terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at
http://www.opencontent.org/openpub/).
Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is
obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries.
All other trademarks referenced herein are the property of their respective owners.
The GPG fingerprint of the security@redhat.com key is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
10Red Hat Directory Server Schema Reference • May 2005
About This Reference Guide
Red Hat Directory Server (Directory Server) is a powerful and scalable distributed
directory server based on the industry-standard Lightweight Directory Access
Protocol (LDAP). Directory Server is the cornerstone for building a centralized and
distributed data repository that can be used in your intranet, over your extranet
with your trading partners, or over the public Internet to reach your customers.
This preface contains the following sections:
•Purpose of This Guide (page 11)
•Directory Server Overview (page 11)
•Contents of This Guide (page 12)
•Prerequisite Reading (page 12)
•Conventions Used in This Book (page 13)
•Related Information (page 13)
Purpose of This Guide
This Schema Reference guide describes the standard directory schema for Directory
Server and lists all the object classes and attributes defined by the standard schema.
The information provided here is intended for the administrator who manages and
maintains the schema.
Directory Server Overview
The major components of Directory Server include:
•An LDAP server — The core of the directory service, provided by the
ns-slapd
daemon, and compliant with the LDAP v3 Internet standards.
11
Contents of This Guide
•Directory Server Console — An improved management console that
dramatically reduces the effort of setting up and maintaining your directory
service. The directory console is part of Red Hat Console, the common
management framework for LDAP directory services.
•SNMP Agent — Permits you to monitor your Directory Server in real time
using the Simple Network Management Protocol (SNMP).
•Online backup and restore — Allows you to create backups and restore from
backups while the server is running.
Contents of This Guide
•Chapter 1, “About Schema” — Provides an overview of some of the basic
concepts of the directory schema and lists the files in which the schema is
described. It describes object classes, attributes, and Object Identifiers (OIDs)
and briefly discusses schema checking and extending server schema.
•Chapter 2, “Object Class Reference”— Contains an alphabetical list of the
object classes accepted by the default schema. It gives a definition of each
object class and gives the list of required and allowed attributes specific to the
particular object class. However, any mandatory and optional attributes
inherited from superior object classes are not listed.
•Chapter 3, “Attribute Reference” — Contains an alphabetic list of the
standard attributes. It gives a definition of each attribute and gives the
attribute syntax.
•Chapter 4, “Operational Attributes, Special Attributes, and Special Object Classes” — Contains operational attributes used by Directory Server. The
chapter also describes some special attributes and object classes that are used
by the server.
Prerequisite Reading
This guide describes the standard schema and the standard object classes and
attributes. However, this guide does not describe how to design, customize or
maintain your schema, nor does it give any information on replication. Those
concepts are described in the Red Hat Directory Server Deployment Guide. You
should read that book before continuing with this manual.
12Red Hat Directory Server Schema Reference • May 2005
When you are familiar with Directory Server schema concepts and have done some
preliminary planning for your directory service, you can install the Directory
Server. The instructions for installing the various Directory Server components are
contained in the Red Hat Directory Server Installation Guide.
Preliminary planning includes deciding how to represent the data you store. You
should chose predefined schema elements to meet as many of your needs as
possible. These predefined schema elements are listed in this guide.
Conventions Used in This Book
This section explains the conventions used in this book.
•
Monospaced font
computer screen or text that you should type. It is also used for filenames,
functions, and examples.
•Throughout this book, you will see path references of the form:
— This typeface is used for any text that appears on the
Conventions Used in This Book
serverRoot
serverRoot is the installation directory. The default installation directory is
/opt/redhat-ds/servers
location, you should adapt the path accordingly.
serverID is the ID or identifier you assigned to an instance of Directory Server
when you installed it. For example, if you gave the server an identifier of
•In examples/sample code, paths assume that the Directory Server is installed
in the default location
Directory Server in a different location, adapt the paths accordingly. Also, all
examples use
/slapd-
, then the actual path would look like this:
phonebook
Related Information
The document set for Directory Server also contains the following guides:
•Red Hat Directory Server Deployment Guide. Provides an overview for planning
your deployment of the Directory Server. Includes deployment examples.
serverID
/opt/redhat-ds/servers
/...
. If you have installed Directory Server in a different
. If you have installed your
for the server identifier where appropriate.
13
Related Information
•Red Hat Directory Server Installation Guide. Procedures for installing your
Directory Server as well as procedures for migrating your Directory Server.
•Red Hat Directory Server Administrator’s Guide. Procedures for the day-to-day
maintenance of your Directory Server. Includes information on configuring
server-side plug-ins.
•Red Hat Directory Server Configuration, Command, and File Reference.
Information about the command-line scripts, configuration attributes, and log
files shipped with Directory Server.
•Red Hat Directory Server Plug-in Programmer’s Guide. Describes how to write
server plug-ins in order to customize and extend the capabilities of Directory
Server.
•Red Hat Directory Server Gateway Customization Guide. Introduces Directory
Server Gateway and explains how to implement a gateway instance with basic
directory look-up functionality. Also contains information useful for
implementing a more powerful gateway instance with directory
authentication and administration capability.
•Red Hat Directory Server Org Chart. Introduces the Red Hat Directory Server
Org Chart application and explains how to integrate it with an instance of
Directory Server.
•Red Hat Directory Server DSML Gateway Guide. Introduces the Red Hat
Directory Server DSML Gateway function and explains how to customize it
for use as an independent gateway.
For a list of documentation installed with Directory Server, open the
server_root/manual/en/slapd/index.htm
file, where
server_root
is the directory in
which you installed Directory Server.
For the latest information about Directory Server, including current release notes,
complete product documentation, technical notes, and deployment information,
check this site:
http://www.redhat.com/docs/manuals/dir-server/
14Red Hat Directory Server Schema Reference • May 2005
Chapter1
About Schema
This chapter provides an overview of some of the basic concepts of the directory
schema and lists the files in which the schema is described. It describes object
classes, attributes, and object identifiers (OIDs) and briefly discusses extending
server schema and schema checking.
This chapter contains the following sections:
•Schema Definition (page 15)
•Schema Supported by Directory Server (page 19)
•Object Identifiers (OIDs) (page 21)
•Extending Server Schema (page 22)
•Schema Checking (page 22)
Schema Definition
The directory schema is a set of rules that defines how the data can be stored in the
directory. The data is stored in the form of directory entries. Each entry is a set of
attributes and their values. Each entry must have an object class. The object class
specifies the kind of object the entry describes and defines the set of attributes it
contains. The schema defines the type of entries allowed, their attribute structure,
and the syntax of the attributes.The schema can be modified and extended if it does
not meet your required needs.
To find detailed information about object classes, attributes, and how the Red Hat
Directory Server (Directory Server) uses the schema, refer to the Red Hat Directory Server Deployment Guide.
15
Schema Definition
CAUTIONDirectory Server fails to start if schema definitions include too few or
too many space characters.
Use exactly one space in those places where the LDAP standards
allow the use of zero or many spaces; for example, the place between
the NAME keyword and the name of an attribute type.
Object Classes
In LDAP, an object class defines the set of attributes that can be used to define an
entry. The LDAP standard provides some basic types of object classes, including:
•Groups, including unordered lists of individual objects or groups of objects.
•Locations, such as the country name and description
•Organizations
•People
•Devices
Required and Allowed Attributes
Every object class includes a number of required attributes and of allowed
attributes. Required attributes are the attributes that must be present in entries
using the specified object class, while allowed attributes are permissible and
available for the entry to use, but are not require for the entry to be validated.
All entries require the
objectClass
attribute, which lists the object classes
assigned to the entry.
For example, the
attributes and allows the
userPassword
person
.
object class requires the cn, sn, and
description, seeAlso, telephoneNumber
objectClass
, and
Object Class Inheritance
An entry can have more than one object class. For example, the entry for a person
is defined by the
inetOrgPerson, groupOfNames
person
object class but may also be defined by attributes in the
, and
organizationPerson
object classes.
The server’s object class structure determines the list of required and allowed
attributes for a particular entry. For example, a person entry is usually defined
with the following object class structure:
16Red Hat Directory Server Schema Reference • May 2005
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgperson
Schema Definition
In this structure, the
person
object classes. Therefore, when you assign the
inetOrgperson
inherits from the
organizationalPerson
inetOrgperson
object class
and
to an entry, it automatically inherits the required and allowed attributes from the
superior object class.
Attributes
Directory data is represented as attribute-value pairs. Any piece of information in
the directory is associated with a descriptive attribute.
