Extended Attribute Flags#

eDirectory supports numerous Extended Flags that affect the type of data an attribute can contain and that control its synchronization schedule.

The LDAP server in NDS eDirectory can set and get information about the following eDirectory extended flags.

By default, when creating an attribute definition, none of these flags are set.

To obtain the information when reading the schema, you must send the flag with the request to read the attribute.

| Extended Flags | Description | NDAP Equivalent |
|---|---|---|
| X-NDS_PUBLIC_READ | When set, allows anyone to read the attribute's value even though such rights have not been granted or inherited. Using this flag makes access to the attribute extremely efficient because eDirectory performs no rights checking. When not set, users must have been granted rights or inherit rights to read the attribute's value. | DS_PUBLIC_READ flag set to True. |
| X-NDS_SERVER_READ | When set, allows the NCP Server object to read the attribute's value even though such rights have not been granted or inherited. When not set, the NCP Server object must be granted rights or inherit rights to read the attribute's value. | DS_SERVER_READ flag set to True. |
| X-NDS_NEVER_SYNC | When set, prevents changes to this attribute from synchronizing with other replicas. The information in the attribute is specific to the replica. When not set, changes to the attribute are synchronized to other replicas. | DS_PER_REPLICA flag set to True. |
| X-NDS_NOT_SCHED_SYNC_IMMEDIATE | When set, allows the attribute's value to change without scheduling synchronization, and synchronization will start within 30 minutes. When not set, causes any changes to the attribute to schedule immediate synchronization (within 10 seconds). | DS_SYNC_IMMEDIATE flag set to False. |
| X-NDS_SCHED_SYNC_NEVER | When set, allows the attribute's value to change without scheduling synchronization. The attribute can wait until the next scheduled synchronization cycle to propagate its changes. When not set, causes any changes to the attribute to schedule synchronization. Developers can only read this flag. | DS_SCHEDULE_SYNC_NEVER flag set to True. |
| X-NDS_LOWER_BOUND | When set, specifies the lower boundary for a string or integer syntax. When not set, the attribute has no lower boundary. | DS_SIZED_ATTR flag set to True. |
| X-NDS_NAME_VALUE_ACCESS | This flag only works on attributes which use a DN syntax and contain a list of entries, such as groupMembership. When set, requires users to have supervisor rights to the entry before they can add or delete the entry as a value for this attribute. When not set, requires the user to have read rights to read the values and write rights to modify the values. | DS_WRITE_MANAGED flag set to True. |
| X-NDS_NAME | When creating an attribute, specifies the legacy eDirectory attribute that automatically maps to this LDAP attribute. This is new in NDS eDirectory 8.5 and should be used to make attributes available to previous versions of the LDAP server in an eDirectory tree. When reading the attribute definition, returns the legacy eDirectory attribute name. | NA |
| X-NDS_ACL_TEMPLATES | Every object in the NDS tree has an ACL attribute. This attribute holds information about which trustees have access to the object itself (entry rights) and which trustees have access to the attributes for the object. This information is stored in sets containing the trustee name, the affected attribute (Entry Rights, All Attributes Rights, or a specific attribute), and the privileges. ACL templates help define ACLs for specific classes in the base schema and provide a minimum amount of access security for newly created objects. This flag was added in 8.7.0. | NA |
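The following added example (not part of the original page or of eDirectory itself) parses attributeTypes definition strings in the RFC 4512 format and reports attributes that carry the flags above which bypass rights checking or keep a value per-replica. The sample definitions, their OIDs and names are constructed, and the `'1'` value used to mark a set flag is an assumption about how the server renders it.

```python
import re

# Flags from this page that widen read access or keep a value per-replica.
REVIEW_FLAGS = {
    "X-NDS_PUBLIC_READ": "anyone can read; no rights check",
    "X-NDS_SERVER_READ": "NCP Server object can read without granted rights",
    "X-NDS_NEVER_SYNC": "value is per-replica and never synchronized",
}

# Constructed attributeTypes values; OIDs and names are placeholders.
# Assumption: a set flag is written as the extension  X-NDS_... '1'.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'exampleBadgeId' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-NDS_PUBLIC_READ '1' )",
    "( 1.3.6.1.4.1.99999.1.2 NAME ( 'exampleCache' 'exCache' ) "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-NDS_NEVER_SYNC '1' "
    "X-NDS_NAME 'Example Cache' )",
    "( 1.3.6.1.4.1.99999.1.3 NAME 'exampleNote' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1' )",
]

NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)')")
# RFC 4512 extension: X-<letters, hyphen, underscore> then 'value' or ( 'v1' 'v2' )
EXT_RE = re.compile(r"\b(X-[A-Za-z_-]+)\s+(?:'([^']*)'|\(([^)]*)\))")


def parse_attribute_type(definition):
    """Return (first NAME, {extension: [values]}) for one definition string."""
    m = NAME_RE.search(definition)
    name = (m.group(1) or m.group(2)) if m else None
    extensions = {}
    for key, single, multi in EXT_RE.findall(definition):
        extensions[key] = re.findall(r"'([^']*)'", multi) if multi else [single]
    return name, extensions


def audit(definitions):
    """List (attribute, flag, meaning) for every review flag that is set."""
    findings = []
    for definition in definitions:
        name, extensions = parse_attribute_type(definition)
        for flag, meaning in REVIEW_FLAGS.items():
            if extensions.get(flag) == ["1"]:
                findings.append((name, flag, meaning))
    return findings


if __name__ == "__main__":
    for name, flag, meaning in audit(SAMPLE_SCHEMA):
        print(f"{name}: {flag} ({meaning})")
```
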

Standard LDAP attribute flags can also be used. #

The following table lists the LDAP name and the corresponding NDAP name.
| Standard LDAP Flags | NDAP Equivalent |
|---|---|
| SINGLE-VALUE | DS_SINGLE_VALUED_ATTR set to True |
| COLLECTIVE | Not supported |
| NO-USER-MODIFICATION | DS_READ_ONLY_ATTR set to True |
| USAGE userApplications | None required. This sets the attribute as a normal attribute. The other USAGE flags can only be set by eDirectory. |
| USAGE directoryOperation | DS_OPERATIONAL (set by eDirectory) |
| USAGE distributedOperation | DS_OPERATIONAL (set by eDirectory) |
| USAGE dSAOperation | DS_OPERATIONAL (set by eDirectory) |

Object Class Flags#

eDirectory uses a set of flags to define allowable class operations. When adding a new object class definition to the schema, you can set the following flags. When reading definitions, you send the flags to obtain the information.

| Extended Flags (ObjectClasses) | Description | NDAP Equivalent |
|---|---|---|
| X-NDS_NOT_CONTAINER | When set, indicates that this object class cannot contain other entries and is thus a leaf entry. When not set, indicates that this object class can contain other entries and is thus a container class. | DS_CONTAINER_CLASS flag set to False. |
| X-NDS_CONTAINMENT | When included, this flag is followed by a list of object classes that can be the parent container of the object class that is being defined. When not included, the object class that is being defined is automatically assigned containment classes of country, organization, organizationalUnit, locality, and domain. | DS_AMBIGUOUS_CONTAINMENT flag set to False. |
| X-NDS_NAMING | When included, this flag is followed by the list of attributes that can be used to name entries based on this object class definition. When not included, the naming attributes for the object class are all of the MAY and MUST attributes that use a string-type syntax. | DS_AMBIGUOUS_NAMING flag set to False. |
| X-NDS_NONREMOVABLE | When set, indicates that the class cannot be removed even if no entries are using the definition. This flag is placed on all classes in the eDirectory operational schema. NDS 8 and higher allow application developers to set this flag. When not set, indicates that the class can be removed from the schema if no entries are using the definition. | DS_NONREMOVABLE_CLASS flag set to True. |
| X-NDS_NAME | When defining an object class, specifies the legacy eDirectory object class that automatically maps to this LDAP class. This is new in NDS eDirectory 8.5 and should be used to make classes available to previous versions of the LDAP server in an eDirectory tree. When reading object class definitions, returns the legacy eDirectory name for this object class. | NA |

Standard LDAP ObjectClass Flags#

The standard LDAP class flags can also be used.
| Standard LDAP Flags | NDAP Equivalent |
|---|---|
| ABSTRACT | DS_EFFECTIVE_CLASS set to False |
| STRUCTURAL | DS_EFFECTIVE_CLASS set to True |
| AUXILIARY | DS_AUXILIARY_CLASS set to True |

« This page (revision-38) was last changed on 05-Oct-2014 09:45 by jim