Chapter 3. Configuration object classes

Many configuration entries simply use the extensibleObject object class, but some require other object classes. These configuration object classes are listed here.

3.1. changeLogEntry

This object class is used for entries which store changes made to the Directory Server entries.

To configure Directory Server to maintain a changelog that is compatible with the changelog implemented in Directory Server 4.1x, enable the Retro Changelog plug-in. Each entry in the changelog has the changeLogEntry object class.

This object class is defined in Changelog Internet Draft.

Superior Class

top

OID

2.16.840.1.113730.3.2.1

Table 3.1. Required Attributes

objectClass

Defines the object classes for the entry.

changeNumber

Contains the integer that uniquely identifies this change within the changelog; the server assigns it when the change is logged.

changeTime

The time at which a change took place.

changeType

The type of change performed on an entry.

targetDn

The distinguished name of an entry added, modified or deleted on a supplier server.

Table 3.2. Allowed Attributes

changes

The changes made to the target entry, recorded in LDIF change-record format.

deleteOldRdn

A flag that defines whether the old Relative Distinguished Name (RDN) of the entry should be kept as a distinguished attribute of the entry or should be deleted.

newRdn

New RDN of an entry that is the target of a modRDN or modDN operation.

newSuperior

Name of the entry that becomes the immediate superior of the existing entry when processing a modDN operation.
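
Because the changes attribute records the modified values themselves, a changelog is both a useful audit trail and a sensitive data set. The following script is an added example, not part of the original reference or of Directory Server: it parses changeLogEntry records from LDIF (including the base64-encoded changes value), enforces the required attributes from Table 3.1, and reports which changes touched sensitive attributes. The sample records and the list of sensitive attributes are constructed for the example.

```python
"""Parse Retro Changelog (changeLogEntry) records and flag edits to sensitive attributes."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Attributes an auditor usually wants to see modified (constructed list, extend as needed).
SENSITIVE_ATTRS = {"userpassword", "aci", "nsds5replicabinddn", "uniquemember", "member"}

# Required attributes of changeLogEntry (Table 3.1), compared case-insensitively.
REQUIRED = {"objectclass", "changenumber", "changetime", "changetype", "targetdn"}

# 'changes' spans several lines, so it is stored base64-encoded (LDIF '::' syntax).
_CHANGES_101 = base64.b64encode(
    b"replace: userPassword\nuserPassword: {PBKDF2-SHA512}redacted\n-\n"
).decode()
_CHANGES_103 = base64.b64encode(b"replace: description\ndescription: moved desk\n-\n").decode()

# Constructed sample: three changeLogEntry records as they would appear under cn=changelog.
SAMPLE_LDIF = f"""\
dn: changenumber=101,cn=changelog
objectClass: top
objectClass: changeLogEntry
changeNumber: 101
changeTime: 20240301120000Z
changeType: modify
targetDn: uid=jsmith,ou=People,dc=example,dc=com
changes:: {_CHANGES_101}

dn: changenumber=102,cn=changelog
objectClass: top
objectClass: changeLogEntry
changeNumber: 102
changeTime: 20240301120500Z
changeType: modrdn
targetDn: cn=old name,ou=Groups,dc=example,dc=com
newRdn: cn=new name
deleteOldRdn: TRUE
newSuperior: ou=Groups,dc=example,dc=com

dn: changenumber=103,cn=changelog
objectClass: top
objectClass: changeLogEntry
changeNumber: 103
changeTime: 20240301121000Z
changeType: modify
targetDn: uid=jsmith,ou=People,dc=example,dc=com
changes:: {_CHANGES_103}
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    keeps multi-valued attributes and lower-cases attribute names."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        block = re.sub(r"\n ", "", block)  # unfold lines continued with a leading space
        entry: dict[str, list[str]] = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            m = re.match(r"^([^:]+)(::?)\s*(.*)$", line)
            if m is None:
                raise ValueError(f"not an LDIF attribute line: {line!r}")
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value)
        records.append(entry)
    return records


@dataclass
class Change:
    change_number: int
    change_time: str
    change_type: str
    target_dn: str
    attributes: set[str] = field(default_factory=set)  # attribute names touched
    new_rdn: str | None = None


def changelog_entries(ldif_text: str) -> list[Change]:
    """Turn changeLogEntry records into Change objects, enforcing the Table 3.1 MUST list."""
    out = []
    for e in parse_ldif(ldif_text):
        if "changelogentry" not in {v.lower() for v in e.get("objectclass", [])}:
            continue
        missing = REQUIRED - set(e)
        if missing:
            raise ValueError(f"{e.get('dn')}: missing required attribute(s) {sorted(missing)}")
        ctype = e["changetype"][0].lower()
        ch = Change(int(e["changenumber"][0]), e["changetime"][0], ctype, e["targetdn"][0],
                    new_rdn=e.get("newrdn", [None])[0])
        for body in e.get("changes", []):
            for line in body.splitlines():
                if ctype == "modify":
                    # modify records: "add|delete|replace|increment: <attr>" headers
                    m = re.match(r"^(add|delete|replace|increment):\s*([^\s;]+)", line, re.I)
                else:
                    # add records list the new entry's attributes directly
                    m = re.match(r"^([^\s:]+)::?", line)
                if m:
                    ch.attributes.add(m.groups()[-1].lower())
        out.append(ch)
    return out


def sensitive_changes(ldif_text: str, sensitive=SENSITIVE_ATTRS) -> list[Change]:
    """Changes that touched a sensitive attribute: the ones worth alerting on."""
    return [c for c in changelog_entries(ldif_text) if c.attributes & sensitive]


if __name__ == "__main__":
    for c in sensitive_changes(SAMPLE_LDIF):
        print(f"#{c.change_number} {c.change_time} {c.change_type} {c.target_dn} -> {sorted(c.attributes)}")
```

Read access to cn=changelog should be restricted at least as tightly as the entries it reflects, since a replace of userPassword appears in the changes value together with the new (hashed) value.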

3.2. directoryServerFeature

This object class is used specifically for entries which identify a feature of the directory service. This object class is defined by Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.40

Table 3.3. Required Attributes

objectClass

Gives the object classes assigned to the entry.

Table 3.4. Allowed Attributes

cn

Specifies the common name of the entry.

multiLineDescription

Gives a text description of the entry.

oid

Specifies the OID of the feature.

3.3. nsBackendInstance

This object class is used for the Directory Server back end, or database, instance entry. This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.109

Table 3.5. Required Attributes

objectClass

Defines the object classes for the entry.

cn

Gives the common name of the entry.

3.4. nsDS5Replica

This object class is for entries which define a replica in database replication. Many of these attributes are set within the back end and cannot be modified.

Information on the attributes for this object class is listed with the core configuration attributes in chapter 2 of the Directory Server Configuration, Command, and File Reference.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.108

Table 3.6. Required Attributes

objectClass

Defines the object classes for the entry.

nsDS5ReplicaId

Specifies the unique ID for suppliers in a replication environment.

nsDS5ReplicaRoot

Specifies the suffix DN at the root of a replicated area.

Table 3.7. Allowed Attributes

cn

Gives the name for the replica.

nsDS5Flags

Specifies replica flags; for example, a value of 1 indicates that the replica writes its changes to the changelog.

nsDS5ReplicaAutoReferral

Sets whether the server will follow configured referrals for the Directory Server database.

nsDS5ReplicaBindDN

Specifies the DN to use when a supplier server binds to a consumer.

nsDS5ReplicaChangeCount

Gives the total number of entries in the changelog and whether they have been replicated.

nsDS5ReplicaLegacyConsumer

Specifies whether the replica is a legacy consumer.

nsDS5ReplicaName

Specifies the unique ID for the replica for internal operations.

nsDS5ReplicaPurgeDelay

Specifies the time, in seconds, that changelog and tombstone state information is kept before it becomes eligible for purging.

nsDS5ReplicaReferral

Specifies the URLs for user-defined referrals.

nsDS5ReplicaReleaseTimeout

Specifies a timeout after which a supplier will release a replica, whether or not it has finished sending its updates.

nsDS5ReplicaTombstonePurgeInterval

Specifies the time interval in seconds between purge operation cycles.

nsDS5ReplicaType

Defines the type of replica, such as a read-only consumer.

nsDS5Task

Launches a replication task, such as dumping the database contents to LDIF; this is used internally by the Directory Server supplier.

nsState

Stores information on the clock so that proper change sequence numbers are generated.

3.5. nsDS5ReplicationAgreement

Entries with the nsDS5ReplicationAgreement object class store the information set in a replication agreement. Information on the attributes for this object class is in chapter 2 of the Directory Server Configuration, Command, and File Reference.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.103

Table 3.8. Required Attributes

objectClass

Defines the object classes for the entry.

cn

Used for naming the replication agreement.

Table 3.9. Allowed Attributes

description

Contains a free text description of the replication agreement.

nsDS5BeginReplicaRefresh

Triggers a manual initialization (total update) of the consumer replica.

nsds5debugreplicatimeout

Gives an alternate timeout period to use when the replication is run with debug logging.

nsDS5ReplicaBindDN

Specifies the DN to use when a supplier server binds to a consumer.

nsDS5ReplicaBindMethod

Specifies the bind method to use, for example simple authentication or SSL client certificate authentication.

nsDS5ReplicaBusyWaitTime

Specifies the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.

nsDS5ReplicaChangesSentSinceStartup

The number of changes sent to this replica since the server started.

nsDS5ReplicaCredentials

Specifies the password for the bind DN. It is stored in the agreement entry, so read access to the agreement must be restricted.

nsDS5ReplicaHost

Specifies the host name for the consumer replica.

nsDS5ReplicaLastInitEnd

States when the initialization of the consumer replica ended.

nsDS5ReplicaLastInitStart

States when the initialization of the consumer replica started.

nsDS5ReplicaLastInitStatus

The status for the initialization of the consumer.

nsDS5ReplicaLastUpdateEnd

States when the most recent replication schedule update ended.

nsDS5ReplicaLastUpdateStart

States when the most recent replication schedule update started.

nsDS5ReplicaLastUpdateStatus

Provides the status for the most recent replication schedule updates.

nsDS5ReplicaPort

Specifies the port number for the remote replica.

nsDS5ReplicaRoot

Specifies the suffix DN at the root of a replicated area.

nsDS5ReplicaSessionPauseTime

Specifies the amount of time in seconds a supplier should wait between update sessions.

nsDS5ReplicatedAttributeList

Specifies any attributes that will not be replicated to a consumer server.

nsDS5ReplicaTimeout

Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing.

nsDS5ReplicaTransportInfo

Specifies the transport used for connections to the remote replica: plain LDAP, LDAPS, or StartTLS.

nsDS5ReplicaUpdateInProgress

States whether a replication schedule update is in progress.

nsDS5ReplicaUpdateSchedule

Specifies the replication schedule.

nsDS50ruv

Manages the internal state of the replica using the replication update vector.

nsruvReplicaLastModified

Contains the most recent time that an entry in the replica was modified and the changelog was updated.

nsds5ReplicaStripAttrs

Lists attributes to strip from a replication update. With fractional replication, an update to an excluded attribute still triggers a replication event even though that event carries no data; stripping attributes such as internalModifyTimestamp prevents these empty updates.
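
The bind and transport attributes above decide whether the replication password and the replicated data cross the network in clear text. The following audit is an added example, not code from the original reference or from Directory Server: given an agreement's attributes as an LDAP client would return them, it reports weak combinations. It assumes the value spellings used by 389 Directory Server (LDAP, SSL and TLS for nsDS5ReplicaTransportInfo; SIMPLE, SSLCLIENTAUTH, SASL/GSSAPI and SASL/DIGEST-MD5 for nsDS5ReplicaBindMethod), their defaults (LDAP and SIMPLE), and a root DN of cn=Directory Manager; the two agreements are constructed.

```python
"""Audit nsDS5ReplicationAgreement settings for weak transport and bind choices."""
from __future__ import annotations

# Assumed value spellings (389 Directory Server); verify against your version's reference:
#   nsDS5ReplicaTransportInfo: LDAP (plain), SSL (LDAPS), TLS (StartTLS)
#   nsDS5ReplicaBindMethod:    SIMPLE, SSLCLIENTAUTH, SASL/GSSAPI, SASL/DIGEST-MD5
ENCRYPTED_TRANSPORTS = {"SSL", "TLS"}
CERT_OR_TICKET_METHODS = {"SSLCLIENTAUTH", "SASL/GSSAPI"}  # methods that do not use a stored password
ROOT_DN = "cn=directory manager"  # assumed root DN; replication should never bind as it

# Constructed agreements, keyed by lower-cased attribute name as an LDAP search would return them.
WEAK_AGREEMENT = {
    "cn": "agmt-to-consumer1",
    "nsds5replicahost": "consumer1.example.com",
    "nsds5replicaport": "389",
    "nsds5replicatransportinfo": "LDAP",
    "nsds5replicabindmethod": "SIMPLE",
    "nsds5replicabinddn": "cn=Directory Manager",
    "nsds5replicacredentials": "{AES}redacted",
    "nsds5replicaroot": "dc=example,dc=com",
}
HARDENED_AGREEMENT = {
    "cn": "agmt-to-consumer2",
    "nsds5replicahost": "consumer2.example.com",
    "nsds5replicaport": "636",
    "nsds5replicatransportinfo": "SSL",
    "nsds5replicabindmethod": "SSLCLIENTAUTH",
    "nsds5replicaroot": "dc=example,dc=com",
    "nsds5replicatimeout": "600",
}


def audit_agreement(agmt: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: list[str] = []
    transport = agmt.get("nsds5replicatransportinfo", "LDAP").upper()  # assumed server default
    method = agmt.get("nsds5replicabindmethod", "SIMPLE").upper()       # assumed server default
    port = int(agmt.get("nsds5replicaport", "389"))
    bind_dn = agmt.get("nsds5replicabinddn", "").lower()

    if transport not in ENCRYPTED_TRANSPORTS:
        findings.append("replication traffic is not encrypted (set nsDS5ReplicaTransportInfo to SSL or TLS)")
    if method == "SIMPLE" and transport not in ENCRYPTED_TRANSPORTS:
        findings.append("SIMPLE bind over plain LDAP sends nsDS5ReplicaCredentials in clear text")
    if method == "SIMPLE" and "nsds5replicacredentials" not in agmt:
        findings.append("SIMPLE bind configured but nsDS5ReplicaCredentials is missing")
    if method == "SSLCLIENTAUTH" and transport not in ENCRYPTED_TRANSPORTS:
        findings.append("SSLCLIENTAUTH needs a TLS transport to present the client certificate")
    if method in CERT_OR_TICKET_METHODS and "nsds5replicacredentials" in agmt:
        findings.append("nsDS5ReplicaCredentials is set but unused by the configured bind method")
    if transport == "SSL" and port == 389:
        findings.append("LDAPS transport on port 389 is almost certainly a port/transport mismatch")
    if bind_dn == ROOT_DN:
        findings.append("replication binds as the root DN; use a dedicated replication manager DN")
    return findings


if __name__ == "__main__":
    for agmt in (WEAK_AGREEMENT, HARDENED_AGREEMENT):
        print(agmt["cn"], audit_agreement(agmt) or ["ok"])
```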

3.6. nsDSWindowsReplicationAgreement

Stores the synchronization attributes that concern the synchronization agreement. Information on the attributes for this object class is in chapter 2 of the Directory Server Configuration, Command, and File Reference.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.503

Table 3.10. Required Attributes

objectClass

Defines the object classes for the entry.

cn

Gives the name of the synchronization agreement.

Table 3.11. Allowed Attributes

description

Contains a text description of the synchronization agreement.

nsDS5BeginReplicaRefresh

Initiates a manual synchronization.

nsds5debugreplicatimeout

Gives an alternate timeout period to use when the synchronization is run with debug logging.

nsDS5ReplicaBindDN

Specifies the DN to use when Directory Server binds to the Windows server.

nsDS5ReplicaBindMethod

Specifies the bind method to use, for example simple authentication or SSL client certificate authentication.

nsDS5ReplicaBusyWaitTime

Specifies the amount of time in seconds Directory Server should wait after the Windows server sends back a busy response before making another attempt to acquire access.

nsDS5ReplicaChangesSentSinceStartup

Shows the number of changes sent since Directory Server started.

nsDS5ReplicaCredentials

Specifies the credentials for the bind DN.

nsDS5ReplicaHost

Specifies the host name for the Windows domain controller of the Windows server being synchronized.

nsDS5ReplicaLastInitEnd

States when the last total update (resynchronization) of the Windows server ended.

nsDS5ReplicaLastInitStart

States when the last total update (resynchronization) of the Windows server started.

nsDS5ReplicaLastInitStatus

The status for the total update (resynchronization) of the Windows server.

nsDS5ReplicaLastUpdateEnd

States when the most recent update ended.

nsDS5ReplicaLastUpdateStart

States when the most recent update started.

nsDS5ReplicaLastUpdateStatus

Provides the status for the most recent updates.

nsDS5ReplicaPort

Specifies the port number for the Windows server.

nsDS5ReplicaRoot

Specifies the root suffix DN of Directory Server.

nsDS5ReplicaSessionPauseTime

Specifies the amount of time in seconds Directory Server should wait between update sessions.

nsDS5ReplicaTimeout

Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing.

nsDS5ReplicaTransportInfo

Specifies the transport used for connections to the Windows server: plain LDAP, LDAPS, or StartTLS.

nsDS5ReplicaUpdateInProgress

States whether an update is in progress.

nsDS5ReplicaUpdateSchedule

Specifies the synchronization schedule.

nsDS50ruv

Manages the internal state of Directory Server sync peer using the replication update vector (RUV).

nsds7DirectoryReplicaSubtree

Specifies the Directory Server subtree (a root suffix or a sub-suffix) that is synchronized.

nsds7DirsyncCookie

Contains a cookie set by the sync service that functions as an RUV.

nsds7NewWinGroupSyncEnabled

Specifies whether new Windows group accounts are automatically created on Directory Server.

nsds7NewWinUserSyncEnabled

Specifies whether new Windows user accounts are automatically created on Directory Server.

nsds7WindowsDomain

Identifies the Windows domain being synchronized; analogous to nsDS5ReplicaHost in a replication agreement.

nsds7WindowsReplicaSubtree

Specifies the Windows server suffix (root or sub) that is synced.

nsruvReplicaLastModified

Contains the most recent time that an entry in Directory Server sync peer was modified and the changelog was updated.

winSyncInterval

Sets how frequently, in seconds, Directory Server polls the Windows server for updates to write over. If this is not set, the default is 300 seconds (five minutes).

winSyncMoveAction

Sets how the sync plug-in handles corresponding entries that are discovered in Active Directory outside of the synchronized subtree. The sync process can ignore these entries (none, the default), or it can assume that the entries were moved intentionally to remove them from synchronization and then either delete the corresponding Directory Server entry (delete) or remove the synchronization attributes and stop synchronizing the entry (unsync).

3.7. nsEncryptionConfig

The nsEncryptionConfig object class stores the configuration information for allowed encryption options, such as protocols and cipher suites. This is defined in the Administrative Services.

Superior Class

top

OID

nsEncryptionConfig-oid

Table 3.12. Required Attributes

objectClass

Defines the object classes for the entry.

cn (commonName)

Gives the common name of the entry.

Table 3.13. Allowed Attributes

nsSSL3SessionTimeout

Sets the timeout period for an SSLv3 cipher session.

nsSSLClientAuth

Sets how the server handles client authentication. There are three possible values: allow, disallow, or require.

nsSSLSessionTimeout

Sets the timeout period for a cipher session.

nsSSLSupportedCiphers

Contains a list of all ciphers available to be used with secure connections to the server.

nsTLS1

Sets whether TLS version 1 is enabled for the server.

3.8. nsEncryptionModule

The nsEncryptionModule object class stores the encryption module information. This is defined in the Administrative Services.

Superior Class

top

OID

nsEncryptionModule-oid

Table 3.14. Required Attributes

objectClass

Defines the object classes for the entry.

cn (commonName)

Gives the common name of the entry.

Table 3.15. Allowed Attributes

nsSSLActivation

Sets whether to enable a cipher family.

nsSSLPersonalitySSL

Contains the name of the certificate used by the server for SSL.

nsSSLToken

Identifies the security token used by the server.

3.9. nsMappingTree

A mapping tree maps a suffix to the back end. Each mapping tree entry uses the nsMappingTree object class. This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.110

Table 3.16. Required Attributes

objectClass

Gives the object classes assigned to the entry.

cn

Gives the common name of the entry.

3.10. nsSaslMapping

This object class is used for entries which contain an identity mapping configuration, mapping SASL identity strings to Directory Server entries.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.317

Table 3.17. Required Attributes

objectClass

Defines the object classes for the entry.

cn

Gives the name of the SASL mapping entry.

nsSaslMapBaseDNTemplate

Contains the search base DN template; placeholders such as \1 are replaced with the groups captured by nsSaslMapRegexString.

nsSaslMapFilterTemplate

Contains the search filter template; placeholders such as \1 are replaced with the groups captured by nsSaslMapRegexString.

nsSaslMapRegexString

Contains a regular expression to match SASL identity strings.
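
The three templates work together: the regular expression selects and captures parts of the SASL identity, and the captured groups are substituted into the base DN and filter templates to locate exactly one entry. The following is an added example, not code from the original reference or from Directory Server, showing that mapping on constructed nsSaslMapping rules. The escaping of captured text into DN and filter syntax (RFC 4514 and RFC 4515) is added here as a hardening step for illustration; the page does not describe how the server itself performs substitution. Rules are tried in list order.

```python
"""Apply nsSaslMapping rules to a SASL identity and build the lookup safely."""
from __future__ import annotations

import re

# Constructed mappings shaped like nsSaslMapping entries (attribute names as on this page).
# The more specific host rule comes first so the broad user rule cannot shadow it.
MAPPINGS = [
    {
        "cn": "example realm hosts",
        "nsSaslMapRegexString": r"^host/([^@/]+)@EXAMPLE\.COM$",
        "nsSaslMapBaseDNTemplate": "ou=Hosts,dc=example,dc=com",
        "nsSaslMapFilterTemplate": r"(&(objectClass=ipHost)(cn=\1))",
    },
    {
        "cn": "example realm users",
        "nsSaslMapRegexString": r"^([^@]+)@EXAMPLE\.COM$",
        "nsSaslMapBaseDNTemplate": "ou=People,dc=example,dc=com",
        "nsSaslMapFilterTemplate": r"(uid=\1)",
    },
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a captured group cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed into a DN template."""
    escaped = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def _fill(template: str, groups: tuple[str, ...], escape) -> str:
    """Replace \\1, \\2, ... in a template with the escaped capture groups."""
    return re.sub(r"\\(\d)", lambda m: escape(groups[int(m.group(1)) - 1]), template)


def map_identity(identity: str, mappings=MAPPINGS) -> tuple[str, str] | None:
    """First matching rule wins; returns (search base DN, search filter) or None."""
    for rule in mappings:
        match = re.match(rule["nsSaslMapRegexString"], identity)
        if match is None:
            continue
        groups = match.groups()
        base = _fill(rule["nsSaslMapBaseDNTemplate"], groups, escape_dn_value)
        flt = _fill(rule["nsSaslMapFilterTemplate"], groups, escape_filter_value)
        return base, flt
    return None


if __name__ == "__main__":
    for ident in ("jsmith@EXAMPLE.COM", "host/web01.example.com@EXAMPLE.COM",
                  "*)(uid=admin@EXAMPLE.COM", "jsmith@OTHER.COM"):
        print(ident, "->", map_identity(ident))
```

Independently of escaping, anchor every nsSaslMapRegexString with ^ and $ and constrain the capture groups (for example [^@]+ rather than .*) so that only the intended identities match and each identity matches a single rule.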

3.11. nsslapdConfig

The nsslapdConfig object class defines the configuration object, cn=config, for the Directory Server instance.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.39

Table 3.18. Required Attributes

objectClass

Gives the object classes assigned to the entry.

Table 3.19. Allowed Attributes

cn

Gives the common name of the entry.

3.12. passwordPolicy

Both local and global password policies take the passwordPolicy object class. This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.13

Table 3.20. Required Attributes

objectClass

Gives the object classes assigned to the entry.

Table 3.21. Allowed Attributes

passwordMaxAge

Sets the number of seconds after which user passwords expire.

passwordExp

Identifies whether the user's password expires after the interval given by the passwordMaxAge attribute.

passwordMinLength

Sets the minimum number of characters that must be used in passwords.

passwordInHistory

Sets the number of passwords the directory stores in the history.

passwordChange

Identifies whether users are allowed to change their own password.

passwordWarning

Sets the number of seconds before a warning message is sent to users whose password is about to expire.

passwordLockout

Identifies whether or not users are locked out of the directory after a given number of failed bind attempts.

passwordMaxFailure

Sets the number of failed bind attempts after which a user will be locked out of the directory.

passwordUnlock

Identifies whether a user is locked out until the password is reset by an administrator or whether the user can log in again after a given lockout duration. The default is to allow a user to log back in after the lockout period.

passwordLockoutDuration

Sets the time, in seconds, that users will be locked out of the directory.

passwordCheckSyntax

Identifies whether the password syntax is checked by the server before the password is saved.

passwordMustChange

Identifies whether users must change their password when they first log in to the directory or after the password is reset by the Directory Manager.

passwordStorageScheme

Sets the password storage scheme, that is, the hashing algorithm used to protect passwords stored in Directory Server.

passwordMinAge

Sets the number of seconds that must pass before a user can change their password.

passwordResetFailureCount

Sets the time, in seconds, after which the password failure counter will be reset. Each time an invalid password is sent from the user’s account, the password failure counter is incremented.

passwordGraceLimit

Sets the number of grace logins permitted when a user’s password is expired.

passwordMinDigits

Sets the minimum number of numeric characters (0 through 9) which must be used in the password.

passwordMinAlphas

Sets the minimum number of alphabetic characters that must be used in the password.

passwordMinUppers

Sets the minimum number of upper case alphabetic characters, A to Z, which must be used in the password.

passwordMinLowers

Sets the minimum number of lower case alphabetic characters, a to z, which must be used in the password.

passwordMinSpecials

Sets the minimum number of special ASCII characters, such as !@#$., which must be used in the password.

passwordMin8Bit

Sets the minimum number of 8-bit characters that must be used in the password.

passwordMaxRepeats

Sets the maximum number of times that the same character can be used in a row.

passwordMinCategories

Sets the minimum number of categories which must be used in the password.

passwordMinTokenLength

Sets the minimum length of the attribute values from the user's entry (such as uid or cn) that are treated as trivial words and rejected if they appear in the password.

passwordTPRDelayValidFrom

Sets the delay, in seconds, after a temporary password is set before it becomes valid.

passwordTPRDelayExpireAt

Sets the number of seconds a temporary password is valid.

passwordTPRMaxUse

Sets the maximum number of times a temporary password can be used.
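
The syntax attributes above (passwordMinLength through passwordMinTokenLength) define a composition check that is easy to misread, especially passwordMinCategories and the trivial-word test. The following is an added example, not code from the original reference or from Directory Server: it evaluates a candidate password against a constructed passwordPolicy and a constructed user entry, using the attribute semantics described on this page. The five categories counted for passwordMinCategories (digits, upper case, lower case, specials, 8-bit), treating passwordMaxRepeats of 0 as disabled, and splitting entry values into tokens on whitespace and punctuation are this example's interpretation.

```python
"""Check a candidate password against passwordPolicy syntax attributes."""
from __future__ import annotations

import re

SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")  # printable ASCII punctuation

# Constructed policy; attribute names are those of the passwordPolicy object class.
POLICY = {
    "passwordCheckSyntax": "on",
    "passwordMinLength": 12,
    "passwordMinDigits": 1,
    "passwordMinAlphas": 1,
    "passwordMinUppers": 1,
    "passwordMinLowers": 1,
    "passwordMinSpecials": 1,
    "passwordMin8Bit": 0,
    "passwordMaxRepeats": 2,      # 0 would disable the check
    "passwordMinCategories": 3,
    "passwordMinTokenLength": 3,
}

# Constructed user entry; its attribute values feed the trivial-word check.
USER_ENTRY = {"uid": ["jsmith"], "cn": ["John Smith"], "sn": ["Smith"], "mail": ["jsmith@example.com"]}


def longest_run(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def trivial_tokens(entry: dict[str, list[str]], min_len: int) -> set[str]:
    """Pieces of the user's own attribute values that must not appear in the password."""
    tokens: set[str] = set()
    for values in entry.values():
        for value in values:
            for tok in re.split(r"[\s@.\-_]+", value):
                if len(tok) >= min_len:
                    tokens.add(tok.lower())
    return tokens


def check_password(pw: str, policy: dict = POLICY, entry: dict = USER_ENTRY) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    if policy.get("passwordCheckSyntax", "off") != "on":
        return []
    digits = sum(c.isascii() and c.isdigit() for c in pw)
    uppers = sum(c.isascii() and c.isupper() for c in pw)
    lowers = sum(c.isascii() and c.islower() for c in pw)
    specials = sum(c in SPECIALS for c in pw)
    eight_bit = sum(ord(c) > 127 for c in pw)
    categories = sum(1 for n in (digits, uppers, lowers, specials, eight_bit) if n)
    counts = [
        ("passwordMinLength", len(pw)),
        ("passwordMinDigits", digits),
        ("passwordMinAlphas", uppers + lowers),
        ("passwordMinUppers", uppers),
        ("passwordMinLowers", lowers),
        ("passwordMinSpecials", specials),
        ("passwordMin8Bit", eight_bit),
        ("passwordMinCategories", categories),
    ]
    problems = [f"{name}: have {have}, need at least {policy[name]}"
                for name, have in counts if have < policy.get(name, 0)]
    run = longest_run(pw)
    if run > policy.get("passwordMaxRepeats", 0) > 0:
        problems.append(f"passwordMaxRepeats: a character repeats {run} times in a row")
    lowered = pw.lower()
    for tok in sorted(trivial_tokens(entry, policy.get("passwordMinTokenLength", 3))):
        if tok in lowered:
            problems.append(f"trivial word: password contains '{tok}' from the user's entry")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&Horse", "JSmith2024!!", "aaaa1111"):
        print(candidate, "->", check_password(candidate) or ["accepted"])
```

Note that these syntax checks only take effect while passwordCheckSyntax is on; the length and history attributes do nothing on their own if the flag is off.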