For instance, the
person named Jonas Salk can be represented in the directory as
cn: Jonas Salk
Each person entered in the directory can be defined by the collection of attributes
in the
inetOrgperson
include:
givenname: Jonas
surname: Salk
mail: jonass@example.com
commonName
, or cn, attribute is used to store a person’s name. A
object class. Other attributes used to define this entry could
Attribute Syntax
Each attribute has a syntax definition that describes the type of information
provided by the attribute.
Attribute syntax is used by the Directory Server to perform sorting and pattern
matching.
Table 1-1 lists the different syntax methods that can be applied to attributes and
gives an OID and a definition for each syntax method.
Table 1-1Attribute Syntax
Syntax MethodOIDDefinition
Binary1.3.6.1.4.1.1466.115.121.1.5Indicates that values for this attribute are binary.
Boolean1.3.6.1.4.1.1466.115.121.1.7Indicates that this attribute has one of only two
values: True or False.
Chapter 1About Schema17
Schema Definition
Table 1-1Attribute Syntax (Continued)
Syntax MethodOIDDefinition
Country String1.3.6.1.4.1.1466.115.121.1.11Indicates that values for this attribute are limited
to exactly two printable string characters; for
example, US.
DN1.3.6.1.4.1.1466.115.121.1.12Indicates that values for this attribute are DNs.
DirectoryString1.3.6.1.4.1.1466.115.121.1.15Indicates that values for this attribute are not
case sensitive.
GeneralizedTime1.3.6.1.4.1.1466.115.121.1.24Indicates that values for this attribute are
encoded as printable strings. The time zone
must be specified. It is strongly recommended to
use GMT time.
IA5String1.3.6.1.4.1.1466.115.121.1.26Indicates that values for this attribute are case
sensitive.
INTEGER1.3.6.1.4.1.1466.115.121.1.27Indicates that valid values for this attribute are
numbers.
OctetString1.3.6.1.4.1.1466.115.121.1.40Same behavior as binary.
Postal Address1.3.6.1.4.1.1466.115.121.1.41Indicates that values for this attribute are
encoded according to
postal-address = dstring * ("$"
dstring)
where each dstring component is encoded as a
value of type DirectoryString syntax.
Backslashes and dollar characters, if they occur,
are quoted, so that they will not be mistaken for
line delimiters. Many servers limit the postal
address to 6 lines of up to thirty characters. For
example:
1234 Main St.$Anytown, TX 1234$USA
TelephoneNumber1.3.6.1.4.1.1466.115.121.1.50Indicates that values for this attribute are in the
form of telephone numbers. It is recommended
to use telephone numbers in international form.
URI-Indicates that the values for this attribute are in
the form of a URL, introduced by a string such
as http://, https://, ftp://, ldap://,
and ldaps://. The URI has the same behavior
as IA5String. See RFC 2396.
18Red Hat Directory Server Schema Reference • May 2005
Single-Valued and Multi-Valued Attributes
By default, most attributes are multi-valued. This means that an entry can contain
the same attribute with multiple values. For example, cn,
are all attributes that can have more than one value. Attributes that are
single-valued — that is, only one instance of the attribute can be specified — are
noted as such. For example,
uidNumber
can only have one possible value.
Schema Supported by Directory Server
The schema provided with Directory Server is described in a set of files stored in
the serverRoot
You can modify the schema by creating new object classes and attributes. These
modifications are stored in a separate file called
modify the standard files provided with the Directory Server because you incur the
risk of breaking compatibility with other products or of causing interoperability
problems with directory servers from vendors other than Red Hat, Inc.
/slapd-
serverID
/config/schema
directory.
99user.ldif
Schema Supported by Directory Server
tel
, and
objectclass
. You should not
For more information about how the Directory Server stores information and
suggestions for planning directory schema, refer to the Red Hat Directory Server Deployment Guide.
The following tables list the schema files that are provided with Directory Server.
Table 1-2 lists the schema files that are used by the Directory Server. Table 1-3 lists
the schema files that are used by other Red Hat products, and Table 1-4 lists
schema files used by legacy server products.
Table 1-2Schema Files Used by Directory Server
Schema FilenamePurpose
00core.ldifRecommended core schema from the X.500 and LDAP
standards (RFCs) and schema used by the Directory
Server itself.
05rfc2247.ldifSchema from RFC 2247 and related pilot schema
“Using Domains in LDAP/X.500 Distinguished
Names.”
05rfc2927.ldifSchema from RFC 2927 “MIME Directory Profile for
LDAP Schema.”
10rfc2307.ldifSchema from RFC 2307, “An Approach for Using
LDAP as a Network Information Service.”
Chapter 1About Schema19
Schema Supported by Directory Server
Table 1-2Schema Files Used by Directory Server (Continued)
Schema FilenamePurpose
20subscriber.ldifCommon schema elements for Red Hat-Nortel
subscriber interoperability.
25java-object.ldifSchema from RFC 2713, “Schema for Representing
Java(tm) Objects in an LDAP Directory.”
28pilot.ldifSchema from the pilot RFCs, especially RFC 1274, that
are no longer recommended for use in new
deployments.
30ns-common.ldifCommon schema.
50ns-directory.ldifAdditional schema used by Directory Server 4.x.
Table 1-3Schema Files Used by Other Red Hat Products
Schema FilenamesPurpose
50ns-admin.ldifSchema used by Red Hat Administration Server.
50ns-certificate.ldifSchema for Red Hat Certificate Management System.
Table 1-4Schema Files Used by Legacy Products
Schema FilenamesPurpose
50ns-calendar.ldifNetscape Calendar Server schema.
50ns-compass.ldifSchema for the Netscape Compass Server.
50ns-delegated-admin
Schema for Netscape Delegated Administrator.
.ldif
50ns-mail.ldifSchema for Netscape Messaging Server.
50ns-mcd-browser.ldifSchema for Netscape Mission Control Desktop - Browser.
20Red Hat Directory Server Schema Reference • May 2005
Table 1-4Schema Files Used by Legacy Products (Continued)
Schema FilenamesPurpose
50ns-mcd-config.ldifSchema for Netscape Mission Control Desktop -
Configuration.
50ns-mcd-li.ldifSchema for Netscape Mission Control Desktop - Location
Independence.
50ns-mcd-mail.ldifSchema for Netscape Mission Control Desktop - Mail.
50ns-media.ldifSchema for Netscape Media Server.
50ns-mlm.ldifSchema for Netscape Mailing List Manager.
50ns-msg.ldifSchema for Netscape Web Mail.
50ns-netshare.ldifSchema for Netscape Netshare.
50ns-news.ldifSchema for Netscape Collabra Server.
50ns-proxy.ldifSchema for Netscape Proxy Server.
50ns-wcal.ldifSchema for Netscape Web Calendaring.
Object Identifiers (OIDs)
50ns-web.ldifSchema for Netscape Web Server.
51ns-calendar.ldifSchema for Netscape Calendar Server.
Object Identifiers (OIDs)
Object identifiers (OIDs) are assigned to all attributes and object classes to conform
to the LDAP and X.500 standards. An OID is a sequence of integers, typically
written as a dot-separated string. When no OID is specified, the Directory Server
automatically uses ObjectClass_name-oid and attribute_name-oid.
The Netscape base OID is
2.16.840.1.113730
The base OID for the Directory Server is
2.16.840.1.113730.3
All Netscape-defined attributes have the base OID of
2.16.840.1.113370.3.1
All Netscape-defined object classes have the base OID of
2.16.840.1.113730.3.2
Chapter 1About Schema21
Extending Server Schema
For more information about OIDs or to request a prefix for your enterprise, please
go to the Internet Assigned Number Authority (IANA) web site at
http://www.iana.org/
.
Extending Server Schema
The Directory Server schema includes hundreds of object classes and attributes
that can be used to meet most of your requirements. This schema can be extended
with new object classes and attributes that meet evolving requirements for the
directory service in the enterprise.
When adding new attributes to the schema, a new object class should be created
to contain them. Adding a new attribute to an existing object class can
compromise the Directory Server’s compatibility with existing LDAP clients that
rely on the standard LDAP schema and may cause difficulties when upgrading
the server.
For more information about extending server schema, refer to the Red Hat Directory Server Deployment Guide.
Schema Checking
You should run Directory Server with schema checking turned on.
The schema checking capability of Directory Server checks entries when you add
them to the directory or when you modify them, to verify that:
•Object classes and attributes used in the entry are defined in the directory
schema.
•Attributes required for an object class are contained in the entry.
•Only attributes allowed by the object class are contained in the entry.
Schema checking also occurs when importing a database using LDIF. For more
information, refer to the Red Hat Directory Server Administrator’s Guide.
