1.11 Attribute Type Definitions

All attributes found in an NDS tree consist of an attribute type and an attribute value, which can be multi-valued. The attribute type identifies the nature of information the attribute stores, and the value is the stored information.

The attribute type definition

These constraints are also known as attribute flags. Attributes are assigned to objects according to the object’s class definition.

An example of an attribute type is CN (Common Name), which uses the Case Ignore String syntax. The CN (Common Name) attribute constrains this syntax to a range of 1 to 64 elements.

Attribute types can be added to the NDS schema. However, once an attribute type has been created, it can’t be modified.

Attribute types can be removed from the NDS schema, but only if the attribute is not part of the base schema and only if the attribute type isn’t assigned to a class. All attribute types in the base schema are always flagged nonremovable.

1.11.1 Attribute Syntaxes

The attribute syntax controls the type of information that can be stored in the value of an attribute. For example, the syntax determines whether the attribute stores integer, string, or stream data. The attribute’s syntax must be selected from the set of predefined attribute syntaxes. The syntax also controls the type of compare operations that can be performed on the value. See Section 1.12, Attribute Syntax Definitions for more information.

1.11.2 Attribute Constraints

The attribute constraints restrict the information that can be stored in the data type and constrain the operations of NDS and NDS clients. The constraints specify whether the attribute

  • Allows only a single value or multiple values

  • Has a range or size limit to the value

  • Is synchronized immediately, at the next scheduled interval, or never

  • Is hidden or viewable

  • Is writable or read-only

The attribute constraints are flags, which are either TRUE or FALSE, and they can only be set when the attribute definition is created. Since there are more than a dozen, they have been functionally grouped.

Reading the Attribute. These flags determine who can read the attribute's information.

| Name | Description |
|---|---|
| Hidden Attribute | In NDS version 6.xx and below, marks the attribute as usable only by the NDS server. In NDS version 7.xx and above, marks the attribute as usable by NDS and the applications running on the NDS server. If FALSE, clients can see the attribute. |
| Public Read | Indicates that anyone can read the attribute without read privileges being assigned. You cannot use inheritance masks to prevent an object from reading attributes with this constraint. If FALSE, NDS rights determine who can read the value of the attribute. If TRUE, NDS skips all rights checking, making access to the data extremely efficient. |
| Server Read | Indicates that Server class objects can read the attribute even though the privilege to read has not been inherited or explicitly granted. You cannot use inheritance masks to restrict servers from reading attributes with this constraint. The client cannot set or modify this constraint flag and thus cannot modify the attribute. |

Modifying the Attribute. The following flags regulate who can modify the attribute's value.

| Name | Description |
|---|---|
| Read Only Attribute | Prevents clients from remotely modifying the attribute. The NDS server and applications running on it create and maintain these attributes. Clients can read the attribute's value. If FALSE, clients can remotely modify the attribute. |
| Write Managed | Requires users to have supervisor rights to the object before they can add or delete the object as a value for this attribute. This flag only works on attributes which have a DN in the syntax. It is used on attributes such as Security Equals, Group Membership, and Profile Membership. |

Synchronizing the Attribute. The following flags regulate how changes to the attribute's value affect NDS synchronization.

| Name | Description |
|---|---|
| Per Replica | Marks the attribute so that the information in the attribute is not synchronized with other replicas. Modifications to the attribute never schedule synchronization and are never synchronized to other replicas. |
| Schedule Sync Never | Allows the attribute’s value to change without scheduling synchronization. Synchronization occurs at the next regularly scheduled synchronization cycle or when another event triggers synchronization. Set this flag to TRUE if the change in the attribute's value can wait ten to thirty minutes to be propagated. |
| Sync Immediate | Schedules synchronization within 10 seconds when the value of the attribute changes. Set this flag to TRUE if the change in the attribute's value needs to be immediately propagated or changed throughout the NDS tree. If FALSE, the attribute is synchronized at the next synchronization interval. |

If all of these synchronizing flags are false, NDS synchronizes the data at the slow synchronization level set on the server that contains the replica holding the change.

Constraining the Attribute Values. The following flags regulate the type of data that the attribute can store.

| Name | Description |
|---|---|
| Single Valued Attribute | Indicates that the attribute has a single value, with no order implied. If FALSE, the attribute is multi-valued. |
| Sized Attribute | Indicates that the attribute has an upper and lower boundary. The first number indicates the lower boundary and the second, the upper boundary. This flag should be set only on attributes with integer and string syntaxes. If FALSE, the attribute has no length or range limits. |
| String Attribute | Labels the attribute as a string type. NDS sets this constraint on all attributes that use a string for their syntax. Naming attributes must have this constraint. If FALSE, the attribute isn't a string and cannot be used as a naming attribute. |

Removing an Attribute. These flags control whether the attributes are removable from the schema.

| Name | Description |
|---|---|
| Nonremovable Attribute | Prevents the attribute from being removed from the schema. In NDS version 6.xx and below, clients cannot set this constraint flag. In NDS version 7.xxx and above, clients can set this flag when the attribute is created. All base attribute definitions have the nonremovable flag set to TRUE. If FALSE, the attribute can be removed if it hasn’t been assigned to a class. |
| Operational | Indicates that NDS uses the attribute internally and requires the attribute to function correctly. Also used for LDAP compatibility. |
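The flag rules in this section can be checked mechanically when reviewing a schema extension. The following is an added example, not Novell code: it reviews attribute definitions for flags that bypass rights checking or have no effect. The AttrDef record, its syntax_kind and naming fields, the finding codes, the precedence between synchronization flags, and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AttrDef:
    name: str
    syntax_kind: str           # hypothetical field: "string", "integer", "dn" or "stream"
    flags: frozenset           # flag names spelled as in the constraint tables
    naming: bool = False       # hypothetical field: a class names its objects by this attribute

def sync_mode(a):
    """Synchronization behaviour; the precedence between flags is an assumption."""
    if "Per Replica" in a.flags:
        return "never"
    if "Sync Immediate" in a.flags:
        return "within 10 seconds"
    if "Schedule Sync Never" in a.flags:
        return "next regular cycle"
    return "slow sync level"

def review(a):
    """Return finding codes for one attribute definition."""
    out = []
    if "Public Read" in a.flags:           # rights checks are skipped, masks cannot hide it
        out.append("PUBLIC_READ")
    if "Write Managed" in a.flags and a.syntax_kind != "dn":
        out.append("WRITE_MANAGED_NO_DN")  # flag only works when the syntax holds a DN
    if a.syntax_kind == "dn" and not a.flags & {"Write Managed", "Read Only Attribute"}:
        out.append("DN_NOT_WRITE_MANAGED") # heuristic: DN value with no supervisor check
    if "Sized Attribute" in a.flags and a.syntax_kind not in ("string", "integer"):
        out.append("SIZED_WRONG_SYNTAX")   # sized is meant for integer and string syntaxes
    if a.naming and "String Attribute" not in a.flags:
        out.append("NAMING_NOT_STRING")    # naming attributes must be strings
    return out

def audit(defs):
    """Map each attribute name to (synchronization behaviour, findings)."""
    return {a.name: (sync_mode(a), review(a)) for a in defs}

# Constructed sample definitions (the last three attribute names are made up).
SAMPLE = [
    AttrDef("CN", "string", frozenset({"String Attribute", "Sized Attribute"}), naming=True),
    AttrDef("Security Equals", "dn", frozenset({"Write Managed"})),
    AttrDef("Badge Sponsor", "dn", frozenset()),
    AttrDef("Door PIN", "integer", frozenset({"Public Read", "Write Managed", "Per Replica"})),
    AttrDef("Badge Photo", "stream", frozenset({"Sized Attribute", "Sync Immediate"})),
]

if __name__ == "__main__":
    for name, (sync, findings) in audit(SAMPLE).items():
        print(f"{name:16} sync={sync:18} {', '.join(findings) or 'ok'}")
```

Because constraint flags can only be set when the attribute definition is created, a review like this belongs before a schema extension is applied.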

1.11.3 Attributes and Classes

When an attribute is first defined, it is not associated with any object class. You must create an association with an object class before the attribute can be useful.

In other words, you could create a set of attributes such as Given Name, Initials, Surname, Telephone Number, and EMail Address. By themselves, they aren’t particularly useful. Then you define an object class such as Person, and have it include these attributes. The attributes now take on a meaning and give dimension to the object class.

1.11.4 Attribute Type Abbreviations

For convenience, NDS uses abbreviations for the name types that are used most often. The following table shows the accepted abbreviations for these attributes.

| Attribute Type | Abbreviation |
|---|---|
| Country Name | C |
| Organization Name | O |
| Organizational Unit Name | OU |
| State or Province Name | S |
| Locality Name | L |
| Common Name | CN |
| Street Address | SA |

1.11.5 Reading NDS Attribute Type Definitions

The Base Attribute Definitions section lists the names of each attribute type in alphabetical order. The name of the attribute is followed by a brief description of the attribute’s purpose. Valid abbreviations for the attribute appear in parentheses next to the attribute name. Additionally, you will find the following information:

  • Syntax: The name of the syntax for this attribute type. See Attribute Syntax Definitions for the syntax specification.

  • Constraints: Any constraints that apply to this attribute type.

  • Used In: The object class definitions which require or allow an attribute of this type when creating that class of object.

  • Remarks: These remarks can include further restrictions, how to use the attribute, references to related documents, etc.

Attributes are assigned to objects according to the object’s class definition. For more information about the specific attributes an object class uses, see Novell Object Class Extensions.