What does SSPR add to the schema?

  • 7015681
  • 19-Sep-2014
  • 26-Apr-2018

Environment

Self Service Password Reset
SSPR 3.x
SSPR 4.x

Situation

What attributes does SSPR add to the directory schema?
What changes are made to the schema by executing SSPR ldif files?
What schema extensions are added when ssprADSschema.exe is run?

Resolution

SSPR adds the following to the directory schema:

Object Class:
  pwmUser - defines the user as an SSPR user

Attributes:
  pwmEventLog - allows logging events for the user
  pwmResponseSet - answers to challenge response questions
  pwmLastPwdUpdate - date of the last password update made through SSPR

Depending on the LDAP directory the following attributes may also be added:
  pwmGUID - unique identifier assigned to the SSPR user
  pwmToken - used with one time password configuration
  pwmOtpSecret - used with one time password configuration

Additional Information

Note that it is not necessary to extend the schema to use SSPR with Active Directory. There are three options for installing SSPR on Active Directory - database mode, schema mode, and RDBMS mode. Only schema mode requires the AD schema to be extended.

For more detail see "Setting up Your Environment" in the online documentation at https://www.netiq.com/documentation/sspr3/adminguide/data/b14gnfe6.html

The LDIF files that ship with SSPR also show the schema extensions to be made. Select the file for the appropriate directory. These LDIF files are found in the ...\supplemental\ldif directory. Note that, unlike eDirectory or other directories, AD schema extensions are not made with an LDIF, but by running ssprADSschema.exe from the directory ...\supplemental\Schema\AD.
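An added verification check, not from this article or the SSPR product: after the LDIF or ssprADSschema.exe has been applied, read the attributeTypes and objectClasses values of the directory's subschema entry and confirm that the object class and attributes listed above are actually defined. The sample subschema values below are constructed, and their OIDs are placeholders rather than SSPR's real ones.

```python
import re

# What the article says SSPR adds: one object class, three attributes for every
# directory, and three that depend on the LDAP directory in use.
SSPR_OBJECT_CLASSES = {"pwmUser"}
SSPR_REQUIRED_ATTRIBUTES = {"pwmEventLog", "pwmResponseSet", "pwmLastPwdUpdate"}
SSPR_OPTIONAL_ATTRIBUTES = {"pwmGUID", "pwmToken", "pwmOtpSecret"}

# NAME clause of an RFC 4512 schema definition: NAME 'x'  or  NAME ( 'x' 'y' )
_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

def definition_names(definition):
    """Return the lowercased short names declared by one schema definition."""
    m = _NAME_RE.search(definition)
    if not m:
        return set()
    if m.group(1):
        return {m.group(1).lower()}
    return {n.lower() for n in re.findall(r"'([^']+)'", m.group(2))}

def check_sspr_schema(attribute_types, object_classes):
    """Compare a subschema entry's attributeTypes/objectClasses values with the
    SSPR extension; names are compared case-insensitively, as LDAP does."""
    present_attrs = set().union(*(definition_names(d) for d in attribute_types))
    present_classes = set().union(*(definition_names(d) for d in object_classes))
    return {
        "missing_object_classes": sorted(c for c in SSPR_OBJECT_CLASSES if c.lower() not in present_classes),
        "missing_required": sorted(a for a in SSPR_REQUIRED_ATTRIBUTES if a.lower() not in present_attrs),
        "missing_optional": sorted(a for a in SSPR_OPTIONAL_ATTRIBUTES if a.lower() not in present_attrs),
    }

def schema_extended(attribute_types, object_classes):
    """True once pwmUser and the three mandatory attributes are all defined."""
    report = check_sspr_schema(attribute_types, object_classes)
    return not report["missing_object_classes"] and not report["missing_required"]

# Constructed sample of subschemaSubentry values after an extension. The OIDs are
# placeholders, not SSPR's real ones; the real definitions are in the shipped LDIF files.
SAMPLE_ATTRIBUTE_TYPES = [
    "( 1.3.6.1.4.1.0.1 NAME 'pwmEventLog' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 1.3.6.1.4.1.0.2 NAME 'pwmResponseSet' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 1.3.6.1.4.1.0.3 NAME 'pwmLastPwdUpdate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )",
    "( 1.3.6.1.4.1.0.4 NAME 'pwmGUID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
]
SAMPLE_OBJECT_CLASSES = [
    "( 1.3.6.1.4.1.0.10 NAME 'pwmUser' AUXILIARY MAY ( pwmEventLog $ pwmResponseSet $ pwmLastPwdUpdate ) )",
]
```

Against a live directory, pass the attributeTypes and objectClasses values returned by reading the entry named in the root DSE's subschemaSubentry attribute; on the sample above the report lists pwmOtpSecret and pwmToken as the only missing (optional) definitions.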