22Red Hat Directory Server Schema Reference • May 2005
Chapter2
Object Class Reference
This chapter contains an alphabetical list of the object classes accepted by the
default schema. It gives a definition of each object class and lists its required and
allowed attributes. The object classes listed in this chapter are available for you to
use to support your own information in the Red Hat Directory Server (Directory
Server). Object classes that are used by the Directory Server for internal operations
are not documented here. For information about these object classes, please refer to
the Red Hat Directory Server Configuration, Command, and File Reference. Replication
and synchronization object classes are listed in chapter 4, “Operational Attributes,
Special Attributes, and Special Object Classes.”
account
The required attributes listed for an object class must be present in the entry when
that object class is added to the
class, both of these object classes with all required attributes must be present in the
entry. If required attributes are not listed in the
restart.
NOTEThe LDAP RFCs and X.500 standards allow for an object class to
have more than one superior. This behavior is not currently
supported by Directory Server.
Definition
Used to define entries representing computer accounts.
This object class is defined in RFC 1274.
ldif
file. If an object class has a superior object
ldif
file, than the server will not
Chapter 2Object Class Reference23
Superior Class
top
OID
0.9.2342.19200300.100.4.5
Required Attributes
objectClassDefines the object classes for the entry.
uid (userID)Identifies the account’s user ID.
Allowed Attributes
descriptionText description of the entry.
hostHostname of the computer on which the account resides.
l (localityName)Place where the account is located.
o (organizationName)Organization to which the account belongs.
ou (organizationalUnitName)Organizational unit to which the account belongs.
alias
seeAlsoURL to information relevant to the account.
Definition
Used to point to other entries in the directory tree.
Note: Aliasing is not supported in Directory Server.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.1
24Red Hat Directory Server Schema Reference • May 2005
Required Attributes
objectClassDefines the object classes for the entry.
aliasedObjectNameDistinguished name of the entry for which this entry is
cosClassicDefinition
Definition
Identifies the template entry using both the template entry’s DN (as specified in the
cosTemplateDn
specified in the
This object class is defined in Directory Server.
Superior Class
cosSuperDefinition
OID
2.16.840.1.113730.3.2.100
attribute) and the value of one of the target entry’s attributes (as
cosSpecifier
an alias.
attribute).
Required Attributes
objectClassDefines the object classes for the entry.
cosAttributeProvides the name of the attribute for which you want
to generate a value. You can specify more than one
cosAttribute value.
Allowed Attributes
cn (commonName)Common name of the entry.
cosSpecifierSpecifies the attribute value used by a classic CoS,
which, along with the template entry’s DN, identifies
the template entry.
cosTemplateDnProvides the DN of the template entry associated with
the CoS definition.
descriptionText description of the entry.
Chapter 2Object Class Reference25
cosDefinition
Definition
Defines the Class of Services you are using. This object class is supported in order
to provide compatibility with the DS4.1 CoS Plug-in.
This object class is defined in Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.84
Required Attributes
objectClassDefines the object classes for the entry.
Allowed Attributes
aciEvaluates what rights are granted or denied when the
Directory Server receives an LDAP request from a
client.
cn (commonName)Common name of the entry.
cosAttributeProvides the name of the attribute for which you want
to generate a value. You can specify more than one
cosAttribute value.
cosSpecifierSpecifies the attribute value used by a classic CoS,
which, along with the template entry’s DN, identifies
the template entry.
cosTargetTreeDetermines the subtrees of the DIT to which the CoS
schema applies.
cosTemplateDnProvides the DN of the template entry associated with
the CoS definition.
uid (userID)Identifies the user ID.
26Red Hat Directory Server Schema Reference • May 2005
cosIndirectDefinition
Definition
Identifies the template entry using the value of one of the target entry’s attributes.
The attribute of the target entry is specified in the
attribute.
This object class is defined in Directory Server.
Superior Class
cosSuperDefinition
OID
2.16.840.1.113730.3.2.102
Required Attributes
objectClassDefines the object classes for the entry.
cosAttributeProvides the name of the attribute for which you want to
cosIndirectSpecifier
generate a value. You can specify more than one
cosAttribute value.
Allowed Attributes
cn (commonName)Common name of the entry.
cosIndirectSpecifierSpecifies the attribute value used by an indirect CoS to
descriptionText description of the entry.
cosPointerDefinition
Definition
Identifies the template entry associated with the CoS definition using the template
entry’s DN value. The DN of the template entry is specified in the
attribute.
This object class is defined in Directory Server.
identify the template entry.
cosTemplateDn
Chapter 2Object Class Reference27
Superior Class
cosSuperDefinition
OID
2.16.840.1.113730.3.2.101
Required Attributes
objectClassDefines the object classes for the entry.
cosAttributeProvides the name of the attribute for which you want to
generate a value. You can specify more than one
cosAttribute value.
Allowed Attributes
cn (commonName)Common name of the entry.
cosTemplateDnProvides the DN of the template entry associated with
the CoS definition.
descriptionText description of the entry.
cosSuperDefinition
Definition
All CoS definition object classes inherit from the
class.
This object class is defined in Directory Server.
Superior Class
ldapSubEntry
OID
2.16.840.1.113730.3.2.99
Required Attributes
objectClassDefines the object classes for the entry.
28Red Hat Directory Server Schema Reference • May 2005
cosSuperDefinition
object
cosAttributeProvides the name of the attribute for which you want to
Allowed Attributes
cn (commonName)Common name of the entry.
descriptionText description of the entry.
cosTemplate
Definition
Contains a list of the shared attribute values.
This object class is defined in Directory Server.
Superior Class
top
generate a value. You can specify more than one
cosAttribute value.
OID
2.16.840.1.113730.3.2.128
Required Attributes
objectClassDefines the object classes for the entry.
Allowed Attributes
cn (commonName)Common name of the entry.
cosPrioritySpecifies which template provides the attribute
value when CoS templates compete to provide an
attribute value.
Chapter 2Object Class Reference29
country
Definition
Used to define entries that represent countries.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.2
Required Attributes
objectClassDefines the object classes for the entry.
c (countryName)Contains the two-character code representing country
names, as defined by ISO, in the directory.
dcObject
Allowed Attributes
descriptionText description of the country.
searchGuideSpecifies information for suggested search criteria when
using the entry as the base object in the directory tree for
a search operation.
Definition
Allows domain components to be defined for an entry. This object class is defined
as auxiliary because it is commonly used in combination with another object class,
such as
o (organizationName), ou
(organizationalUnitName), or
l (localityName)
. For
example:
30Red Hat Directory Server Schema Reference • May 2005
dn: dc=example,dc=com
objectClass: top
objectClass: organization
objectClass: dcObject
dc: example
o: Example Corporation
This object class is defined in RFC 2247.
Superior Class
top
OID
1.3.6.1.4.1.1466.344
Required Attributes
objectClassDefines the object classes for the entry.
dc (domainComponent)One component of a domain name.
device
Definition
Used to store information about network devices, such as printers, in the directory.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.14
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)Common name of the device.
Chapter 2Object Class Reference31
descriptionText description of the device.
l (localityName)Place where the device is located.
o (organizationName)Organization to which the device belongs.
ou (organizationalUnitName)Organizational unit to which the device belongs.
ownerDistinguished name of the person responsible for the
seeAlsoURL to information relevant to the device.
serialNumberSerial number of the device.
document
Allowed Attributes
device.
Definition
Used to define entries which represent documents in the directory.
This object class is defined in RFC 1274.
Superior Class
top
OID
0.9.2342.19200300.100.4.6
Required Attributes
objectClassDefines the object classes for the entry.
documentIdentifierUnique identifier for a document.
Allowed Attributes
abstractAbstract of the document.
audioStores a sound file in binary format.
authorCnAuthor’s common or given name.
32Red Hat Directory Server Schema Reference • May 2005
authorSnAuthor’s surname.
cn (commonName)Common name of the document.
descriptionText description of the document.
dITRedirectDistinguished name to use as a redirect for the entry.
documentAuthorDistinguished name of the document author.
documentLocationLocation of the original document.
documentPublisherPerson or organization that published the document.
documentStoreNot defined.
documentTitleThe document’s title.
documentVersionThe document’s version number.
infoInformation about the object.
jpegPhotoPhoto in jpeg format.
keyWordsKeywords that describe the document.
l (localityName)Place where the document is located.
lastModifiedByDistinguished name of the last user to modify the
document.
lastModifiedTimeLast time the document was modified.
managerDistinguished name of the object’s manager.
o (organizationName)Organization to which the document belongs.
obsoletedByDocumentDistinguished name of a document that obsoletes this
document.
obsoletesDocumentDistinguished name of a document that is obsoleted by
this document.
ou (organizationalUnitName)Organizational unit to which the document belongs.
photoPhoto of the document, in binary form.
seeAlsoURL to information relevant to the document.
subjectSubject of the document.
uniqueIdentifierSpecific item used to distinguish between two entries
when a distinguished name has been reused.
updatedByDocumentDistinguished name of a document that is an updated
version of this document.
