Chapter 6. Operational Attributes and Object Classes

Operational attributes are attributes used to perform directory operations and are available for every entry in the directory, regardless of whether they are defined for the object class of the entry. Operational attributes are only returned in an ldapsearch operation if specifically requested. To return all operational attributes of an entry, specify + in the list of requested attributes.

Operational attributes are created and managed by Directory Server on entries, such as the time the entry is created or modified and the creator’s name. These attributes can be set on any entry, regardless of other attributes or object classes on the entry.

6.1. accountUnlockTime

The accountUnlockTime attribute contains the date and time, in GMT format, at which the account will become unlocked. A value of 0 means that the account must be unlocked by an administrator.

OID

2.16.840.1.113730.3.1.95

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

6.2. aci

This attribute is used by the Directory Server to evaluate what rights are granted or denied when it receives an LDAP request from a client.

OID

2.16.840.1.113730.3.1.55

Syntax

IA5String

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

6.3. altServer

The values of this attribute are URLs of other servers which may be contacted when this server becomes unavailable. If the server does not know of any other servers which could be used, this attribute is absent. This information can be cached in case the preferred LDAP server later becomes unavailable.

OID

1.3.6.1.4.1.1466.101.120.6

Syntax

IA5String

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

6.4. createTimestamp

This attribute contains the date and time that the entry was initially created.

OID

2.5.18.1

Syntax

GeneralizedTime

Multi- or Single-Valued

Single-valued

Defined in

RFC 1274

6.5. creatorsName

This attribute contains the name of the user who created the entry.

OID

2.5.18.3

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

RFC 1274

6.6. dITContentRules

This attribute defines the DIT content rules which are in force within a subschema. Each value defines one DIT content rule. Each value is tagged by the object identifier of the structural object class to which it pertains.

OID

2.5.21.2

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

6.7. dITStructureRules

This attribute defines the DIT structure rules which are in force within a subschema. Each value defines one DIT structure rule.

OID

2.5.21.1

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

6.8. entryusn

When the USN Plug-in is enabled, the server automatically assigns an update sequence number to entries every time a write operation (add, modify, modrdn, or delete) is performed. The USN is stored in the entryUSN operational attribute on the entry; the entryUSN, then, shows the number for the most recent change on any entry.

Note

The entryUSN attribute increments only with operations performed by LDAP clients. It does not count internal operations.

By default, the entryUSN is unique per back end database instance, so entries in other databases may have the same USN. The nsslapd-entryusn-global parameter changes the assignment of USNs from local to global, that is, from being counted on a single database to being counted for all databases in the topology. The parameter is turned off by default.

A corresponding attribute, lastusn, is kept in the root DSE entry and shows the most recently assigned USN. In local mode, lastusn shows the most recently assigned USN per back end database. In global mode, lastusn shows the most recently assigned USN for the entire topology.

OID

2.16.840.1.113730.3.1.606

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.9. internalCreatorsName

For entries which were created by a plug-in or by the server, rather than a Directory Server user, this attribute records what internal user (by plug-in DN) created the entry.

The internalCreatorsName attribute always shows a plug-in as the identity. This plug-in could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the core Directory Server, then the plug-in is the database plug-in, cn=ldbm database,cn=plugins,cn=config.

OID

2.16.840.1.113730.3.1.2114

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.10. internalModifiersName

If an entry is edited by a plug-in or by the server, rather than a Directory Server user, this attribute records what internal user (by plug-in DN) modified the entry.

The internalModifiersName attribute always shows a plug-in as the identity. This plug-in could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the core Directory Server, then the plug-in is the database plug-in, cn=ldbm database,cn=plugins,cn=config.

OID

2.16.840.1.113730.3.1.2113

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.11. hasSubordinates

This attribute indicates whether the entry has subordinate entries.

OID

1.3.6.1.4.1.1466.115.121.1.7

Syntax

Boolean

Multi- or Single-Valued

Single-valued

Defined in

numSubordinates Internet Draft

6.12. lastLoginTime

The lastLoginTime attribute contains a timestamp of the last time that the given account authenticated to the directory, in the format YYYYMMDDHHMMSSZ. For example:

lastLoginTime: 20200527001051Z

This is used to evaluate account lockout policies based on account inactivity.

OID

2.16.840.1.113719.1.1.4.1.35

Syntax

GeneralizedTime

Multi- or Single-Valued

Single-valued

Defined in

Directory Server
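The following is an added example, not part of the original chapter: it parses the kind of LDIF that ldapsearch returns when operational attributes are requested and classifies each account from its accountUnlockTime (Section 6.1) and lastLoginTime (Section 6.12) values, the way an inactivity-based lockout review would. The LDIF and the 90-day inactivity limit are constructed assumptions; only the YYYYMMDDHHMMSSZ form of GeneralizedTime shown on this page is handled.

```python
"""Audit account lock and inactivity state from operational attributes.

Assumes lastLoginTime is a GeneralizedTime in the YYYYMMDDHHMMSSZ form and
accountUnlockTime is either such a timestamp or the literal 0, meaning an
administrator must unlock the account. Sample data below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: what `ldapsearch ... "+"` might return for three accounts.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
lastLoginTime: 20200527001051Z

dn: uid=bob,ou=people,dc=example,dc=com
lastLoginTime: 20240101120000Z
accountUnlockTime: 0

dn: uid=carol,ou=people,dc=example,dc=com
accountUnlockTime: 20240102090000Z
"""


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form into a timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ldif(text):
    """Split LDIF records into {dn: {attr: [values]}}; single-line values only.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive and servers may return them in either form.
    """
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries


def account_state(attrs, now, inactivity_limit):
    """Return one of: admin-locked, locked-until, never-logged-in, inactive, active."""
    unlock = attrs.get("accountunlocktime", [None])[0]
    if unlock == "0":
        return "admin-locked"          # 0 means only an administrator can unlock
    if unlock is not None and parse_generalized_time(unlock) > now:
        return "locked-until"          # temporary lockout still in force
    last = attrs.get("lastlogintime", [None])[0]
    if last is None:
        return "never-logged-in"
    if now - parse_generalized_time(last) > inactivity_limit:
        return "inactive"
    return "active"


def audit(ldif_text, now, inactivity_days=90):
    """Classify every entry in the LDIF; the 90-day limit is an assumption."""
    limit = timedelta(days=inactivity_days)
    return {dn: account_state(a, now, limit) for dn, a in parse_ldif(ldif_text).items()}


if __name__ == "__main__":
    now = datetime(2024, 1, 2, 0, 0, 0, tzinfo=timezone.utc)
    for dn, state in audit(SAMPLE_LDIF, now).items():
        print(f"{state:16} {dn}")
```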

6.13. lastModifiedBy

The lastModifiedBy attribute contains the distinguished name (DN) of the user who last edited the entry. For example:

lastModifiedBy: cn=Barbara Jensen,ou=Engineering,dc=example,dc=com

OID

0.9.2342.19200300.100.1.24

Syntax

DN

Multi- or Single-Valued

Multi-valued

Defined in

RFC 1274

6.14. lastModifiedTime

The lastModifiedTime attribute contains the time, in UTC format, an entry was last modified. For example:

lastModifiedTime: Thursday, 22-Sep-93 14:15:00 GMT

OID

0.9.2342.19200300.100.1.23

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 1274

6.15. ldapSubEntry

These entries hold operational data. This object class is defined in the LDAP Subentry Internet Draft.

Superior Class

top

OID

2.16.840.1.113719.2.142.6.1.1

Table 6.1. Required Attributes

Attribute | Definition
Section 5.2.284, “objectClass” | Gives the object classes assigned to the entry.

Table 6.2. Allowed Attributes

Attribute | Definition
Section 5.2.25, “cn (commonName)” | Specifies the common name of the entry.

6.16. ldapSyntaxes

This attribute identifies the syntaxes implemented, with each value corresponding to one syntax.

OID

1.3.6.1.4.1.1466.101.120.16

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

6.17. matchingRules

This attribute defines the matching rules used within a subschema. Each value defines one matching rule.

OID

2.5.21.4

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

6.18. matchingRuleUse

This attribute indicates the attribute types to which a matching rule applies in a subschema.

OID

2.5.21.8

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

6.19. modifyTimestamp

This attribute contains the date and time that the entry was most recently modified.

OID

2.5.18.2

Syntax

GeneralizedTime

Multi- or Single-Valued

Single-valued

Defined in

RFC 1274

6.20. modifiersName

This attribute contains the name of the user who last modified the entry.

OID

2.5.18.4

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

RFC 1274

6.21. nameForms

This attribute defines the name forms used in a subschema. Each value defines one name form.

OID

2.5.21.7

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

RFC 2252

6.22. nsAccountLock

This attribute shows whether the account is active or inactive.

OID

2.16.840.1.113730.3.1.610

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

6.23. nsAIMStatusGraphic

This attribute contains a path pointing to the graphic which illustrates the AIM user status.

OID

2.16.840.1.113730.3.1.2018

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.24. nsAIMStatusText

This attribute contains the text which indicates the current AIM user status.

OID

2.16.840.1.113730.3.1.2017

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.25. nsBackendSuffix

This contains the suffix used by the back end.

OID

2.16.840.1.113730.3.1.803

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

6.26. nscpEntryDN

This attribute contains the (former) entry DN for a tombstone entry.

OID

2.16.840.1.113730.3.1.545

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.27. nsDS5ReplConflict

This attribute is included on entries that have a change conflict that cannot be resolved automatically by the synchronization or replication process. The value of nsDS5ReplConflict contains information about which entries are in conflict, usually by referring to them by their nsUniqueID, for both current entries and tombstone entries.

OID

2.16.840.1.113730.3.1.973

Syntax

DirectoryString

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

6.28. nsICQStatusGraphic

This attribute contains a path pointing to the graphic which illustrates the ICQ user status.

OID

2.16.840.1.113730.3.1.2022

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.29. nsICQStatusText

This attribute contains the text for the current ICQ user status.

OID

2.16.840.1.113730.3.1.2021

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.30. nsIdleTimeout

This attribute identifies the user-based connection idle timeout period, in seconds.

OID

2.16.840.1.113730.3.1.573

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.31. nsIDListScanLimit

This attribute specifies the number of entry IDs that are searched during a search operation. Keep the default value to improve search performance. For a more detailed explanation of the effect of ID lists on search performance, see the "Overview of the Searching Algorithm" section of the "Managing Indexes" chapter in the Red Hat Directory Server Administration Guide.

OID

2.16.840.1.113730.3.1.2106

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.32. nsLookThroughLimit

This attribute sets, for a given user, the maximum number of entries through which the server is allowed to look during a search operation. It is configured in the server itself and applied to the user when that user initiates a search.

OID

2.16.840.1.113730.3.1.570

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.33. nsPagedIDListScanLimit

This attribute specifies the number of entry IDs that are searched, specifically, for a search operation using the simple paged results control. This attribute works the same as the nsIDListScanLimit attribute, except that it only applies to searches with the simple paged results control.

If this attribute is not present or is set to zero, then the nsIDListScanLimit is used for paged searches as well as non-paged searches.

OID

2.16.840.1.113730.3.1.2109

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.34. nsPagedLookThroughLimit

This attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries for a search which uses the simple paged results control. This attribute works the same as the nsLookThroughLimit attribute, except that it only applies to searches with the simple paged results control.

If this attribute is not present or is set to zero, then the nsLookThroughLimit is used for paged searches as well as non-paged searches.

OID

2.16.840.1.113730.3.1.2108

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.35. nsPagedSizeLimit

This attribute sets the maximum number of entries to return from a search operation that uses the simple paged results control. This overrides the nsSizeLimit attribute for paged searches.

If this value is set to zero, then the nsSizeLimit attribute is used for paged searches as well as non-paged searches for the user, or the global configuration settings are used.

OID

2.16.840.1.113730.3.1.2107

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.36. nsParentUniqueId

For tombstone (deleted) entries stored in replication, the nsParentUniqueId attribute contains the DN or entry ID for the parent of the original entry.

OID

2.16.840.1.113730.3.1.544

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.37. nsRole

This attribute is a computed attribute that is not stored with the entry itself. It identifies to which roles an entry belongs.

OID

2.16.840.1.113730.3.1.574

Syntax

DN

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server

6.38. nsRoleDn

This attribute contains the distinguished names of all roles that apply to an entry. Membership of a managed role is granted to an entry by adding the role’s DN to the entry’s nsRoleDN attribute. For example:

dn: cn=staff,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition

dn: cn=userA,ou=users,ou=employees,dc=example,dc=com
objectclass: top
objectclass: person
sn: uA
userpassword: secret
nsroledn: cn=staff,ou=employees,dc=example,dc=com

A nested role specifies containment of one or more roles of any type. In that case, nsRoleDN defines the DN of the contained roles. For example:

dn: cn=everybody,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
nsroledn: cn=manager,ou=employees,dc=example,dc=com
nsroledn: cn=staff,ou=employees,dc=example,dc=com

OID

2.16.840.1.113730.3.1.575

Syntax

DN

Multi- or Single-Valued

Multi-valued

Defined in

Directory Server
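As an added illustration (not code from the original chapter or from Directory Server), this computes the effective role set that the server would expose through the computed nsRole attribute (Section 6.37) from the managed and nested role definitions shown above (Section 6.38). The entries are constructed Python dicts modelled on the LDIF examples; filtered roles (nsRoleFilter) and role scoping are not covered.

```python
"""Resolve managed and nested role membership into the computed nsRole set.

Entries are given as constructed dicts keyed by DN (attribute names
lower-cased, as LDAP attribute names are case-insensitive). The nested-role
resolution iterates to a fixed point, so cyclic nestings cannot loop forever.
"""

# Constructed sample entries, modelled on the LDIF examples in this section.
ENTRIES = {
    "cn=staff,ou=employees,dc=example,dc=com": {
        "objectclass": ["LDAPsubentry", "nsRoleDefinition",
                        "nsSimpleRoleDefinition", "nsManagedRoleDefinition"],
    },
    "cn=manager,ou=employees,dc=example,dc=com": {
        "objectclass": ["LDAPsubentry", "nsRoleDefinition",
                        "nsSimpleRoleDefinition", "nsManagedRoleDefinition"],
    },
    "cn=everybody,ou=employees,dc=example,dc=com": {
        "objectclass": ["LDAPsubentry", "nsRoleDefinition",
                        "nsComplexRoleDefinition", "nsNestedRoleDefinition"],
        "nsroledn": ["cn=manager,ou=employees,dc=example,dc=com",
                     "cn=staff,ou=employees,dc=example,dc=com"],
    },
    "cn=userA,ou=users,ou=employees,dc=example,dc=com": {
        "objectclass": ["top", "person"],
        "sn": ["uA"],
        "nsroledn": ["cn=staff,ou=employees,dc=example,dc=com"],
    },
}


def has_class(entry, name):
    """Case-insensitive objectClass test."""
    return any(c.lower() == name.lower() for c in entry.get("objectclass", []))


def nested_roles(entries):
    """Map each nested role DN to the role DNs it contains (its nsroledn values)."""
    return {dn: e.get("nsroledn", []) for dn, e in entries.items()
            if has_class(e, "nsNestedRoleDefinition")}


def effective_roles(entries, user_dn):
    """Return the set of role DNs an entry belongs to.

    Direct membership comes from nsroledn values that name a managed role
    definition; a nested role is then added whenever one of the roles it
    contains is already in the set, repeated until nothing changes.
    """
    user = entries[user_dn]
    roles = {r for r in user.get("nsroledn", [])
             if has_class(entries.get(r, {}), "nsManagedRoleDefinition")}
    nested = nested_roles(entries)
    changed = True
    while changed:
        changed = False
        for role_dn, contained in nested.items():
            if role_dn not in roles and any(c in roles for c in contained):
                roles.add(role_dn)
                changed = True
    return roles


if __name__ == "__main__":
    for role in sorted(effective_roles(ENTRIES, "cn=userA,ou=users,ou=employees,dc=example,dc=com")):
        print("nsRole:", role)
```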

6.39. nsRoleFilter

This attribute sets the filter that identifies entries which belong to the role.

OID

2.16.840.1.113730.3.1.576

Syntax

IA5String

Multi- or Single-Valued

Single-valued

Defined in

RFC 2252

6.40. nsSchemaCSN

This attribute is one of the subschema DSE attribute types.

OID

2.5.21.82.16.840.1.113730.3.1.804

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.41. nsSizeLimit

This attribute shows the default size limit for a database or database link in bytes.

OID

2.16.840.1.113730.3.1.571

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.42. nsTimeLimit

This attribute shows the default search time limit for a database or database link.

OID

2.16.840.1.113730.3.1.572

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.43. nsTombstone (Object Class)

Tombstone entries are entries which have been deleted from Directory Server. For replication and restore operations, these deleted entries are saved so that they can be resurrected and replaced if necessary. Each tombstone entry is automatically given the nsTombstone object class.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.113

Table 6.3. Required Attributes

Attribute | Definition
Section 5.2.284, “objectClass” | Gives the object classes assigned to the entry.

Table 6.4. Allowed Attributes

Attribute | Definition
Section 6.36, “nsParentUniqueId” | Identifies the unique ID of the parent entry of the original entry.
Section 6.26, “nscpEntryDN” | Identifies the original entry DN in a tombstone entry.

6.44. nsUniqueId

This attribute identifies or assigns a unique ID to a server entry.

OID

2.16.840.1.113730.3.1.542

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.45. nsYIMStatusGraphic

This attribute contains a path pointing to the graphic which illustrates the Yahoo IM user status.

OID

2.16.840.1.113730.3.1.2020

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.46. nsYIMStatusText

This attribute contains the text for the current Yahoo IM user status.

OID

2.16.840.1.113730.3.1.2019

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.47. numSubordinates

This attribute indicates how many immediate subordinates an entry has. For example, numSubordinates=0 in a leaf entry.

OID

1.3.1.1.4.1.453.16.2.103

Syntax

Integer

Multi- or Single-Valued

Single-valued

Defined in

numSubordinates Internet Draft

6.48. passwordGraceUserTime

This attribute counts the number of attempts the user has made with the expired password.

OID

2.16.840.1.113730.3.1.998

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.49. passwordRetryCount

This attribute counts the number of consecutive failed attempts at entering the correct password.

OID

2.16.840.1.113730.3.1.93

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.50. pwdpolicysubentry

This attribute value points to the entry DN of the new password policy.

OID

2.16.840.1.113730.3.1.997

Syntax

DirectoryString

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.51. pwdUpdateTime

This attribute value stores the time of the most recent password change for the account.

OID

2.16.840.1.113730.3.1.2133

Syntax

GeneralizedTime

Multi- or Single-Valued

Single-valued

Defined in

Directory Server

6.52. subschemaSubentry

This attribute contains the DN of an entry that contains schema information. For example:

subschemaSubentry: cn=schema

OID

2.5.18.10

Syntax

DN

Multi- or Single-Valued

Single-valued

Defined in

RFC 2252

6.53. glue (Object Class)

The glue object class defines an entry in a special state: resurrected due to a replication conflict.

This object class is defined by Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.30

Table 6.5. Required Attributes

Attribute | Definition
Section 5.2.284, “objectClass” | Gives the object classes assigned to the entry.

6.54. passwordObject (Object Class)

This object class is used for entries which store password information for a user in the directory.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.12

Table 6.6. Required Attributes

Attribute | Definition
Section 5.2.284, “objectClass” | Defines the object classes for the entry.

Table 6.7. Allowed Attributes

Attribute | Definition
Section 6.1, “accountUnlockTime” | Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again.
Section 3.1.1.178, “passwordAllowChangeTime” | Specifies the length of time that must pass before users are allowed to change their passwords.
Section 3.1.1.183, “passwordExpirationTime” | Specifies the length of time that passes before the user’s password expires.
Section 3.1.1.184, “passwordExpWarned” | Indicates that a password expiration warning has been sent to the user.
Section 6.48, “passwordGraceUserTime” | Specifies the number of login attempts that are allowed to a user after the password has expired.
Section 3.1.1.186, “passwordHistory (Password History)” | Contains the history of the user’s previous passwords.
Section 6.49, “passwordRetryCount” | Counts the number of consecutive failed attempts at entering the correct password.
Section 6.50, “pwdpolicysubentry” | Points to the entry DN of the new password policy.
Section 3.1.1.222, “retryCountResetTime” | Specifies the length of time that passes before the passwordRetryCount attribute is reset.

6.55. subschema (Object Class)

This identifies an auxiliary object class subentry which administers the subschema for the subschema administrative area. It holds the operational attributes representing the policy parameters which express the subschema.

This object class is defined in RFC 2252.

Superior Class

top

OID

2.5.20.1

Table 6.8. Required Attributes

Attribute | Definition
Section 5.2.284, “objectClass” | Defines the object classes for the entry.

Table 6.9. Allowed Attributes

Attribute | Definition
Section 5.2.11, “attributeTypes” | Attribute types used within a subschema.
Section 6.6, “dITContentRules” | Defines the DIT content rules which are in force within a subschema.
Section 6.7, “dITStructureRules” | Defines the DIT structure rules which are in force within a subschema.
Section 6.18, “matchingRuleUse” | Indicates the attribute types to which a matching rule applies in a subschema.
Section 6.17, “matchingRules” | Defines the matching rules used within a subschema.
Section 6.21, “nameForms” | Defines the name forms used in a subschema.
Section 5.2.285, “objectClasses” | Defines the object classes used in a subschema.