeNumber Contains a number assigned arbitrarily to the changelog.
changeTime The time at which a change took place.
changeType The type of change performed on an entry.
targetDn The distinguished name of an entry added, modified or deleted on a supplier server.

Allowed Attributes

changes Changes made to the Directory Server.
deleteOldRdn A flag that defines whether the old Relative Distinguished Name (RDN) of the entry should be kept as a distinguished attribute of the entry or should be deleted.
newRdn New RDN of an entry that is the target of a modRDN or modDN operation.
newSuperior Name of the entry that becomes the immediate superior of the existing entry when processing a modDN operation.

3.2.2. directoryServerFeature (Object Class)

This object class is used specifically for entries which identify a feature of the directory service. This object class is defined by Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.40

Required Attributes

Attribute Definition
objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition
cn Specifies the common name of the entry.
multiLineDescription Gives a text description of the entry.
oid Specifies the OID of the feature.

3.2.3. nsBackendInstance (Object Class)

This object class is used for the Directory Server back end, or database, instance entry. This object class is defined in Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.109

Required Attributes

Attribute Definition
objectClass Defines the object classes for the entry.
cn Gives the common name of the entry.

3.2.4. nsChangelog4Config (Object Class)

In order for Directory Server 10.3 to replicate between Directory Server 4.x servers, the Directory Server 10.3 instance must have a special changelog configured. This object class defines the configuration for the retro changelog.
This object class is defined for the Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.82

Allowed Attributes

Attribute Definition
cn (commonName) Gives the common name of the entry.

3.2.5. nsDS5Replica (Object Class)

This object class is for entries which define a replica in database replication. Many of these attributes are set within the back end and cannot be modified.
Information on the attributes for this object class is listed with the core configuration attributes in chapter 2 of the Directory Server Configuration, Command, and File Reference.
This object class is defined in Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.108

Required Attributes

objectClass Defines the object classes for the entry.
nsDS5ReplicaId Specifies the unique ID for suppliers in a replication environment.
nsDS5ReplicaRoot Specifies the suffix DN at the root of a replicated area.

Allowed Attributes

cn Gives the name for the replica.
nsDS5Flags Specifies information that has been previously set in flags.
nsDS5ReplicaAutoReferral Sets whether the server will follow configured referrals for the Directory Server database.
nsDS5ReplicaBindDN Specifies the DN to use when a supplier server binds to a consumer.
nsDS5ReplicaChangeCount Gives the total number of entries in the changelog and whether they have been replicated.
nsDS5ReplicaLegacyConsumer Specifies whether the replica is a legacy consumer.
nsDS5ReplicaName Specifies the unique ID for the replica for internal operations.
nsDS5ReplicaPurgeDelay Specifies the time in seconds before the changelog is purged.
nsDS5ReplicaReferral Specifies the URLs for user-defined referrals.
nsDS5ReplicaReleaseTimeout Specifies a timeout after which a master will release a replica, whether or not it has finished sending its updates.
nsDS5ReplicaTombstonePurgeInterval Specifies the time interval in seconds between purge operation cycles.
nsDS5ReplicaType Defines the type of replica, such as a read-only consumer.
nsDS5Task Launches a replication task, such as dumping the database contents to LDIF; this is used internally by the Directory Server supplier.
nsState Stores information on the clock so that proper change sequence numbers are generated.

3.2.6. nsDS5ReplicationAgreement (Object Class)

Entries with the nsDS5ReplicationAgreement object class store the information set in a replication agreement. Information on the attributes for this object class is in chapter 2 of the Directory Server Configuration, Command, and File Reference.
This object class is defined in Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.103

Required Attributes

objectClass Defines the object classes for the entry.
cn Used for naming the replication agreement.

Allowed Attributes

description Contains a free text description of the replication agreement.
nsDS5BeginReplicaRefresh Initializes a replica manually.
nsds5debugreplicatimeout Gives an alternate timeout period to use when the replication is run with debug logging.
nsDS5ReplicaBindDN Specifies the DN to use when a supplier server binds to a consumer.
nsDS5ReplicaBindMethod Specifies the method (SSL or simple authentication) to use for binding.
nsDS5ReplicaBusyWaitTime Specifies the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.
nsDS5ReplicaChangesSentSinceStartup The number of changes sent to this replica since the server started.
nsDS5ReplicaCredentials Specifies the password for the bind DN.
nsDS5ReplicaHost Specifies the host name for the consumer replica.
nsDS5ReplicaLastInitEnd States when the initialization of the consumer replica ended.
nsDS5ReplicaLastInitStart States when the initialization of the consumer replica started.
nsDS5ReplicaLastInitStatus The status for the initialization of the consumer.
nsDS5ReplicaLastUpdateEnd States when the most recent replication schedule update ended.
nsDS5ReplicaLastUpdateStart States when the most recent replication schedule update started.
nsDS5ReplicaLastUpdateStatus Provides the status for the most recent replication schedule updates.
nsDS5ReplicaPort Specifies the port number for the remote replica.
nsDS5ReplicaRoot Specifies the suffix DN at the root of a replicated area.
nsDS5ReplicaSessionPauseTime Specifies the amount of time in seconds a supplier should wait between update sessions.
nsDS5ReplicatedAttributeList Specifies any attributes that will not be replicated to a consumer server.
nsDS5ReplicaTimeout Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing.
nsDS5ReplicaTransportInfo Specifies the type of transport used for transporting data to and from the replica.
nsDS5ReplicaUpdateInProgress States whether a replication schedule update is in progress.
nsDS5ReplicaUpdateSchedule Specifies the replication schedule.
nsDS50ruv Manages the internal state of the replica using the replication update vector.
nsruvReplicaLastModified Contains the most recent time that an entry in the replica was modified and the changelog was updated.
nsds5ReplicaStripAttrs With fractional replication, an update to an excluded attribute still triggers a replication event, but that event is empty. This attribute sets attributes to strip from the replication update. This prevents changes to attributes like internalModifyTimestamp from triggering an empty replication update.

3.2.7. nsDSWindowsReplicationAgreement (Object Class)

Stores the synchronization attributes that concern the synchronization agreement. Information on the attributes for this object class is in chapter 2 of the Red Hat Directory Server Configuration, Command, and File Reference.
This object class is defined in Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.503

Required Attributes

objectClass Defines the object classes for the entry.
cn Gives the name of the synchronization agreement.

Allowed Attributes

description Contains a text description of the synchronization agreement.
nsDS5BeginReplicaRefresh Initiates a manual synchronization.
nsds5debugreplicatimeout Gives an alternate timeout period to use when the synchronization is run with debug logging.
nsDS5ReplicaBindDN Specifies the DN to use when the Directory Server binds to the Windows server.
nsDS5ReplicaBindMethod Specifies the method (SSL or simple authentication) to use for binding.
nsDS5ReplicaBusyWaitTime Specifies the amount of time in seconds the Directory Server should wait after the Windows server sends back a busy response before making another attempt to acquire access.
nsDS5ReplicaChangesSentSinceStartup Shows the number of changes sent since the Directory Server started.
nsDS5ReplicaCredentials Specifies the credentials for the bind DN.
nsDS5ReplicaHost Specifies the host name for the Windows domain controller of the Windows server being synchronized.
nsDS5ReplicaLastInitEnd States when the last total update (resynchronization) of the Windows server ended.
nsDS5ReplicaLastInitStart States when the last total update (resynchronization) of the Windows server started.
nsDS5ReplicaLastInitStatus The status for the total update (resynchronization) of the Windows server.
nsDS5ReplicaLastUpdateEnd States when the most recent update ended.
nsDS5ReplicaLastUpdateStart States when the most recent update started.
nsDS5ReplicaLastUpdateStatus Provides the status for the most recent updates.
nsDS5ReplicaPort Specifies the port number for the Windows server.
nsDS5ReplicaRoot Specifies the root suffix DN of the Directory Server.
nsDS5ReplicaSessionPauseTime Specifies the amount of time in seconds the Directory Server should wait between update sessions.
nsDS5ReplicaTimeout Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing.
nsDS5ReplicaTransportInfo Specifies the type of transport used for transporting data to and from the Windows server.
nsDS5ReplicaUpdateInProgress States whether an update is in progress.
nsDS5ReplicaUpdateSchedule Specifies the synchronization schedule.
nsDS50ruv Manages the internal state of the Directory Server sync peer using the replication update vector (RUV).
nsds7DirectoryReplicaSubtree Specifies the Directory Server suffix (root or sub) that is synced.
nsds7DirsyncCookie Contains a cookie set by the sync service that functions as an RUV.
nsds7NewWinGroupSyncEnabled Specifies whether new Windows group accounts are automatically created on the Directory Server.
nsds7NewWinUserSyncEnabled Specifies whether new Windows user accounts are automatically created on the Directory Server.
nsds7WindowsDomain Identifies the Windows domain being synchronized; analogous to nsDS5ReplicaHost in a replication agreement.
nsds7WindowsReplicaSubtree Specifies the Windows server suffix (root or sub) that is synced.
nsruvReplicaLastModified Contains the most recent time that an entry in the Directory Server sync peer was modified and the changelog was updated.
winSyncInterval Sets how frequently, in seconds, the Directory Server polls the Windows server for updates to write over. If this is not set, the default is 300, which is 300 seconds or five (5) minutes.
winSyncMoveAction Sets how the sync plug-in handles corresponding entries that are discovered in Active Directory outside of the synced subtree. The sync process can ignore these entries (none, the default) or it can assume that the entries were moved intentionally to remove them from synchronization, and it can then either delete the corresponding Directory Server entry (delete) or remove the synchronization attributes and no longer sync the entry (unsync).

3.2.8. nsEncryptionConfig

The nsEncryptionConfig object class stores the configuration information for allowed encryption options, such as protocols and cipher suites. This is defined in the Administrative Services.
Superior Class

top

OID

nsEncryptionConfig-oid

Required Attributes

Attribute Definition
objectClass Defines the object classes for the entry.
cn (commonName) Gives the common name of the device.

Allowed Attributes

Attribute Definition
nsSSL2 Sets whether SSL version 2 is enabled for the server.
nsSSL2Ciphers Contains a list of all ciphers available to be used with SSLv2.
nsSSL3 Sets whether SSL version 3 is enabled for the server.
nsSSL3Ciphers Contains a list of all ciphers available to be used with SSLv3.
nsSSL3SessionTimeout Sets the timeout period for an SSLv3 cipher session.
nsSSLClientAuth Sets how the server handles client authentication. There are three possible values: allow, disallow, or require.
nsSSLSessionTimeout Sets the timeout period for a cipher session.
nsSSLSupportedCiphers Contains a list of all ciphers available to be used with secure connections to the server.
nsTLS1 Sets whether TLS version 1 is enabled for the server.
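
The following Python example is added here and is not part of the Directory Server documentation. It reads an LDIF export, finds entries that carry the nsEncryptionConfig object class, and reports SSLv2 or SSLv3 being enabled, a missing required cn, or an nsSSLClientAuth value outside the three listed above. The sample entries and cipher names are constructed, and the on/off value format is an assumption.

```python
# Constructed sample export, not from a real server. Assumption: on/off values.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: nsEncryptionConfig
cn: encryption
nsSSL2: off
nsSSL3: on
nsSSLClientAuth: permit
nsSSL3Ciphers: +cipher_a,
 +cipher_b
nsTLS1: on

dn: cn=config
objectClass: nsslapdConfig
"""
CLIENT_AUTH_VALUES = {"allow", "disallow", "require"}  # the three values the page lists

def parse_ldif(text):
    """Return entries as dicts: lower-cased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):      # skip LDIF comment lines
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def audit_encryption(entry):
    """Return findings for one nsEncryptionConfig entry."""
    findings = []
    if "cn" not in entry:
        findings.append("missing required attribute cn")
    for attr, label in (("nsssl2", "SSLv2"), ("nsssl3", "SSLv3")):
        if any(v.lower() == "on" for v in entry.get(attr, [])):
            findings.append(f"{label} is enabled")
    for v in entry.get("nssslclientauth", []):
        if v.lower() not in CLIENT_AUTH_VALUES:
            findings.append(f"nsSSLClientAuth has unexpected value {v!r}")
    return findings

def audit_ldif(text):
    """Map the DN of each nsEncryptionConfig entry to its findings."""
    report = {}
    for entry in parse_ldif(text):
        if "nsencryptionconfig" in {v.lower() for v in entry.get("objectclass", [])}:
            report[entry.get("dn", ["<no dn>"])[0]] = audit_encryption(entry)
    return report

if __name__ == "__main__":
    print(audit_ldif(SAMPLE_LDIF))
```

Attribute names are compared case-insensitively, so nsSSL3 and nsssl3 in an export are treated as the same attribute.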

3.2.9. nsEncryptionModule

The nsEncryptionModule object class stores the encryption module information. This is defined in the Administrative Services.
Superior Class

top

OID

nsEncryptionModule-oid

Required Attributes

Attribute Definition
objectClass Defines the object classes for the entry.
cn (commonName) Gives the common name of the device.

Allowed Attributes

Attribute Definition
nsSSLActivation Sets whether to enable a cipher family.
nsSSLPersonalitySSL Contains the name of the certificate used by the server for SSL.
nsSSLToken Identifies the security token used by the server.

3.2.10. nsMappingTree (Object Class)

A mapping tree maps a suffix to the back end. Each mapping tree entry uses the nsMappingTree object class. This object class is defined in Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.110

Required Attributes

Attribute Definition
objectClass Gives the object classes assigned to the entry.
cn Gives the common name of the entry.

3.2.11. nsSaslMapping (Object Class)

This object class is used for entries which contain an identity mapping configuration for mapping SASL attributes to the Directory Server attributes.
This object class is defined in Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.317

Required Attributes

objectClass Defines the object classes for the entry.
cn Gives the name of the SASL mapping entry.
nsSaslMapBaseDNTemplate Contains the search base DN template.
nsSaslMapFilterTemplate Contains the search filter template.
nsSaslMapRegexString Contains a regular expression to match SASL identity strings.

3.2.12. nsslapdConfig (Object Class)

The nsslapdConfig object class defines the configuration object, cn=config, for the Directory Server instance.
This object class is defined in Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.39

Required Attributes

Attribute Definition
objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition
cn Gives the common name of the entry.

3.2.13. passwordPolicy (Object Class)

Both local and global password policies take the passwordPolicy object class. This object class is defined in Directory Server.
Superior Class

top

OID

2.16.840.1.113730.3.2.13

Required Attributes

Attribute Definition
objectClass Gives the object classes assigned to the entry.

Allowed Attributes

Attribute Definition
passwordMaxAge (Password Maximum Age) Sets the number of seconds after which user passwords expire.
passwordExp (Password Expiration) Identifies whether the user's password expires after an interval given by the passwordMaxAge attribute.
passwordMinLength (Password Minimum Length) Sets the minimum number of characters that must be used in passwords.
passwordInHistory (Number of Passwords to Remember) Sets the number of passwords the directory stores in the history.
passwordChange (Password Change) Identifies whether or not users are allowed to change their own password.
passwordWarning (Send Warning) Sets the number of seconds before a warning message is sent to users whose password is about to expire.
passwordLockout (Account Lockout) Identifies whether or not users are locked out of the directory after a given number of failed bind attempts.
passwordMaxFailure (Maximum Password Failures) Sets the number of failed bind attempts after which a user will be locked out of the directory.
passwordUnlock (Unlock Account) Identifies whether a user is locked out until the password is reset by an administrator or whether the user can log in again after a given lockout duration. The default is to allow a user to log back in after the lockout period.
passwordLockoutDuration (Lockout Duration) Sets the time, in seconds, that users will be locked out of the directory.
passwordCheckSyntax (Check Password Syntax) Identifies whether the password syntax is checked by the server before the password is saved.
passwordMustChange (Password Must Change) Identifies whether or not users must change their passwords when they first log in to the directory or after the password is reset by the Directory Manager.
passwordStorageScheme (Password Storage Scheme) Sets the type of encryption used to store Directory Server passwords.
passwordMinAge (Password Minimum Age) Sets the number of seconds that must pass before a user can change their password.
passwordResetFailureCount (Reset Password Failure Count After) Sets the time, in seconds, after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented.
passwordGraceLimit (Password Expiration) Sets the number of grace logins permitted when a user's password is expired.
PasswordMinDigits (Password Syntax) Sets the minimum number of numeric characters (0 through 9) which must be used in the password.
passwordMinAlphas (Password Syntax) Sets the minimum number of alphabetic characters that must be used in the password.
PasswordMinUppers (Password Syntax) Sets the minimum number of upper case alphabetic characters, A to Z, which must be used in the password.
PasswordMinLowers (Password Syntax) Sets the minimum number of lower case alphabetic characters, a to z, which must be used in the password.
PasswordMinSpecials (Password Syntax) Sets the minimum number of special ASCII characters, such as !@#$., which must be used in the password.
passwordMin8Bit (Password Syntax) Sets the minimum number of 8-bit characters used in the password.
passwordMaxRepeats (Password Syntax) Sets the maximum number of times that the same character can be used in a row.
passwordMinCategories (Password Syntax) Sets the minimum number of categories which must be used in the password.
PasswordMinTokenLength (Password Syntax) Sets the length to check for trivial words.