Chapter 2Object Class Reference33
updatesDocumentDistinguished name of a document for which this
documentSeries
Definition
Used to define an entry that represents a series of documents.
This object class is defined in RFC 1274.
Superior Class
top
OID
0.9.2342.19200300.100.4.9
Required Attributes
objectClassDefines the object classes for the entry.
document is an updated version.
cn (commonName)The common name of the series.
Allowed Attributes
descriptionText description of the series.
l (localityName)Place where the series is located.
o (organizationName)Organization to which the series belongs.
ou (organizationalUnitName)Organizational unit to which the series belongs.
seeAlsoURL to information relevant to the series.
telephoneNumberTelephone number of the person responsible for the
series.
34Red Hat Directory Server Schema Reference • May 2005
domain
Definition
Used to define entries that represent DNS domains in the directory. The
(domainComponent)
attribute should be used for naming entries of this object
class.
dc
Used to represent Internet domain names (e.g.,
The
domain
object class can only be used with an entry that does not correspond to
example.com
).
an organization, organizational unit or other type of object for which an object class
has been defined. The
domain
object class requires that the
dc (domainComponent)
attribute be present and permits several other attributes to be present in the entry.
This object class is defined in RFC 2247.
Superior Class
top
OID
0.9.2342.19200300.100.4.13
Required Attributes
objectClassDefines the object classes for the entry.
dc (domainComponent)One component of a domain name.
Allowed Attributes
associatedNameEntry in the organizational directory tree associated with
businessCategoryType of business in which this domain is engaged.
descriptionText description of the domain.
destinationIndicatorCountry and city associated with the entry; needed to
fax
(facsimileTelephoneNumber)
internationalISDNNumberDomain’s ISDN number.
l (localityName)Place where the domain is located.
a DNS domain.
provide Public Telegram Service.
Domain’s fax number.
Chapter 2Object Class Reference35
o (organizationName)Organization to which the domain belongs.
physicalDeliveryOfficeNameLocation where physical deliveries can be made.
postOfficeBoxDomain’s post office box.
postalAddressDomain’s mailing address.
postalCodeThe postal code for this address (such as a United States
zip code).
preferredDeliveryMethodDomain’s preferred method of contact or delivery.
registeredAddressPostal address suitable for reception of expedited
documents when the recipient must verify delivery.
searchGuideSpecifies information for suggested search criteria when
using the entry as the base object in the directory tree for
a search operation.
seeAlsoURL to information relevant to the domain.
st (stateOrProvinceName)State or province where the domain is located.
streetStreet address where the domain is located.
telephoneNumberDomain’s telephone number.
teletexTerminalIdentifierIdentifier for a domain’s teletex terminal.
telexNumberDomain’s telex number.
userPasswordPassword with which the entry can bind to the directory.
x121AddressX.121 address of the domain.
domainRelatedObject
Definition
Used to define entries which represent DNS/NRS domains which are
“equivalent” to an X.500 domain; for example, an organization or organizational
unit.
This object class is defined in RFC 1274.
Superior Class
top
OID
0.9.2342.19200300.100.4.17
36Red Hat Directory Server Schema Reference • May 2005
dSA
Required Attributes
objectClassDefines the object classes for the entry.
associatedDomainSpecifies a DNS domain associated with an object in the
directory tree.
Definition
Used to define entries representing DSAs in the directory.
This object class is defined in RFC 1274.
Superior Class
top
OID
2.5.6.13
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The common name of the series.
presentationAddressContains an OSI presentation address for the entry.
Allowed Attributes
descriptionText description of the series.
knowledgeInformationThis attribute is no longer used.
l (localityName)Place where the series is located.
o (organizationName)Organization to which the series belongs.
ou (organizationalUnitName)Organizational unit to which the series belongs.
seeAlsoURL to information relevant to the series.
supportedApplicationContextThis attribute contains the identifiers of OSI
application contexts.
Chapter 2Object Class Reference37
extensibleObject
Definition
When present in an entry,
optionally any attribute. The allowed attribute list of this class is implicitly the set
of all attributes known to the server.
This object class is defined in RFC 2252.
Superior Class
top
OID
1.3.6.1.4.1.1466.101.120.111
Required Attributes
objectClassDefines the object classes for the entry.
Allowed Attributes
All attributes known to the server.
extensibleObject
permits the entry to hold
friendlyCountry
Definition
Used to define country entries in the directory tree. This object class is used to
allow more user-friendly country names than those allowed by the country object
class.
This object class is defined in RFC 1274.
Superior Class
top
OID
0.9.2342.19200300.100.4.18
38Red Hat Directory Server Schema Reference • May 2005
Required Attributes
objectClassDefines the object classes for the entry.
co (friendlyCountryName)Stores the name of a country.
c (countryName)Contains the two-character code representing country
Allowed Attributes
descriptionText description of the country.
searchGuideSpecifies information for suggested search criteria when
groupOfCertificates
names, as defined by ISO, in the directory.
using the entry as the base object in the directory tree for
a search operation.
Definition
Used to describe a set of X.509 certificates. Any certificate that matches one of the
memberCertificateDescription
values is considered a member of the group.
This object class is defined in Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.31
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The group’s common name.
Chapter 2Object Class Reference39
Allowed Attributes
businessCategoryType of business in which the group is engaged.
descriptionText description of the group’s purpose.
memberCertificateDescriptionValues used to determine if a particular certificate is a
o (organizationName)Organization to which the group of certificates belongs.
ou (organizationalUnitName)Organizational unit to which the group belongs.
ownerDistinguished name of the person responsible for the
seeAlsoURL to information relevant to the group.
groupOfNames
Definition
Used to define entries for a group of names.
member of this group.
group.
Note: The definition in Directory Server differs from the standard definition. In
the standard definition,
member
is an allowed attribute. Directory Server therefore allows a group to have
member
is a required attribute. In Directory Server,
no member.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.9
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The group’s common name.
40Red Hat Directory Server Schema Reference • May 2005
Allowed Attributes
businessCategoryType of business in which the group is engaged.
descriptionText description of the group’s purpose.
memberDistinguished name of a group member.
o (organizationName)Organization to which the group belongs.
ou (organizationalUnitName)Organizational unit to which the group belongs.
ownerDistinguished name of the person responsible for the
seeAlsoURL to information relevant to the group.
groupOfUniqueNames
Definition
Used to define entries for a group of unique names.
Note: The definition in Directory Server differs from the standard definition. In the
standard definition,
uniquemember
have no member.
uniquemember
is an allowed attribute. Directory Server therefore allows a group to
group.
is a required attribute. In Directory Server,
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.17
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The group’s common name.
Chapter 2Object Class Reference41
Allowed Attributes
businessCategoryType of business in which the group is engaged.
descriptionText description of the group’s purpose.
o (organizationName)Organization to which the group belongs.
ou (organizationalUnitName)Organizational unit to which the group belongs.
ownerDistinguished name of the person responsible for the
seeAlsoURL to information relevant to the group.
uniqueMemberDistinguished name of a unique group member.
groupOfURLs
Definition
An auxiliary object class of
consists of a list of labeled URLs.
group.
groupOfUniqueNames
or
groupOfNames
. The group
This object class is defined in Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.33
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The group’s common name.
Allowed Attributes
businessCategoryType of business in which the group is engaged.
descriptionText description of the group’s purpose.
memberURLURL associated with each member of the group.
42Red Hat Directory Server Schema Reference • May 2005
o (organizationName)Organization to which the group belongs.
ou (organizationalUnitName)Organizational unit to which the group belongs.
ownerDistinguished name of the person responsible for the
seeAlsoURL to information relevant to the group.
inetOrgPerson
Definition
Used to define entries representing people in an organization’s enterprise network.
Inherits
This object class is defined in RFC 2798.
Superior Class
person
OID
2.16.840.1.113730.3.2.2
cn (commonName)
group.
and
sn (surname)
from the
person
object class.
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The person’s common name.
sn (surname)The person’s surname or last name.
Allowed Attributes
audioStores a sound file in binary format.
businessCategoryType of business in which the person is engaged.
carLicenseThe license plate number of the person’s vehicle.
departmentNumberDepartment for which the person works.
descriptionText description of the person.
Chapter 2Object Class Reference43
destinationIndicatorCountry and city associated with the entry; needed to
provide Public Telegram Service.
displayNamePreferred name of a person to be used when displaying
entries.
employeeNumberThe person’s employee number.
employeeTypeThe person’s type of employment (for example, full
time).
fax
The person’s fax number.
