Appendix C eDirectory Classes, Objects, and Attributes

The schema defines what attributes an NDS object class (such as Users, Printers, or Groups) can have. For example, a User object can have login restriction properties associated with it, and a Print Queue object can have attributes identifying the NetWare server where the queue directory is located. The schema also defines which information (attribute) is required or optional at the time that an NDS object is created. Every NDS object has a schema class that has been defined for that type of object.

The schema that originally shipped with NetWare is called the base schema. After the base schema has been modified in any way—such as adding a new class or a new attribute—the addition is considered the extended schema. eDirectory 8.7.3 ships with 100 class and 572 attribute definitions—not counting any classes or attributes added by NetWare.

TIP

The tables presented in this appendix were generated using output from two utilities, ReadClass32.EXE and ReadAttr32.EXE. They can be found in ftp://ftp.dreamlan.com/Freeware/schema.zip.

NOTE

If you are interested in finding out more about a specific class or attribute definition, click the NDS Schema Reference link at http://developer.novell.com/ndk/doc/ndslib/index.html.

Class Definitions

Out of the 100 classes defined for eDirectory 8.7.3, there are 72 effective classes that you can use to create NDS objects; Top is an effective class, but you cannot create any objects by using this class. Table C.1 lists all 100 object class definitions shipped with eDirectory 8.7.3. The table shows the following information:

•   Class name—The name of the class.

•   Class flags—In addition to basic information such as mandatory and optional attributes and containment, class flags are used to further define a class object. The following are some examples:

| Flag | Description |
|---|---|
| DS_CONTAINER_CLASS | This flag indicates that objects of the class can have subordinates. |
| DS_EFFECTIVE_CLASS | This flag indicates an effective class. |
| DS_AUXILIARY_CLASS | This flag indicates an auxiliary class (NDS 8 and higher). |
| DS_NONREMOVABLE_CLASS | This flag indicates that the class cannot be removed from the schema. |
| DS_OPERATIONAL_CLASS | This flag is for internal use by NDS 8 and higher to indicate whether this class must be present for NDS to function correctly; it also provides compatibility with LDAP. |
| DS_AMBIGUOUS_NAMING | This flag indicates that the class cannot be used as a base class. It is set by eDirectory. |
| DS_AMBIGUOUS_CONTAINMENT | This flag indicates that the class cannot be used as a base class. It is set by eDirectory. |

•   Superclass—The immediate class from which the current object class inherits.

•   Containment—The object classes under which the current object class can be created, as defined for the current class.

•   Named by—The naming attribute(s) for the class.

•   Mandatory attributes—Mandatory attributes defined for the current class.

•   Optional attributes—Optional attributes defined for the current class.

Using Table C.1, you can easily determine all the properties of a given class, such as a list of all its optional attributes. The following uses the Directory Map class as an example:

[Figure: Directory Map class example (image not included)]

By combining the preceding information, taking into account all the attributes inherited from superclasses, the Directory Map class has the following properties:

•   Containment—Domain, Organization, Organizational Unit

•   Class flags—Effective (DS_EFFECTIVE_CLASS), nonremovable (DS_NONREMOVABLE_CLASS)

•   Named by (or naming attribute)—CN

•   Mandatory attributes—CN, Host Server, Object Class

•   Optional attributes—ACL, Audit:File Link, Authority Revocation, auxClassCompatibility, Back Link, Bindery Property, CA Public Key, CA Private Key, Certificate Revocation, Certificate Validity Interval, creatorsName, Cross Certificate Pair, DirXML-Associations, Equivalent To Me, GUID, Host Resource Name, L, Last Referenced Time, masvAuthorizedRange, masvDefaultRange, masvProposedLabel, modifiersName, O, Obituary, objectVersion, Other GUID, OU, Path, rbsAssignedRoles, rbsAssignedRoles2, rbsOwnedCollections, rbsOwnedCollections2, Reference, Revision, See Also, Unknown Auxiliary Class, Unknown Base Class, Used By, Uses
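The combination step described above can be written as a short routine. This is an added example, not output from ReadClass32.EXE or code from the book. The class definitions are a constructed, abbreviated subset, and both the superclass chain Directory Map, Resource, Top and the rule that containment and naming come from the nearest class that defines them are assumptions.

```python
# Constructed, abbreviated subset of class definitions (not the full Table C.1).
# Assumption: Directory Map -> Resource -> Top is the superclass chain.
SCHEMA = {
    "Top": {"super": None, "containment": [], "named_by": [],
            "mandatory": ["Object Class"],
            "optional": ["ACL", "Back Link", "GUID", "Obituary", "Reference"]},
    "Resource": {"super": "Top",
                 "containment": ["Domain", "Organization", "Organizational Unit"],
                 "named_by": ["CN"], "mandatory": ["CN"],
                 "optional": ["Host Resource Name", "L", "O", "OU", "See Also", "Uses"]},
    "Directory Map": {"super": "Resource", "containment": [], "named_by": [],
                      "mandatory": ["Host Server"], "optional": ["Path"]},
}


def superclass_chain(schema, name):
    """Return [name, parent, ..., root], rejecting unknown classes and loops."""
    chain = []
    while name is not None:
        if name not in schema:
            raise KeyError(f"class {name!r} is not defined in the schema")
        if name in chain:
            raise ValueError(f"superclass loop at {name!r}")
        chain.append(name)
        name = schema[name]["super"]
    return chain


def effective_definition(schema, name):
    """Combine a class with everything it inherits from its superclasses."""
    chain = superclass_chain(schema, name)
    mandatory, optional = set(), set()
    for cls in chain:
        mandatory.update(schema[cls]["mandatory"])
        optional.update(schema[cls]["optional"])

    # Assumption: containment and naming come from the nearest class that defines them.
    def nearest(key):
        return next((schema[c][key] for c in chain if schema[c][key]), [])

    return {
        "superclasses": chain[1:],
        "containment": nearest("containment"),
        "named_by": nearest("named_by"),
        "mandatory": sorted(mandatory),
        # An attribute that is mandatory anywhere in the chain is not optional.
        "optional": sorted(optional - mandatory),
    }
```

Calling `effective_definition(SCHEMA, "Directory Map")` reproduces the containment, naming, and mandatory attributes listed above; the optional list is shorter only because the sample data is abbreviated.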

NOTE

Because every object class inherits from Top (directly or indirectly), the mandatory attribute Object Class (which indicates that the current definition is for an object class) exists for all class definitions within an NDS tree. In many cases, its presence is implied, and it is not explicitly mentioned in documentation or displayed by utilities.

TABLE C.1 eDirectory 8.7.3 Object Class Definitions


Base Attributes

Table C.2 lists all 572 attributes defined for eDirectory 8.7.3. For each attribute, the table lists the range of its value and any special definition flags used when the attribute is defined (such as whether the attribute is single-valued or nonremovable). The following definition flags are used by NDS/eDirectory:

•   Single Valued (DS_SINGLE_VALUED_ATTR)—The attribute is single valued. By default, if this flag is not specified, an attribute may contain multiple values.

•   Sized Attribute (DS_SIZED_ATTR)—The attribute has length or range limits. For example, the Postal Code attribute is limited to 0x28 or 40 bytes in size.

•   Nonremovable (DS_NONREMOVABLE_ATTR)—The attribute cannot be deleted. By default, an attribute definition may be removed from the schema.

•   Read-Only Attribute (DS_READ_ONLY_ATTR)—Clients cannot write to the attribute but can read its value.

•   Hidden Attribute (DS_HIDDEN_ATTR)—Clients can neither read from nor write to the attribute.

•   String Attribute (DS_STRING_ATTR)—Attribute syntax is string. An attribute that does not have this flag set cannot be used as a naming attribute.

•   Sync Immediate (DS_SYNC_IMMEDIATE_ATTR)—The attribute value is scheduled for immediate synchronization. This is required on some attributes, such as the Password Required attribute of a User object, to maintain either proper data integrity or security.

•   Public Read (DS_PUBLIC_READ_ATTR)—Anyone can read this attribute without needing Read privileges to be assigned. You cannot use an Inheritance Rights Filter (IRF) to block access to an attribute flagged as Public Read.

•   Server Read (DS_SERVER_READ_ATTR)—Server class objects can read the attribute without an inherited or explicit Read right for this attribute.

•   Write Managed (DS_WRITE_MANAGED)—This flag forces the user to have Supervisor rights to the attribute before it can be modified. This flag can only be used on attributes that use SYN_DIST_NAME syntax. Group Membership is one such example.

•   Per Replica (DS_PER_REPLICA)—The information of the attribute is not synchronized with other servers in the replica ring. This flag is mostly used by DirXML-related attributes.

•   Sync Never (DS_SCHEDULE_SYNC_NEVER)—The name of this flag is a little misleading. This flag indicates that changes to the attribute's value do not trigger synchronization (immediately). The attribute can wait to propagate the change until the next regularly scheduled synchronization cycle or some other event triggers synchronization.

•   Operational (DS_OPERATIONAL)—This flag is used internally by NDS to indicate that the attribute definition must be present for NDS to function correctly. It was introduced in NDS 8 to provide compatibility with LDAP.

TABLE C.2 eDirectory 8.7.3 Attribute Definitions