(facsimileTelephoneNumber)
givenNameThe person’s given or first name.
homePhoneThe person’s home phone number.
homePostalAddressThe person’s home mailing adress.
initialsThe person’s initials.
internationalISDNNumberThe person’s ISDN number.
jpegPhotoPhoto in JPEG format.
l (localityName)Place where the person is located.
labeledURIURL that is relevant to the person.
mailThe person’s email address.
managerDistinguished name of the object’s manager.
mobileThe person’s mobile phone number.
o (organizationName)Organization to which the person belongs.
uid (userID)Identifies the person’s user ID (usually the logon ID).
userCertificateStores a user’s certificate in cleartext (not used).
userPasswordPassword with which the entry can bind to the directory.
userSMIMECertificateStores a user’s certificate in binary form. Used by
x121AddressX.121 address of the person.
x500UniqueIdentifierReserved.
labeledURIObject
Definition
This object class can be added to existing directory objects to allow for inclusion of
URI values. This approach does not preclude including the
type directly in other object classes as appropriate.
This object class is defined in RFC 2079.
Superior Class
top
Netscape Communicator for S/MIME.
labeledURI
attribute
Chapter 2Object Class Reference45
locality
OID
1.3.6.1.4.1.250.3.15
Required Attributes
objectClassDefines the object classes for the entry.
Allowed Attributes
labeledURIUniversal Resource Locator that is relevant to the entry.
Definition
Used to define entries that represent localities or geographic areas.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.3
Required Attributes
objectClassDefines the object classes for the entry.
Allowed Attributes
descriptionText description of the locality.
l (localityName)Place where the entry is located.
searchGuideSpecifies information for a suggested search criteria
when using the entry as the base object in the directory
tree for a search operation.
46Red Hat Directory Server Schema Reference • May 2005
seeAlsoURL to information relevant to the locality.
st (stateOrProvinceName)State or province to which the locality belongs.
streetStreet address associated with the locality.
mailGroup
Definition
Defines the mail attributes for a group.
This object class is defined in Netscape Messaging Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.4
Required Attributes
objectClassDefines the object classes for the entry.
Allowed Attributes
cn (commonName)The common name of the group.
mailThe email address of the group.
mailAlternateAddressIdentifies alternate email addresses used by a person.
mailHostName of the server which sends and receives email for
the mail group.
ownerThe DN of the person responsible for the entry.
Chapter 2Object Class Reference47
newPilotPerson
Definition
Used as a subclass of
to be assigned to entries of the
sn (surname)
This object class is defined in Internet White Pages Pilot.
Superior Class
person
OID
0.9.2342.19200300.100.4.4
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The person’s common name.
sn (surname)The person’s surname or last name.
person
from the
to allow the use of a number of additional attributes
person
person
object class.
object class. Inherits
cn (commonName)
and
Allowed Attributes
businessCategoryType of business in which this person is engaged.
descriptionText description of the person.
drink (favoriteDrink)The person’s favorite drink.
homePhoneThe person’s home phone number.
homePostalAddressThe person’s home mailing address.
janetMailboxThe person’s email address.
mailThe person’s email address.
mailPreferenceOptionIndicates a preference for inclusion of the person’s name
mobileThe person’s mobile phone number.
organizationalStatusThe common job category for the person’s function.
otherMailboxValues for electronic mailbox types other than X.400 and
48Red Hat Directory Server Schema Reference • May 2005
on mailing lists (electronic or physical).
rfc822.
pagerThe person’s pager number.
personalSignatureThe person’s signature file.
personalTitleThe person’s honorific.
preferredDeliveryMethodThe person’s preferred method of contact or delivery.
roomNumberThe person’s room number.
secretaryDistinguished name of the person’s secretary or
uid (userID)Identifies the person’s user ID (usually the logon ID).
userClassIdentifies the type of computer user this entry is.
userPasswordPassword with which the entry can bind to the directory.
nsComplexRoleDefinition
Definition
Any role that is not a simple role is, by definition, a complex role.
This object class is defined in Directory Server.
Superior Class
nsRoleDefinition
OID
2.16.840.1.113730.3.2.95
Required Attributes
objectClassDefines the object classes for the entry.
Chapter 2Object Class Reference49
Allowed Attributes
cn (commonName)The entry’s common name.
descriptionText description of the entry.
nsFilteredRoleDefinition
Definition
Specifies assignment of entries to the role, depending upon the attributes
contained by each entry.
This object class is defined in Directory Server.
Superior Class
nsComplexRoleDefinition
OID
2.16.840.1.113730.3.2.97
Required Attributes
objectClassDefines the object classes for the entry.
nsRoleFilterSpecifies the filter assigned to an entry.
Allowed Attributes
cn (commonName)The entry’s common name.
descriptionText description of the entry.
50Red Hat Directory Server Schema Reference • May 2005
nsLicenseUser
Definition
Used to track licenses for servers that are licensed on a per-client basis.
nsLicenseUser
can manage the contents of this object class through the Users and Groups area of
the Red Hat Administration Server.
This object class is defined in the Administration Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.7
Required Attributes
objectClassDefines the object classes for the entry.
is intended to be used with the
inetOrgPerson
object class. You
Allowed Attributes
nsLicensedForServer that the user is licensed to use.
nsLicenseEndTimeReserved for future use.
nsLicenseStartTimeReserved for future use.
nsManagedRoleDefinition
Definition
Specifies assignment of a role to an explicit, enumerated list of members.
This object class is defined in Directory Server.
Superior Class
nsSimpleRoleDefinition
Chapter 2Object Class Reference51
OID
2.16.840.1.113730.3.2.96
Required Attributes
objectClassDefines the object classes for the entry.
Allowed Attributes
cn (commonName)The entry’s common name.
descriptionText description of the entry.
nsNestedRoleDefinition
Definition
Specifies containment of one or more roles of any type within the role.
This object class is defined in Directory Server.
Superior Class
nsComplexRoleDefinition
OID
2.16.840.1.113730.3.2.98
Required Attributes
objectClassDefines the object classes for the entry.
nsRoleDnSpecifies the roles assigned to an entry.
Allowed Attributes
cn (commonName)The entry’s common name.
descriptionText description of the entry.
52Red Hat Directory Server Schema Reference • May 2005
nsRoleDefinition
Definition
All role definition object classes inherit from the
This object class is defined in Directory Server.
Superior Class
ldapSubEntry
OID
2.16.840.1.113730.3.2.93
Required Attributes
objectClassDefines the object classes for the entry.
Allowed Attributes
cn (commonName)The entry’s common name.
nsRoleDefinition
object class.
descriptionText description of the entry.
nsSimpleRoleDefinition
Definition
Roles containing this object class are called simple roles because they have a
deliberately limited flexibility, which makes it easy to:
•Enumerate the members of a role.
•Determine whether a given entry possesses a particular role.
•Enumerate all the roles possessed by a given entry.
•Assign a particular role to a given entry.
•Remove a particular role from a given entry.
This object class is defined in Directory Server.
Chapter 2Object Class Reference53
ntGroup
Superior Class
nsRoleDefinition
OID
2.16.840.1.113730.3.2.94
Required Attributes
objectClassDefines the object classes for the entry.
Allowed Attributes
cn (commonName)The entry’s common name.
descriptionText description of the entry.
Definition
Holds data for a group entry stored in a Windows Active Directory or NT server.
Several Directory Server attributes correspond directly to or are mapped to match
Windows group attributes. When you create a new group in the Directory Server
that is to be synchronized with a Windows server group, Directory Server
attributes will be assigned to the Windows entry as shown in the attribute table
below. These attributes may then be added, modified, or deleted in the entry
through either directory service.
Superior Class
top
OID
2.16.840.1.113730.3.2.9
Required Object Classes
mailGroupAllows the mail attribute to be synchronized between
Windows and Directory Server groups.
54Red Hat Directory Server Schema Reference • May 2005
Required Attributes
cn (commonName)The entry’s common name; corresponds to the Windows
name field.
ntGroupTypeSpecifies the type of group.
objectClassDefines the object classes for the entry.
Allowed Attributes
descriptionText description of the group; corresponds to the
Windows comment field.
l (localityName)Place where the group is located.
memberSpecifies the members of the group.
ntGroupAttributesPointer to a binary file containing information about the
group.
ntGroupCreateNewGroupSpecifies whether a Windows account should be created
when this entry is created in the Directory Server.
ntGroupDeleteGroupSpecifies whether the user's Windows account should be
deleted when this entry is deleted from the Directory
Server.
ntGroupDomainIdSpecifies the domain ID string for the group.
ntUniqueIdGenerated ID number used by the server for operations
and identification.
ou (organizationalUnitName)Organizational unit to which the group belongs.
seeAlsoURL to information relevant to the group.
Chapter 2Object Class Reference55
ntUser
Definition
Holds data for a user entry stored in a Windows Active Directory or NT server.
Several Directory Server attributes correspond directly to or are mapped to match
Windows user account fields. When you create a new person entry in the
Directory Server that is to be synchronized with a Windows server, Directory
Server attributes will be assigned to Windows user account fields as shown in the
attribute table below. These attributes may then be added, modified, or deleted in
the entry through either directory service.
Superior Class
top
OID
2.16.840.1.113730.3.2.8
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The entry’s common name; corresponds to the Windows
name field.
ntUserDomainIdWindows domain login ID.
Allowed Attributes
descriptionText description of the user; corresponds to the
destinationIndicatorCountry and city associated with the entry; needed to
fax
(facsimileTelephoneNumber)
givenNameThe person’s given or first name.
homePhoneThe person’s home phone number.
homePostalAddressThe person’s home mailing adress.
initialsThe person’s initials.
l (localityName)Place where the user is located.
56Red Hat Directory Server Schema Reference • May 2005
Windows comment field.
provide Public Telegram Service.
The person’s fax number.
mailThe person’s email address.
managerThe manager of the person.
mobileThe person’s mobile phone number.
ntUserAcctExpiresIdentifies when the user's Windows account will expire.
ntUserCodePageThe user's code page.
ntUserCreateNewAccountSpecifies whether a Windows account should be created
when this entry is created in the Directory Server.
ntUserDeleteAccountSpecifies whether the user's Windows account should be
deleted when this entry is deleted from the Directory
Server.
ntUserHomeDirPath to the user's home directory.
ntUserLastLogoffTime of the user's last logoff from the Windows server.
ntUserLastLogonTime of the user's last logon to the Windows server.
ntUserLogonHoursIdentifies the times during which the user may log on.
ntUserMaxStorageMaximum disk space available to the user in the
Windows server.
ntUserParmsUnicode string reserved for use by applications.
ntUserProfilePath to the user's Windows profile.
ntUserScriptPathPath to the user's Windows login script.
ntUserWorkstationsWindows workstations from which the user is allowed
to log into the Windows domain.
o (organizationName)Organization to which the person belongs.
ou (organizationalUnitName)Organizational unit to which the person belongs.
postalCodeThe postal code for this address (such as a United States
zip code).
postOfficeBoxThe user’s post office box.
registeredAddressPostal address suitable for reception of expediated
documents, where the recipient must verify delivery.
seeAlsoURL to information relevant to the user.
sn (surname)The entry’s surname or last name.
st (stateOrProvinceName)State or province where the user is located.
Chapter 2Object Class Reference57
streetStreet address where the user is located.
telephoneNumberTelephone number associated with the person.
teletexTerminalIdentifierIdentifier for a telex terminal associated with the user.
telexNumberTelex number associated with the user.
titleThe person’s job title.
userCertificateStores a user’s certificate in cleartext (not used).
x121AddressX.121 address associated with the entry.
organization
Definition
Used to define entries that represent organizations. An organization is generally
assumed to be a large, relatively static grouping within a larger corporation or
enterprise.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.4
Required Attributes
objectClassDefines the object classes for the entry.
o (organizationName)The name of the organization.
Allowed Attributes
businessCategoryType of business in which the organization is engaged.
descriptionText description of the organization.
destinationIndicatorCountry and city associated with the entry; needed to
provide Public Telegram Service.
58Red Hat Directory Server Schema Reference • May 2005
userPasswordPassword with which the entry can bind to the directory.
x121AddressX.121 address of the person.
organizationalRole
Definition
Used to define entries that represent roles held by people within an organization.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.8
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The role’s common name.
Allowed Attributes
descriptionText description of the role.
destinationIndicatorCountry and city associated with the entry; needed to
provide Public Telegram Service.
fax (facsimileTelephoneNumber)Fax number of the person in the role.
internationalISDNNumberISDN number of the person in the role.
l (localityName)Place where the person in the role is located.
Chapter 2Object Class Reference61
ou (organizationalUnitName)Organizational unit to which the person in the role
belongs.
physicalDeliveryOfficeNameLocation where physical deliveries can be made to the
person in the role.
postalAddressThe mailing address for the person in the role.
postalCodeThe postal code for this address (such as a United States
zip code).
postOfficeBoxThe post office box for the person in the role.
preferredDeliveryMethodPreferred method of contact or delivery of the person in
the role.
registeredAddressPostal address suitable for reception of expedited
documents when the recipient must verify delivery.
roleOccupantDistinguished name of the person in the role.
seeAlsoURL to information relevant to the person in the role.
st (stateOrProvinceName)State or province where the person in the role is located.
streetStreet address where the person in the role is located.
telephoneNumberThe person’s telephone number.
teletexTerminalIdentifierIdentifier for the teletex terminal of the person in the
telexNumberTelex number of the person in the role.
x121AddressX.121 address of the person in the role.
organizationalUnit
Definition
Used to define entries that represent organizational units. An organizational unit
is generally assumed to be a relatively static grouping within a larger
organization.
This object class is defined in RFC 2256.
Superior Class
top
role.
62Red Hat Directory Server Schema Reference • May 2005
OID
2.5.6.5
Required Attributes
objectClassDefines the object classes for the entry.
ou
The name of the organizational unit.
(organizationalUnitName)
Allowed Attributes
businessCategoryType of business in which the organizational unit is
engaged.
descriptionText description of the organizational unit.
destinationIndicatorCountry and city associated with the organizational
teletexTerminalIdentifierIdentifier for the organizational unit’s teletex terminal.
telexNumberThe organization’s telex number.
userPasswordPassword with which the entry can bind to the
directory.
x121AddressX.121 address of the organizational unit.
Definition
Used to define entries that generically represent people. This object class is the
base class for the
organizationalPerson
object class.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.6
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The person’s common name.
sn (surname)The person’s surname or last name.
Allowed Attributes
descriptionText description of the person.
seeAlsoURL to information relevant to the person.
telephoneNumberThe person’s telephone number.
64Red Hat Directory Server Schema Reference • May 2005
userPasswordPassword with which the entry can bind to the
pilotObject
Definition
Used as a subclass to allow additional attributes to be assigned to entries of all
other object classes.
This object class is defined in RFC 1274.
Superior Class
top
OID
0.9.2342.19200300.100.4.3
Required Attributes
objectClassDefines the object classes for the entry.
directory.
Allowed Attributes
audioStores a sound file in binary format.
dITRedirectDistinguished name to use as a redirect for the entry.
infoInformation about the object.
jpegPhotoPhoto in jpeg format.
lastModifiedByDistinguished name of the last user to modify the object.
lastModifiedTimeLast time the object was modified.
managerDistinguished name of the object’s manager.
photoPhoto of the object.
uniqueIdentifierSpecific item used to distinguish between two entries
when a distinguished name has been reused.
Chapter 2Object Class Reference65
pilotOrganization
Definition
Used as a subclass to allow additional attributes to be assigned to
and
organizationalUnit
This object class is defined in RFC 1274.
Superior Class
top
OID
0.9.2342.19200300.100.4.20
Required Attributes
objectClassDefines the object classes for the entry.
o (organizationName)Organization to which the entry belongs.
ou (organizationalUnitName)Organizational unit to which the entry belongs.
object class entries.
organization
Allowed Attributes
buildingNameName of the building where the entry is located.
businessCategoryType of business in which the entry is engaged.
descriptionText description of the entry.
destinationIndicatorCountry and city associated with the pilot organization;
needed to provide Public Telegram Service.
fax (facsimileTelephoneNumber)The pilot organization’s fax number.
internationalISDNNumberThe pilot organization’s ISDN number.
l (localityName)Place where the pilot organization is located.
physicalDeliveryOfficeNameLocation where physical deliveries can be made to the
pilot organization.
postalAddressThe pilot organization’s mailing address.
postalCodeThe postal code for this address (such as a United States
zip code).
postOfficeBoxThe pilot organization’s post office box.
66Red Hat Directory Server Schema Reference • May 2005
preferredDeliveryMethodThe pilot organization’s preferred method of contact or
delivery.
registeredAddressPostal address suitable for reception of expedited
documents when the recipient must verify delivery.
searchGuideSpecifies information for suggested search criteria when
using the entry as the base object in the directory tree for
a search operation.
seeAlsoURL to information relevant to the pilot organization.
st (stateOrProvinceName)State or province where the pilot organization is located.
streetStreet address where the pilot organization is located.
telephoneNumberThe pilot organization’s telephone number.
teletexTerminalIdentifierIdentifier for the pilot organization’s teletex terminal.
telexNumberThe pilot organization’s telex number.
userPasswordPassword with which the entry can bind to the directory.
x121AddressX.121 address of the pilot organization.
residentialPerson
Definition
Used by the Directory Server to contain a person’s residential information.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.10
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)The person’s common name.
l (localityName)Place in which the person resides.
sn (surname)The person’s surname or last name.
Chapter 2Object Class Reference67
Allowed Attributes
businessCategoryType of business in which the person is engaged.
descriptionText description of the person.
destinationIndicatorCountry and city associated with the entry; needed to
provide Public Telegram Service.
fax
(facsimileTelephoneNumber)
internationalISDNNumberThe person’s ISDN number.
physicalDeliveryOfficeNameLocation where physical deliveries can be made to the
postalAddressThe person’s business mailing address.
postalCodeThe postal code for this address (such as a United States
postOfficeBoxThe person’s business post office box.
preferredDeliveryMethodThe person’s preferred method of contact or delivery.
registeredAddressPostal address suitable for reception of expedited
seeAlsoURL to information relevant to the person.
st (stateOrProvinceName)State or province where the person resides.
streetStreet address where the person is located.
telephoneNumberThe person’s telephone number.
teletexTerminalIdentifierIdentifier for the person’s teletex terminal.
The person’s fax number.
person.
zip code).
documents when the recipient must verify delivery.
telexNumberThe person’s telex number.
userPasswordPassword with which the entry can bind to the directory.
x121AddressX.121 address of the entry.
RFC822LocalPart
Definition
Used to define entries that represent the local part of RFC 822 mail addresses. The
directory treats this part of an RFC 822 address as a domain.
This object class is defined in by the Internet Directory Pilot.
68Red Hat Directory Server Schema Reference • May 2005
Superior Class
domain
OID
0.9.2342.19200300.100.4.14
Required Attributes
objectClassDefines the object classes for the entry.
dc (domainComponent)Domain component of the entry.
Allowed Attributes
associatedNameEntry in the organizational directory tree associated with
a DNS domain.
businessCategoryType of business in which this local part is engaged.
cn (commonName)The local part’s common name.
descriptionText description of the local part.
destinationIndicatorCountry and city associated with the entry; needed to
provide Public Telegram Service.
fax (facsimileTelephoneNumber)The local part’s fax number.
internationalISDNNumberThe local part’s ISDN number.
l (localityName)Place where the local part is located.
o (organizationName)Organization to which the local part belongs.
physicalDeliveryOfficeNameLocation where physical deliveries can be made to the
local part.
postalAddressThe local part’s mailing address.
postalCodeThe postal code for this address (such as a United States
zip code).
postOfficeBoxThe local part’s post office box.
preferredDeliveryMethodLocal part’s preferred method of contact or delivery.
registeredAddressPostal address suitable for reception of expediated
documents, where the recipient must verify delivery.
Chapter 2Object Class Reference69
room
searchGuideSpecifies information for suggested search criteria when
using the entry as the base object in the directory tree for
a search operation.
seeAlsoURL to information relevant to the local part.
sn (surname)The entry’s surname or last name.
st (stateOrProvinceName)State or province where the local part is located.
streetStreet address where the local part is located.
telephoneNumberTelephone number associated with the local part.
teletexTerminalIdentifierIdentifier for a telex terminal associated with the local
part.
telexNumberTelex number associated with the local part.
userPasswordPassword with which the entry can bind to the directory.
x121AddressX.121 address associated with the entry.
Definition
Used to store information in the directory about a room.
This object class is defined in RFC 1274.
Superior Class
top
OID
0.9.2342.19200300.100.4.7
Required Attributes
objectClassDefines the object classes for the entry.
cn (commonName)Common name of the room.
Allowed Attributes
descriptionText description of the room.
70Red Hat Directory Server Schema Reference • May 2005
roomNumberThe room’s number.
seeAlsoURL to information relevant to the room.
telephoneNumberThe room’s telephone number.
strongAuthenticationUser
Definition
Used to store a user’s certificate entry in the directory.
This object class is defined in RFC 2256.
Superior Class
top
OID
2.5.6.15
Required Attributes
objectClassDefines the object classes for the entry.
userCertificateStores a user’s certificate, usually in binary form.
simpleSecurityObject
Definition
Used to allow an entry to contain the
principal object classes do not allow
for future use.
This object class is defined in RFC 1274.
Superior Class
top
OID
0.9.2342.19200300.100.4.19
userPassword
userPassword
attribute when an entry's
as an attribute type. Reserved
Chapter 2Object Class Reference71
Required Attributes
objectClassDefines the object classes for the entry.
userPasswordPassword with which the entry can bind to the directory.
72Red Hat Directory Server Schema Reference • May 2005
Chapter3
Attribute Reference
This chapter contains reference information about Red Hat Directory Server
(Directory Server) attributes. The attributes are listed in alphabetical order with
their definition, syntax, and OID.
For information on replication and synchronization attributes, refer to the Red Hat Directory Server Configuration, Command, and File Reference.
abstract
Definition
Provides an abstract of a document entry.
This attribute is defined in Internet White Pages Pilot.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.102.1.9
73
aliasedObjectName
Definition
Used by the Directory Server to identify alias entries in the directory. Contains the
distinguished name of the entry for which it is an alias.
Contains the name of a country. Often, the
two-character code for a country, and the
to describe the actual country name.
or
LDAPServer
friendlyCountryName
country
object classes:
attribute is used to describe a
attribute is used
For example:
friendlyCountryName: Ireland
or
co: Ireland
This attribute is defined in RFC 1274.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.100.1.43
80Red Hat Directory Server Schema Reference • May 2005
cosAttribute
Description
Provides the name of the attribute for which you want to generate a value. You can
specify more than one
CoS definition entries.
This attribute is defined in Directory Server.
Syntax
Directory String, multi-valued.
OID
2.16.840.1.113730.3.1.550
cosIndirectSpecifier
Description
Specifies the attribute values used by an indirect CoS to identify the template entry.
cosAttribute
value. This attribute is used by all types of
This attribute is defined in Directory Server.
Syntax
DirectoryString, single-valued.
OID
2.16.840.1.113730.3.1.577
cosPriority
Definition
Specifies which template provides the attribute value when CoS templates compete
to provide an attribute value. This attribute represents the global priority of a
particular template. A priority of zero is the highest priority.
This attribute is defined in Directory Server.
Chapter 3Attribute Reference81
Syntax
INTEGER, single-valued.
OID
2.16.840.1.113730.3.1.569
cosSpecifier
Description
Specifies the attribute value used by a classic CoS, which, along with the template
entry’s DN, identifies the template entry.
This attribute is defined in Directory Server.
Syntax
DirectoryString, single-valued.
OID
2.16.840.1.113730.3.1.551
cosTargetTree
Definition
Determines the subtrees of the DIT to which the CoS schema applies. The values
for this attribute for the schema and for multiple CoS schema may overlap their
target trees in an arbitrary fashion.
This attribute is defined in Directory Server.
Syntax
DirectoryString, single-valued.
OID
2.16.840.1.113730.3.1.552
82Red Hat Directory Server Schema Reference • May 2005
cosTemplateDn
Definition
The DN of the template entry which contains a list of the shared attribute values.
Changes to the template entry attribute values are automatically applied to all the
entries within the scope of the CoS. A single CoS might have more than one
template entry associated with it.
This attribute is defined in Directory Server.
Syntax
DirectoryString, single-valued.
OID
2.16.840.1.113730.3.1.553
crossCertificatePair
Definition
This attribute is to be stored and requested in the binary form, as
crossCertificatePair;binary
.
For example:
crosscertificatepair;binary:: AAAAAA==
This attribute is defined in RFC 2256.
Syntax
Binary, multi-valued.
OID
2.5.4.40
dc (domainComponent)
Definition
Specifies one component of a domain name.
For example:
Chapter 3Attribute Reference83
domainComponent: example
or
dc: example
This attribute is defined in RFC 2247.
Syntax
DirectoryString, single-valued.
OID
0.9.2342.19200300.100.1.25
deltaRevocationList
Definition
This attribute is to be stored and requested in the binary form, as
deltaRevocationList;binary
This attribute is defined in RFC 2256.
.
Syntax
Binary, multi-valued.
OID
2.5.4.53
departmentNumber
Definition
Identifies the entry’s department number.
For example:
departmentNumber: 2604
This attribute is defined in RFC 2798.
Syntax
DirectoryString, multi-valued.
84Red Hat Directory Server Schema Reference • May 2005
OID
2.16.840.1.113730.3.1.2
description
Definition
Provides a human-readable description of the object. For
organization
For example:
description: Quality control inspector for the ME2873 product line.
This attribute is defined in RFC 2256.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.13
person
, this often includes their role or work assignment.
and
destinationIndicator
Definition
The country and city associated with the entry; needed to provide Public Telegram
Service. Generally used in conjunction with
For example:
destinationIndicator: Stow, Ohio, USA
This attribute is defined in RFC 2256.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.27
registeredAddress
Chapter 3Attribute Reference85
.
displayName
Definition
Preferred name of a person to be used when displaying entries. Especially useful
in displaying a preferred name for an entry within a one-line summary list. Since
other attribute types, such as cn, are multivalued, they can not be used to display
a preferred name.
For example:
displayName: Michigan Smith
This attribute is defined in RFC 2798.
Syntax
DirectoryString, single-valued.
OID
2.16.840.1.113730.3.1.241
dITRedirect
Definition
Used to indicate that the object described by one entry now has a newer entry in
the directory tree. This attribute may be used when an individual’s place of work
changes, and the individual acquires a new organizational DN.
For example:
ditRedirect: cn=jdoe, o=example.com
This attribute is defined in RFC 1274.
Syntax
DN
OID
0.9.2342.19200300.100.1.54
86Red Hat Directory Server Schema Reference • May 2005
dmdName
Definition
The value of this attribute specifies a directory management domain (DMD), the
administrative authority which operates the Directory Server.
This attribute is defined in RFC 2256.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.54
dn (distinguishedName)
Definition
Defines the distinguished name (DN) for the entry.
Specifies DNS resource records, including type A (Address), type MX (Mail
Exchange), type NS (Name Server), and type SOA (Start of Authority) resource
records.
For example:
Chapter 3Attribute Reference87
dNSRecord: IN NS ns.uu.net
This attribute is defined in Internet directory pilot.
Syntax
IA5String, multi-valued.
OID
0.9.2342.19200300.100.1.26
documentAuthor
Definition
Contains the distinguished name of the author of a document entry.
88Red Hat Directory Server Schema Reference • May 2005
OID
0.9.2342.19200300.100.1.11
documentLocation
Definition
Defines the location of the original copy of a document entry.
For example:
documentLocation: Department Library
This attribute is defined in RFC 1274.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.100.1.15
documentPublisher
Definition
The person and/or organization that published a document.
For example:
documentPublisher: Southeastern Publishing
This attribute is defined in RFC 1274.
Syntax
DirectoryString, single-valued.
OID
0.9.2342.19200300.100.1.56
Chapter 3Attribute Reference89
documentStore
Definition
Contains information on where the document is stored. This attribute is defined
in Internet White Pages Pilot.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.102.1.10
documentTitle
Definition
Contains the title of a document entry.
For example:
documentTitle: Red Hat Directory Server Administrator’s Guide
This attribute is defined in RFC 1274.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.100.1.12
documentVersion
Definition
Defines the version of a document entry.
For example:
documentVersion: 1.1
This attribute is defined in RFC 1274.
90Red Hat Directory Server Schema Reference • May 2005
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.100.1.13
drink (favoriteDrink)
Definition
Describes the favorite drink of a person entry.
For example:
drink: soda
or
favoriteDrink: soda
This attribute is defined in RFC 1274.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.100.1.5
dSAQuality
Definition
Specifies the purported quality of a DSA. This attribute allows a DSA manager to
indicate the expected level of availability of the DSA.
For example:
dSAQuality: high
This attribute is defined in RFC 1274.
Syntax
DirectoryString, single-valued.
Chapter 3Attribute Reference91
OID
0.9.2342.19200300.100.1.49
employeeNumber
Definition
Identifies the entry’s employee number.
For example:
employeeNumber: 3440
This attribute is defined in RFC 2798.
Syntax
DirectoryString, single-valued.
OID
2.16.840.1.113730.3.1.3
employeeType
Definition
Identifies the entry’s type of employment.
For example:
employeeType: Full time
This attribute is defined in RFC 2798.
Syntax
DirectoryString, multi-valued.
OID
2.16.840.1.113730.3.1.4
92Red Hat Directory Server Schema Reference • May 2005
enhancedSearchGuide
Definition
Used by X.500 clients when construcing search filters.
For example:
enhancedSearchGuide: (uid=mhughes)
This attribute is defined in RFC 2798.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.47
fax (facsimileTelephoneNumber)
Definition
Identifies the fax number at which the entry can be reached. Abbreviation:
fax
.
For example:
facsimileTelephoneNumber: +1 415 555 1212
or:
fax: +1 415 555 1212
This attribute is defined in RFC 2256.
Syntax
TelephoneNumber, multi-valued.
OID
2.5.4.23
Chapter 3Attribute Reference93
generationQualifier
Definition
Contains the generation qualifier part of the name, typically appearing in the
suffix.
For example:
generationQualifier:III
This attribute is defined in RFC 2256.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.44
givenName
Definition
Identifies the entry’s given name, usually a person’s first name.
For example:
givenName: Hecuba
This attribute is defined in RFC 2256.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.42
homePhone
Definition
Identifies the entry’s home phone number.
For example:
94Red Hat Directory Server Schema Reference • May 2005
homeTelephoneNumber: 415-555-1212
or
homePhone: 415-555-1234
This attribute is defined in RFC 1274.
Syntax
TelephoneNumber, multi-valued.
OID
0.9.2342.19200300.100.1.20
homePostalAddress
Definition
Identifies the entry’s home mailing address. This field is intended to include
multiple lines, but each line within the entry should be separated by a dollar sign
($). To represent an actual dollar sign ($) or backslash (\) within this text, use the
escaped hex values
The dollar ($) value can be found
in the c:\cost file.
provide the string:
The dollar (\24) value can be found$in the c:\5ccost file.
This attribute is defined in RFC 1274.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.100.1.39
Chapter 3Attribute Reference95
host
Definition
Defines the hostname of a computer.
For example:
host: mozilla
This attribute is defined in RFC 1274.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.100.1.9
houseIdentifier
Definition
Identifes a building in a location.
info
For example:
houseIdentifier: B105
This attribute is defined in RFC 2256.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.51
Definition
Specifies any general information pertinent to an object. It is recommended that
specific usage of this attribute type is avoided and that specific requirements are
met by other (possibly additional) attribute types.
96Red Hat Directory Server Schema Reference • May 2005
initials
For example:
info: not valid
This attribute is defined in RFC 1274.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.100.1.4
Definition
Identifies the entry’s initials. Does not identify the entry’s surname.
For example:
initials: BFA
This attribute is defined in RFC 2256.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.43
internationalISDNNumber
Definition
Contains the ISDN number of the entry. This is in the internationally agreed format
for ISDN addresses given in CCITT Rec. E. 164.
This attribute is defined in RFC 2256.
Syntax
IA5String, multi-valued.
Chapter 3Attribute Reference97
OID
2.5.4.25
janetMailbox
Definition
Specifies an email address. This attribute is intended for the convenience of U.K.
users unfamiliar with RFC 822 mail addresses. Entries using this attribute must
also include an
This attribute is defined in RFC 1274.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.100.1.46
rfc822Mailbox
attribute.
jpegPhoto
Definition
Contains a JPEG photo of the entry.
For example:
jpegPhoto:: AAAAAA==
This attribute is defined in RFC 2798.
Syntax
Binary, multi-valued.
OID
0.9.2342.19200300.100.1.60
98Red Hat Directory Server Schema Reference • May 2005
keyWords
Definition
Contains keywords for the entry.
For example:
keyWords: directory LDAP X.500
This attribute is defined in Internet White Pages Pilot.
Syntax
DirectoryString, multi-valued.
OID
0.9.2342.19200300.102.1.7
knowledgeInformation
Definition
This attribute is no longer used.
This attribute is defined in RFC 2256.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.2
l (localityName)
Definition
Identifies the county, city, or other geographical area in which the entry is located
or with which it is in some other way associated.
For example:
localityName: Santa Clara
or
Chapter 3Attribute Reference99
l: Santa Clara
This attribute is defined in RFC 2256.
Syntax
DirectoryString, multi-valued.
OID
2.5.4.7
labeledURI
Definition
Specifies a Uniform Resource Identifier (URI) that is relevant in some way to the
entry. Values placed in the attribute should consist of a URI (currently only URLs
are supported) optionally followed by one or more space characters and a label.
For example:
labeledURI: http://home.example.com
labeledURI: http://home.example.com Red Hat website
This attribute is defined in RFC 2079.
Syntax
IA5String, multi-valued.
OID
1.3.6.1.4.1.250.1.57
lastModifiedBy
Definition
Specifies the distinguished name of the last user to modify the associated entry.