This document will be an attempt at enumerating relevant attributes in AD's LDAP schema for User objects.
The attributes listed here are (for the most part) things that need to be set by account creation and migration tools. Other attributes are set by the AD & Exchange server systems.
Information that will be listed (if applicable and known) includes:
The attributes for the objectClasses eduPerson and saintmarysEduPerson are listed after the main group of attributes.
Account-Expires
"The date when the account expires. This value represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires." - link
"Interval", single-valued
9223372036854775807
smcEduAcctTargetDeleteDate
Could be used to control automatic deletion of accounts, especially for students.
Admin-Description
"The description displayed on admin screens." - link
Kathy Hausmann, Coord. of Student Computing
description, GECOS
GECOS
Could be based on description, gecos, title and/or any of a number of attributes.
Admin-Display-Name
"The name to be displayed on admin screens." - link
Kathy Hausmann
displayName
SPBPERS_PREF_FIRST_NAME from SPBPERS concatenated with LAST_NAME from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
This is identical to displayName.
Country-Name
"The country/region in the address of the user. The country/region is represented as the 2-character country code based on ISO-3166." - link
US
none or c
NATN_CODE1 from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
We can conjecture country by an account's use (most are ostensibly on-campus and can be marked "US", but there may be some that are used by international programmes that can be set to the code of the country in which they are primarily used).
Common-Name
"The name that represents an object. Used to perform searches." - link
khausman
uid
Active Directory has hijacked this attribute, and it is being used for purposes other than what I understand to be standard usage. The cn is part of an entity's Distinguished Name in AD, so it must be unique (in a domain? in a forest?). Examples I have seen set cn to be the user's username (what we've been using uid for).
co
"This attribute specifies the country/region in which the user is located." - link
United States
none or c
NATN_CODE1 from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
I don't know where the mapping between this and c comes from. I don't know if it's worth it to populate this.
User-Comment
Unicode string, single-valued
Separate and distinct from the info LDAP attribute.
This attribute appears to be intended to be set by the user; our software should perhaps not touch it.
Company
"The user's company name." - link
Unicode string, single-valued
Saint Mary's College
ou
It looks like this has the same apparent purpose as o. I suggest we populate both.
We haven't used this in the past, but maybe it would be useful with accounts for vendors or associated organizations like ECDC, Sodexho.
Country-Code
"Specifies the country/region code for the user's language of choice. This value is not used by Windows 2000." - link
Enumeration, single-valued
840
I don't know how or from where this is mapped. Either set them all to 840 (which appears to be US/English) or leave it alone.
?
"Amount of data, in kilobyte (KB), that you are allowed to receive." - link
integer?, single-valued
22000
Corresponds to the Receiving Maximum message size in Message Size Restrictions in Mail Flow Settings tab of a user's properties in MS Exchange
This is only needed for users with Exchange mailboxes. We can set this individually (perhaps based on a COS-type rule based on roles as defined in eduPersonPrimaryAffiliation) or use system defaults.
I believe zimbra uses postfix's message_size_limit (104857600).
This may ultimately be better set using a Microsoft API-compliant utility rather than via LDAP.
Department
"Contains the name for the department in which the user works." - link
Unicode string, single-valued
Dept of Information Tech
ou
DEPT_DESC1, DEPT_DESC2 from AS_STUDENT_DATA
ORGN_CODE_HOME_DESC from AP_EMPLOYEE_PROFILE
Since we are using ou containers, it would probably be better to put this information in department. Note that we also have been putting a student's graduating class year in ou. Should we put this here? department is probably more appropriate for a student's academic department (based on major).
Description
"Identifies a department within an organization." - link
ENGL
605200
DEPT_CODE1, DEPT_CODE2 from AS_STUDENT_DATA
ORGN_CODE_HOME from AP_EMPLOYEE_PROFILE
We have not been populating this attribute in LDAP, but we can. Modify Banner-to-LDAP sync before migration?
Funny how this is multi-valued while department is single-valued.
description
"Contains the description to display for an object. This value is treated as single-valued by the system." - link
Unicode string (apparently single-valued on AD)
New Student 200710
Acct info mailed by Admissions July 2006
Migrated to Zimbra: Tue Jan 30 21:48:49 2007
description
GECOS
"This value is treated as single-valued by the system" presents a problem. I have been happily using description as a store of multiple pieces of information, as shown in the examples above. Tests reveal that AD does indeed prohibit multiple values of description. Another attribute must be found for this information.
Display-Name
"The display name for an object. This is usually the combination of the users first name, middle initial, and last name." - link
Unicode string, single-valued
Kathy Hausmann
displayName
SPBPERS_PREF_FIRST_NAME from SPBPERS concatenated with LAST_NAME from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
Leading and trailing spaces must be removed or else Exchange will complain.
Migration software has been coded to not assign a value if source data is only a space or spaces (which also causes Exchange to complain).
Display-Name-Printable
"The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name." - link
IA5 string, single-valued
Kathy Hausmann
Gwen OBrien
displayName
SPBPERS_PREF_FIRST_NAME from SPBPERS concatenated with LAST_NAME from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
This is almost identical to displayName. I don't know why its syntax is IA5 string.
Based on an error I observed in the Exchange Management Shell, the only acceptable characters are evidently:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"()+,\-\.\/:?<space>.
Conspicuously absent is the apostrophe, which one might regard as one of the most common special characters to appear in names.
The following error was observed in Exchange Management Shell:
WARNING: Object d.saintmarys.edu/People/Term/eoneill has been corrupted and it
is in an inconsistent state. The following validation errors have occurred:
WARNING: Erin O'Neill is not a valid value for SimpleDisplayName. The value may
only contain 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C',
'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R',
'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', '"', '(', ')', '+', ',', '-', '.', '/', ':', '?', ' '.
Note that SimpleDisplayName is actually the displayNamePrintable LDAP attribute.
This is supposedly an attribute for "legacy" mailing systems, and may not even be needed in our environment. But it is visible in the Exchange Management Console as "Simple Display Name".
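As an added example (not part of these notes and not code from the migration tools), the Python below applies the displayName rules given above (trim surrounding spaces; assign nothing when only spaces remain) and derives a displayNamePrintable value that would pass the SimpleDisplayName check: accented letters are folded to their base letter first, then anything outside the accepted character set is dropped, which is what turns O'Brien into OBrien as in the second sample value. The function names and the sample names are constructed for the example.

```python
import re
import unicodedata

# Characters Exchange accepts for displayNamePrintable (SimpleDisplayName),
# copied from the validation warning quoted above: letters, digits, "()+,-./:? and space.
PRINTABLE_ALLOWED = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    '"()+,-./:? '
)


def clean_display_name(raw):
    """Apply the displayName rule: strip leading/trailing spaces and return None
    (meaning: do not assign the attribute) when the source is empty or only spaces."""
    if raw is None:
        return None
    value = raw.strip()
    return value or None


def printable_display_name(raw):
    """Derive displayNamePrintable from a display name.

    1. Trim exactly as for displayName.
    2. Fold accented letters to their base letter (NFKD, then drop combining marks),
       so "José" becomes "Jose" rather than "Jos".
    3. Drop every remaining character outside PRINTABLE_ALLOWED (the apostrophe
       is the common casualty: O'Neill becomes ONeill).
    4. Collapse runs of spaces left behind by step 3.
    """
    value = clean_display_name(raw)
    if value is None:
        return None
    folded = "".join(
        ch for ch in unicodedata.normalize("NFKD", value)
        if not unicodedata.combining(ch)
    )
    kept = "".join(ch for ch in folded if ch in PRINTABLE_ALLOWED)
    kept = re.sub(r" {2,}", " ", kept).strip()
    return kept or None


def is_valid_printable(value):
    """True when Exchange would accept the value for SimpleDisplayName."""
    return bool(value) and all(ch in PRINTABLE_ALLOWED for ch in value)


# Constructed sample input (not real directory data) for a quick self-check.
SAMPLE_NAMES = [" Kathy Hausmann ", "Erin O'Neill", "José Núñez", "   "]


def check_samples():
    """Return (displayName, displayNamePrintable, accepted?) for each sample name."""
    return [
        (clean_display_name(n), printable_display_name(n),
         is_valid_printable(printable_display_name(n) or ""))
        for n in SAMPLE_NAMES
    ]
```

Run check_samples() to see the three values side by side; the last sample shows the "only spaces" case yielding no attribute at all, which is the behaviour the migration software was coded for.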
Employee-ID
"The ID of an employee." - link
Unicode string, single-valued
980004869
smcEduID
ID from AS_STUDENT_DATA
ID_NUMBER from AP_EMPLOYEE_PROFILE
This is identical to smcEduID. Although not all students are actually employees, we can store their ID numbers here anyway.
Employee-Number
"The number assigned to an employee other than the ID." - link
Unicode string, single-valued
151109
smcEduPIDM
PIDM_KEY from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
This is identical to smcEduPIDM. Although not all students are actually employees, we can store their PIDMs here anyway.
Employee-Type
"The job category for an employee." - link
Unicode string, single-valued
Administrator
Faculty
Staff
Student
Retired
Alumna
Vendor??
eduPersonPrimaryAffiliation
gidNumber (125 = student)
GID of 125 is a Student
ECLS_LONG_DESC from AP_EMPLOYEE_PROFILE for non-students
This is similar to eduPersonPrimaryAffiliation. I guess this should only be assigned for accounts that pertain to actual people.
Facsimile-Telephone-Number
"Contains telephone number of the user's business fax machine." - link
+1 574 284 4716
facsimileTelephoneNumber
In the past we've made this attribute "+1 574 284 4716" for every entry.
It has been recommended to me that we simply omit this attribute, though it may be possible to derive this from data entered in Prism, if it is configured for it.
Garbage-Coll-Period
"Amount of data, in kilobyte (KB), that you are allowed to receive." - link
integer, single-valued
1123200
Corresponds to Keep Deleted Items for (days) in Storage Quotas in Mailbox Settings tab of a user's properties in MS Exchange. Appears to be the value of the field multiplied by 86400. The attribute value is the number of seconds corresponding to the number of days specified in the field.
This is only needed for users with Exchange mailboxes. We can set this individually (perhaps based on a COS-type rule based on roles as defined in eduPersonPrimaryAffiliation) or use system defaults.
This may ultimately be better set using a Microsoft API-compliant utility rather than via LDAP.
Generation-Qualifier
"Indicates a person generation. For example, Jr. or II." - link
Unicode string, single-valued
Jr.
III
NAME_SUFFIX from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
We haven't stored this information before. It is not entirely clear if only generational information is stored in the aforementioned Banner fields. Suffixes like "PhD" might also be stored there. If that is the case, we could parse those fields accepting only generational information.
gidNumber
"Contains an integer value that uniquely identifies a group in an administrative domain." - link
Enumeration, single-valued
gidNumber
This number should be the number of the primary unix group this account is associated with.
See An Analysis of Unix Groups on Diamond for information on unix groups and proposed cleanup of groups and accounts.
Given-Name
"Contains the given name (first name) of the user." - link
Unicode string, single-valued
Kathleen
givenName
FIRST_NAME from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
Home-Directory
"The home directory for the account. If homeDrive is set and specifies a drive letter, homeDirectory must be a UNC path. Otherwise, homeDirectory is a fully qualified local path including the drive letter (e.g. "c:\directory\folder"). This value can be a null string." - link
Unicode string, single-valued
\\diamond.saintmarys.edu\khausman
uid
Once again, Microsoft has commandeered an attribute from conventional use. According to RFC 2307 (published in 1998), homeDirectory is defined as "The absolute path to the home directory". This has traditionally been in a unix context. Unix path information is now relegated to unixHomeDirectory.
Merideth says that this is best managed by GPO.
Home-Drive
"Specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form "<DriveLetter>:" where <DriveLetter> is the letter of the drive to map. The
Unicode string, single-valued
H:
H: for every user.
Merideth says that this is best managed by GPO.
ms-Exch-Home-MDB
"The distinguished name of the message database (MDB) for this mailbox." - link
Distinguished name, single-valued
CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=DMMEXCH2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SMC Exchange Test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=d,DC=saintmarys,DC=edu
This may ultimately be better set using a Microsoft API-compliant utility rather than via LDAP.
ms-Exch-Home-MTA
"Points to the message transfer agent (MTA) that services this object." - link
Distinguished name, single-valued
CN=Microsoft MTA,CN=DMMEXCH2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SMC Exchange Test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=d,DC=saintmarys,DC=edu
This may ultimately be better set using a Microsoft API-compliant utility rather than via LDAP.
Phone-Home-Primary
"The user's main home phone number." - link
Unicode string, single-valued
+1 574 284 4716
homePhone
PHONE_AREA_CODE2 and PHONE_NUMBER2 from AS_STUDENT_DATA
PHONE_AREA_2 and PHONE_NUMBER_2 from AP_EMPLOYEE_PROFILE
Address-Home
"A user's home address." - link
Unicode string, single-valued
21121 Main St$South Bend$IN$46637$US
homePostalAddress
STREET2_LINE1, STREET2_LINE2, STREET2_LINE3, CITY2, STATE2, ZIP2, NATN_CODE2 from AS_STUDENT_DATA
STREET_LINE1_2, STREET_LINE2_2, STREET_LINE3_2, CITY_2, STATE_2, ZIP_2, NATN_CODE_2 from AP_EMPLOYEE_PROFILE
Standard LDAP convention is to use dollar-signs ($) as line delimiters. I don't know if AD complies or even tolerates this.
Currently the country is not included in homePostalAddress on aegis. The Banner-to-LDAP script should be updated prior to migration. Maybe include country only if not "US".
Comment
"The user's comments. This string can be a null string." - link?
Unicode string, single-valued
This attribute appears to be distinct from the comment attribute.
This attribute appears to be intended to be set by the user; our software should perhaps not touch it.
Initials
"Contains the initials for parts of the user's full name. This may be used as the middle initial in the Windows Address Book." - link
Unicode string, single-valued
A
MIDDLE_INITIAL from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
Currently not populated on aegis. The Banner-to-LDAP script should be updated prior to migration.
Locality-Name
"Represents the name of a locality, such as a town or city." - link
Unicode string, single-valued
Notre Dame
l
CITY1 from AS_STUDENT_DATA
CITY_1 from AP_EMPLOYEE_PROFILE
labeledURI
"A Uniform Resource Identifier followed by a label. The label is used to describe the resource to which the URI points, and is intended as a friendly name fit for human consumption." - link
http://www.saintmarys.edu/~khausman/ Home Page
labeledURI
Legacy-Exchange-DN
"Points to the message transfer agent (MTA) that services this object." - link
CaseIgnoreString(Teletex), single-valued
/o=SMC Exchange Test/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=jdoe
This may ultimately be better set using a Microsoft API-compliant utility rather than via LDAP.
loginShell
"Contains the path to the login shell." - link
IA5 string, single-valued
/bin/bash
loginShell
/etc/passwd entry
E-mail-Addresses
"The list of email addresses for a contact." - link
Unicode string, single-valued
khausman@saintmarys.edu
This doesn't appear to be used by Exchange.
Corresponds to the E-mail field in the General tab of the properties of a User in the Active Directory admin GUI.
ms-Exch-Mail-Nickname
Unicode string, single-valued
khausman
uid
According to Active Directory Cookbook, page 810, mailNickname has to be unique in the domain, and can be the same as sAMAccountName.
Manager
"Contains the distinguished name of the user who is the user's manager." - link
Object(DS-DN), single-valued
CN=dmandell,OU=Staff,OU=People,DC=saintmarys,DC=edu
?
Maybe someday.
?
"The maximum mailbox size, in kilobyte (KB), over which sending and receiving mail is disabled." - link
Integer?, single-valued
10003
Existence and value correspond to settings in the Storage Quotas window from Mailbox Settings tab of user properties in the Exchange admin GUI.
This may ultimately be better set using a Microsoft API-compliant utility rather than via LDAP.
?
"The mailbox quota overdraft limit in kilobyte (KB)." - link
Integer?, single-valued
10002
Existence and value correspond to settings in the Storage Quotas window from Mailbox Settings tab of user properties in the Exchange admin GUI.
This may ultimately be better set using a Microsoft API-compliant utility rather than via LDAP.
?
"The message database (MDB) quota in kilobyte (KB)." - link
Integer?, single-valued
10001
Existence and value correspond to settings in the Storage Quotas window from Mailbox Settings tab of user properties in the Exchange admin GUI.
This may ultimately be better set using a Microsoft API-compliant utility rather than via LDAP.
?
"Indicates whether the store should use the default quota, rather than the per-mailbox quota." - link
Integer?, single-valued
TRUE
Existence and value correspond to settings in the Storage Quotas window from Mailbox Settings tab of user properties in the Exchange admin GUI.
This may ultimately be better set using a Microsoft API-compliant utility rather than via LDAP.
Is-Member-Of-DL
"The distinguished name of the groups to which this object belongs." - link
CN=Staff,OU=UserGroups,OU=Groups,DC=d,DC=saintmarys,DC=edu
eduPersonPrimaryAffiliation
In addition to having OU containers, we will also have AD security groups that correspond to the OU containers and values of eduPersonPrimaryAffiliation. These groups will be in the subtree OU=UserGroups.
Every user object will belong to the security group that corresponds to its OU location (and the value of eduPersonPrimaryAffiliation).
Looks like the only way to add an entry to a group is to add the entry's DN to the member attribute of the group itself. AD will not allow addition or modification of the memberOf attribute.
Phone-Mobile-Primary
"The primary cell phone number." - link
Unicode string, single-valued
+1 574 284 4716
mobile
Displayed in Online Phonebook.
Currently settable/editable by users in the profile section of the @Home drupal web site (some people have actually used this).
msSFU-30-Name
"This attribute is used by Windows Services for UNIX." - link
"Contains the name of a map." - link
String(IA5), single-valued
khausman
uid
I don't know what this is for, and the documentation is vague. Apparently it should match cn, uid, etc.
msSFU-30-Nis-Domain
"This attribute is used by Windows Services for UNIX." - link
"Contains the NIS domain." - link
String(IA5), single-valued
adsmc???
I don't know what this is for, and the documentation is vague. Apparently it should be the name of the domain ("adsmc"?).
Evidently, this corresponds to the value of the NIS Domain field in the UNIX Attributes tab in properties of a user in ADUC.
?
?
?, single-valued
khausman
uid
Appears to be set by AD/Exchange. Apparently matches cn.
Controlled by the Name field in the User Information tab of user properties in Exchange Management Console.
While this does not seem to be controlled in ADUC, this attribute is the name shown for the entry in ADUC.
Organization-Name
"The name of the company or organization." - link
Saint Mary's College
o
It appears that company serves the same purpose. Populate both.
?
"This attribute specifies the list of classes of which this object is an instance." - link
top
person
organizationalPerson
user
inetOrgPerson
eduPerson
saintMarysEduPerson
It appears that the values top, person, organizationalPerson, and user are assigned when a user object is created. We must programmatically add inetOrgPerson, eduPerson, and saintMarysEduPerson. Any others?
Organizational-Unit-Name
"The name of the organizational unit." - link
Alum
Exstu
Faculty
Infotech
Retired
Shared
Special
Staff
Student
Term
ou
eduPersonPrimaryAffiliation
I don't know the correlation between the ou attribute and the ou containers. iPlanet didn't seem to care. I don't think Active Directory does, either. No values for ou were set when user objects were created in testing.
Would the safest thing be to have ou reflect the bottom-most ou container in an entity's DN?
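An added example, not taken from these notes or from the account tools, of how creation code could tie the pieces discussed under Is-Member-Of-DL and Organizational-Unit-Name together: derive the container DN and the bottom-most OU (the suggested ou value) from eduPersonPrimaryAffiliation, find the matching security group under OU=UserGroups, and emit the LDIF that actually performs the membership change, a modify of the group's member attribute, since AD refuses direct writes to memberOf. The domain DC=d,DC=saintmarys,DC=edu is the one in the group DN sample above; the affiliation-to-container table and the Python function names are assumptions made for the example.

```python
import base64
import re

# Assumed base DN; the sample group DN above uses DC=d,DC=saintmarys,DC=edu.
BASE_DN = "DC=d,DC=saintmarys,DC=edu"

# Assumed pairing of eduPersonPrimaryAffiliation values with the containers
# listed under OU=People above (the container names are from the notes, the
# pairing is a guess for the example).
AFFILIATION_TO_CONTAINER = {
    "Student": "Student",
    "Staff": "Staff",
    "Faculty": "Faculty",
    "Retired": "Retired",
    "Alumna": "Alum",
}


def escape_rdn_value(value):
    """Escape the characters RFC 4514 requires escaping inside an RDN value."""
    value = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if value.startswith(" ") or value.startswith("#"):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def container_for(affiliation):
    try:
        return AFFILIATION_TO_CONTAINER[affiliation]
    except KeyError:
        raise ValueError("no container defined for affiliation %r" % affiliation)


def user_dn(cn, affiliation):
    return "CN=%s,OU=%s,OU=People,%s" % (escape_rdn_value(cn), container_for(affiliation), BASE_DN)


def group_dn(affiliation):
    return "CN=%s,OU=UserGroups,OU=Groups,%s" % (container_for(affiliation), BASE_DN)


def ou_from_dn(dn):
    """Return the bottom-most OU in a DN, i.e. the value proposed for the ou attribute."""
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "OU":
            return value
    return None


def ldif_value(attr, value):
    """Format one LDIF attribute line, base64-encoding values that RFC 2849 says
    cannot be written in the clear (non-ASCII, or a leading space, colon or '<')."""
    safe = value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<")
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def ldif_add_member(cn, affiliation):
    """LDIF that puts the user into the security group for its affiliation.

    The change targets the group's member attribute; AD maintains the user's
    memberOf back-link itself and rejects attempts to add or modify it.
    """
    return "\n".join([
        ldif_value("dn", group_dn(affiliation)),
        "changetype: modify",
        "add: member",
        ldif_value("member", user_dn(cn, affiliation)),
        "-",
        "",
    ])
```

The output of ldif_add_member can be fed to ldapmodify as-is; an affiliation with no container raises rather than silently landing the account somewhere unexpected.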
I currently store "class of" information in ou. Would it be harmful to continue this practice?
Phone-Pager-Primary
"The primary pager number." - link
Unicode string, single-valued
?
Dunno if we actually need this, but it's there if we do.
Corresponds to the value of the Pager field in the Telephones tab in properties of a user in ADUC.
Physical-Delivery-Office-Name
"Contains the office location in the user's place of business." - link
Unicode string, single-valued
130 Haggar College Center
smcEduRoomNumber, smcEduBuildingName
STREET1_LINE1, STREET1_LINE2 from AS_STUDENT_DATA
STREET_LINE1_1, STREET_LINE2_1, from AP_EMPLOYEE_PROFILE
Dunno if we actually need this.
Postal-Address
"A user's home address." - link
101 Haggar College Center, Saint Mary's College$Notre Dame$IN$46556$US
postalAddress
STREET1_LINE1, STREET1_LINE2, STREET1_LINE3, CITY1, STATE1, ZIP1, NATN_CODE1 from AS_STUDENT_DATA
STREET_LINE1_1, STREET_LINE2_1, STREET_LINE3_1, CITY_1, STATE_1, ZIP_1, NATN_CODE_1 from AP_EMPLOYEE_PROFILE
Standard LDAP convention is to use dollar-signs ($) as line delimiters. I don't know if AD complies or even tolerates this.
Currently the country is not included in postalAddress on aegis. The Banner-to-LDAP script should be updated prior to migration. Maybe include country only if not "US".
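An added example (not from these notes or the Banner-to-LDAP script) of assembling the postalAddress and homePostalAddress values discussed above from the Banner fields named for each: non-empty street lines are joined into the first component, components are separated by "$", and the country is appended only when it is not "US" (with a switch to always include it, as the sample values do). It also escapes a literal "$" inside a component, which the LDAP Postal Address syntax (RFC 4517) requires and which would otherwise split an address line. The field layouts are the ones listed above; the sample row and function names are constructed.

```python
# RFC 4517 Postal Address syntax: components are separated by "$", so a literal
# "$" inside a component is written "\24" and a literal backslash "\5C".
def escape_component(text):
    return text.replace("\\", "\\5C").replace("$", "\\24")


def build_postal_address(street_lines, city, state, zip_code, country,
                         home_country="US", always_include_country=False):
    """Assemble one postalAddress/homePostalAddress value.

    Non-empty street lines are joined with ", " into the first component
    (matching the sample "101 Haggar College Center, Saint Mary's College"),
    followed by city, state and zip. The country is appended only when it
    differs from home_country, unless always_include_country is set.
    Returns None when every field is empty.
    """
    street = ", ".join(s.strip() for s in street_lines if s and s.strip())
    components = [street, city, state, zip_code]
    country = (country or "").strip()
    if country and (always_include_country or country.upper() != home_country):
        components.append(country)
    components = [escape_component(c.strip()) for c in components if c and c.strip()]
    return "$".join(components) or None


# Banner field names as listed above, grouped as (street lines, city, state, zip, country).
STUDENT_WORK = (("STREET1_LINE1", "STREET1_LINE2", "STREET1_LINE3"), "CITY1", "STATE1", "ZIP1", "NATN_CODE1")
STUDENT_HOME = (("STREET2_LINE1", "STREET2_LINE2", "STREET2_LINE3"), "CITY2", "STATE2", "ZIP2", "NATN_CODE2")
EMPLOYEE_WORK = (("STREET_LINE1_1", "STREET_LINE2_1", "STREET_LINE3_1"), "CITY_1", "STATE_1", "ZIP_1", "NATN_CODE_1")
EMPLOYEE_HOME = (("STREET_LINE1_2", "STREET_LINE2_2", "STREET_LINE3_2"), "CITY_2", "STATE_2", "ZIP_2", "NATN_CODE_2")


def address_from_record(record, layout, **options):
    """Pull the fields named by one of the layouts above out of a Banner row (a dict)."""
    street_keys, city, state, zip_key, country = layout
    return build_postal_address(
        [record.get(k, "") for k in street_keys],
        record.get(city, ""), record.get(state, ""), record.get(zip_key, ""),
        record.get(country, ""), **options)


# Constructed sample row (not real data) shaped like AS_STUDENT_DATA.
SAMPLE_STUDENT = {
    "STREET1_LINE1": "101 Haggar College Center", "STREET1_LINE2": "Saint Mary's College",
    "STREET1_LINE3": "", "CITY1": "Notre Dame", "STATE1": "IN", "ZIP1": "46556", "NATN_CODE1": "US",
    "STREET2_LINE1": "21121 Main St", "STREET2_LINE2": "", "STREET2_LINE3": "",
    "CITY2": "South Bend", "STATE2": "IN", "ZIP2": "46637", "NATN_CODE2": "US",
}
```

address_from_record(SAMPLE_STUDENT, STUDENT_WORK) gives the work address and address_from_record(SAMPLE_STUDENT, STUDENT_HOME) the home address; pass always_include_country=True to reproduce the "$US" suffix shown in the sample values.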
Postal-Code
"The postal or zip code for mail delivery." - link
Unicode string, single-valued
46556
postalCode
ZIP1 from AS_STUDENT_DATA
ZIP_1 from AP_EMPLOYEE_PROFILE
Post-Office-Box
"This attribute specifies the post office box number for this object." - link
postOfficeBox
?
If addresses have PO Boxes, we could put them here. This would involve some more parsing of address lines coming from Banner. I would consider populating this if there was a compelling need.
Corresponds to the value of the P.O. Box field in the Address tab in properties of a user in ADUC.
Physical-Delivery-Office-Name
"This attribute specifies the office location in the user's place of business." - link
Unicode string, single-valued
101 Haggar College Center
smcEduRoomNumber, smcEduBuildingName
Used in the Office field in the General tab in ADSI.
Preferred-OU
"The Organizational Unit to show by default on user' s desktop." - link
Object(DS-DN), single-valued
OU=Staff,OU=People,DC=adsmc,DC=saintmarys,DC=edu?????
eduPersonPrimaryAffiliation
I guess this should reflect the bottom-most OU container that the object is in.
I don't know if or how this is used. Should we set it?
Primary-Group-ID
"This attribute specifies the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group." - link
Integer, single-valued
513
Probably best to let the AD system set this during object creation.
Profile-Path
"This attribute specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path." - link
Unicode string, single-valued
Merideth says we will not use this.
Corresponds to the value of the Profile path field in the Profile tab in properties of a user in ADUC.
Proxy-Addresses
"A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects such as custom recipients and distribution lists." - link
SMTP:khausman@saintmarys.edu
smtp:kathy@saintmarys.edu
mail, mailAlternateAddress
mail (ldap attribute)
These are the addresses that an account is known by in Exchange. Exactly one entry must have "SMTP" in all caps; that one is considered the main address, corresponding to aegis's mail and uid. Other values are aliases, corresponding to mailAlternateAddress on aegis.
Pwd-Last-Set
"The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon." - link
Interval, single-valued
128696920978125000
We could set this to zero to force a password change.
SAM-Account-Name
"The logon name used to support clients and servers running older versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. This attribute must be less than 20 characters to support older clients." - link
Unicode string, single-valued
khausman
uid
Make this identical to cn.
SAM-Account-Type
"This attribute contains information about every account type object..." - link
Enumeration, single-valued
805306368 (which is decimal for 0x30000000, which is designated as "SAM_NORMAL_USER_ACCOUNT")
This appears to be set by the system, even when programmatically creating a user.
Script-Path
"This attribute specifies the path for the user's logon script. The string can be null." - link
Unicode string, single-valued
Merideth says that this is best managed by GPO.
Surname
"This attribute contains the family or last name for a user." - link
Unicode string, single-valued
Hausmann
sn
LAST_NAME from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
State-Or-Province-Name
"The name of a user's state or province." - link
Unicode string, single-valued
IN
st
STATE1 from AS_STUDENT_DATA
STATE_1 from AP_EMPLOYEE_PROFILE
Street-Address
"The street address." - link
Unicode string, single-valued
101 Haggar College Center, Saint Mary's College
street
STREET1_LINE1, STREET1_LINE2, STREET1_LINE3 from AS_STUDENT_DATA
STREET_LINE1_1, STREET_LINE2_1, STREET_LINE3_1 from AP_EMPLOYEE_PROFILE
?
"The street address." - link
Unicode string, single-valued
101 Haggar College Center, Saint Mary's College
street
STREET1_LINE1, STREET1_LINE2, STREET1_LINE3 from AS_STUDENT_DATA
STREET_LINE1_1, STREET_LINE2_1, STREET_LINE3_1 from AP_EMPLOYEE_PROFILE
The ADSI interface uses streetAddress as opposed to street.
ms-Exch-Target-Address
"Contains the destination address for this object." - link
Unicode string, single-valued
khausman@migrate.saintmarys.edu
uid, mailForwardingAddress
This is how we tell Exchange how to route mail for people who don't have Exchange mailboxes (which is everybody, initially). Until we start using Exchange, every user will have a targetAddress of <cn>@migrate.saintmarys.edu.
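An added example (not from these notes or the migration tools) covering the Proxy-Addresses and ms-Exch-Target-Address entries above: it builds proxyAddresses from aegis's mail and mailAlternateAddress with exactly one upper-case "SMTP:" primary and lower-case "smtp:" aliases, checks a set of values for the mistakes that Exchange rejects (no primary, two primaries, the same address twice with different case), and fills in the <cn>@migrate.saintmarys.edu targetAddress for accounts that do not yet have a mailbox. The function names are constructed; mailNickname is included because the notes say it corresponds to uid.

```python
MIGRATE_DOMAIN = "migrate.saintmarys.edu"


def proxy_addresses(mail, alternates=()):
    """Build proxyAddresses: one 'SMTP:' (upper case) primary from mail plus
    'smtp:' aliases from mailAlternateAddress. Duplicates are dropped after a
    case-insensitive comparison, which is how Exchange treats addresses."""
    primary = (mail or "").strip()
    if not primary or "@" not in primary:
        raise ValueError("mail must be a full address: %r" % mail)
    values = ["SMTP:" + primary]
    seen = {primary.lower()}
    for alias in alternates:
        alias = (alias or "").strip()
        if not alias or alias.lower() in seen:
            continue
        seen.add(alias.lower())
        values.append("smtp:" + alias)
    return values


def target_address(cn):
    """targetAddress used to route mail until the user has an Exchange mailbox."""
    return "%s@%s" % (cn, MIGRATE_DOMAIN)


def check_proxy_addresses(values):
    """Return a list of problems with a proxyAddresses set; empty means consistent."""
    problems = []
    primaries = [v for v in values if v.startswith("SMTP:")]
    if len(primaries) != 1:
        problems.append("expected exactly one SMTP: primary, found %d" % len(primaries))
    seen = set()
    for v in values:
        prefix, sep, addr = v.partition(":")
        if not sep or prefix.lower() != "smtp" or "@" not in addr:
            problems.append("malformed entry %r" % v)
            continue
        if addr.lower() in seen:
            problems.append("duplicate address %r" % addr)
        seen.add(addr.lower())
    return problems


def exchange_mail_attributes(cn, mail, alternates=()):
    """The mail-related attributes a migration tool would set for a user whose
    mailbox still lives elsewhere; raises instead of writing an inconsistent set."""
    addrs = proxy_addresses(mail, alternates)
    problems = check_proxy_addresses(addrs)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "mail": mail,
        "mailNickname": cn,
        "proxyAddresses": addrs,
        "targetAddress": target_address(cn),
    }
```

Running check_proxy_addresses over values read back from the directory is a cheap way to find accounts whose addresses were edited by hand into a state Exchange will later complain about.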
Telephone-Number
"The primary telephone number." - link
Unicode string, single-valued
+1 574 284 5000
telephoneNumber
PHONE_AREA_CODE1, PHONE_NUMBER1 from AS_STUDENT_DATA
PHONE_AREA_1, PHONE_NUMBER_1 from AP_EMPLOYEE_PROFILE
Title
"Contains the user's job title." - link
Unicode string, single-valued
Coord. of Student Computing
Student
title
JOB_CURR_TITLE from AP_EMPLOYEE_PROFILE
"Student" if student
uidNumber
"Contains an integer that uniquely identifies a user in an administrative domain." - link
Enumeration, single-valued
9494
uidNumber
/etc/passwd
This is the unix uid number assigned to each account. Must be unique.
unixHomeDirectory
"Contains the absolute path to the home directory." - link
String(IA5), single-valued
/home/infotech1/khausman
homeDirectory
/etc/passwd
Since AD hijacked homeDirectory for its own purposes, we must use this for the file server (diamond, coal).
Will users' home directory locations change when they move to server coal?
User-Password
"The user's password in UTF-8 format. This is a write-only attribute." - link
The actual attribute is apparently set by the system.
To programmatically set a password, use the Win32::OLE construct:
$objUser->SetPassword($password);
User-Principal-Name
"This attribute contains the UPN that is an Internet-style login name for a user based on the Internet standard RFC 822." - link
Unicode string, single-valued
khausman@saintmarys.edu
uid
Corresponds to the value of the User logon name field in the Account tab of user properties in ADUC.
Corresponds to the value of the User logon name (User Principal Name) field in the Account tab of user properties in Exchange Management Console.
Same as eduPersonPrincipalName.
User-Account-Control
"Flags that control the behavior of the user account." - link
Enumeration, single-valued
Various settings in ADUC (and perhaps Exchange Management Console) control this. - link
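As an added example (not from these notes or from the migration tools), the Python below covers the three attributes that together decide whether an account can log on: it converts between datetimes and the 100-nanosecond "Interval" values used by Account-Expires and Pwd-Last-Set (treating 0 and 0x7FFFFFFFFFFFFFFF as "never expires"), decodes the userAccountControl bits, and applies the rule quoted under Pwd-Last-Set that pwdLastSet=0 forces a change at next logon only when UF_DONT_EXPIRE_PASSWD is not set. The flag values are the standard Windows ones; the function names and the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)

# userAccountControl flag bits (standard Windows values)
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_SMARTCARD_REQUIRED = 0x40000
UF_PASSWORD_EXPIRED = 0x800000

UAC_FLAGS = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
    UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}


def filetime_to_datetime(value):
    """Interval (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None for 'never'."""
    if value in NEVER_EXPIRES:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> Interval value suitable for accountExpires or pwdLastSet."""
    if dt.tzinfo is None:
        raise ValueError("a timezone-aware datetime is required")
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value, sorted."""
    return sorted(name for bit, name in UAC_FLAGS.items() if uac & bit)


def account_state(account_expires, pwd_last_set, uac, now=None):
    """Summarise accountExpires, pwdLastSet and userAccountControl for one entry."""
    now = now or datetime.now(timezone.utc)
    expires_at = filetime_to_datetime(account_expires)
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "expired": expires_at is not None and now >= expires_at,
        "expires_at": expires_at,
        "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
        # The rule from the Pwd-Last-Set definition: 0 forces a change unless the
        # password is flagged as never expiring.
        "must_change_password": pwd_last_set == 0 and not (uac & UF_DONT_EXPIRE_PASSWD),
        "password_last_set": filetime_to_datetime(pwd_last_set),
        "flags": decode_uac(uac),
    }
```

account_state(9223372036854775807, 0, 512) describes a freshly created, enabled account whose user must set a password at first logon; swapping in 66050 (NORMAL_ACCOUNT + ACCOUNTDISABLE + DONT_EXPIRE_PASSWD) shows how the same pwdLastSet of 0 no longer forces a change.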
WWW-Home-Page
"The primary web page." - link
Unicode string, single-valued
http://www.saintmarys.edu/~khausman/
labeledURI
How is this different (in function, not form) from labeledURI?
"Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc."
Administrative - Full-Time
Student
eduPersonAffiliation
ECLS_LONG_DESC from AP_EMPLOYEE_PROFILE
A value of this attribute is set to "Student" for student accounts (gidNumber=125).
This is similar to eduPersonPrimaryAffiliation, but allows multiple values. It could be used this way for employees who take classes or students who are employed by the College.
"Person's nickname, or the informal name by which they are accustomed to be hailed."
"Most often a single name as opposed to displayName which often consists of a full name. Useful for user-friendly search by name. As distinct from the cn (common name) attribute, the eduPersonNickname attribute is intended primarily to carry the person's preferred nickname(s). E.g., Jack for John, Woody for Durwood, JR for Joseph Robert."
Kathy
The Brick
eduPersonNickname
SPBPERS_PREF_FIRST_NAME from SPBPERS
Perhaps we can make this user-editable...
"The distinguished name (DN) of the directory entry representing the institution with which the person is associated."
Distinguished Name, single-valued
DC=adsmc,DC=saintmarys,DC=edu???
The eduPerson documentation says that the o attribute must be part of this.
We don't have a directory entry representing the institution.
"The distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s). "
Distinguished Name
OU=Staff,OU=People,DC=adsmc,DC=saintmarys,DC=edu???
eduPersonPrimaryAffiliation
We don't have directory entries representing people's Organizational Unit(s).
"Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc."
Directory string, single-valued
Administrator
Student
eduPersonPrimaryAffiliation
ECLS_LONG_DESC from AP_EMPLOYEE_PROFILE
A value of this attribute is set to "Student" for student accounts (gidNumber=125).
We intend to use this attribute to designate roles for users of various services (e.g. COS on Zimbra). The data from Banner is parsed into a very specific taxonomy that the container structure inside OU=People in Active Directory should match.
"The "NetID" of the person for the purposes of inter-institutional authentication. It should be represented in the form "user@scope" where scope defines a local security domain..."
Directory string, single-valued
khausman@saintmarys.edu
eduPersonPrincipalName
Same as userPrincipalName.
1.3.6.1.4.1.14003.1.1.1
Controls number of registrations netreg allows for a given account.
Integer, single-valued
1
smcEduResNetRegsAllowed
Useful as long as we use netreg.
By default, each student account gets a value of 1 in smcEduResNetRegsAllowed and other accounts get 0. This is editable via the netreg administrative interface.
1.3.6.1.4.1.14003.1.1.2
Indicates if account info was given to user (typically for new students). Corresponds to most recent print date.
Integer, single-valued
1 (received in person)
2 (sent via mail, received signed form in return mail)
smcEduAcctInfoReceived
Tracks the disposition of account information. May be useful to know how account information was received by the individual. This could be extended with another value to indicate info was received online.
Read and set by utility applications and scripts for printing account forms and enabling email accounts when signed forms are received.
1.3.6.1.4.1.14003.1.1.3
Indicates when account info was given to user (typically for new students).
Generalized time
20030821104514-0500
smcEduAcctInfoPrintDate
Tracks the disposition of account information. Indicates date & time of each printing of account information. The name is somewhat of a misnomer as this timestamp can also be set for online account distribution.
Read and set by utility applications and scripts for printing account forms and enabling email accounts when signed forms are received.
For migration, transfer all values of this attribute.
1.3.6.1.4.1.14003.1.1.4
Flag indicating exemption from auto-deletion.
Integer
0 (or missing) - normal/non-exempt
1 - exempt from auto-deletion
smcEduAcctSpecialHandling
Flag to indicate to any automated deletion software developed to exempt a given account from deletion. This is set to 1 for special accounts and 0 for other accounts in ldapadduser.
Automated account deletion was never implemented with the iPlanet directory server. Perhaps there are mechanisms built into AD that would obviate the need for this attribute. In that case, it could be deprecated.
For migration, transfer all values of this attribute.
1.3.6.1.4.1.14003.1.1.5
Date/time to presumably delete an account.
Generalized time. Single-valued
20101201000000-0500
smcEduAcctTargetDeleteDate
Date after which an account is expected to be deletable. Set at account creation for student accounts to December 1 of the year they are scheduled to graduate. Updated by the Banner sync software based on the student's currently-known graduation year. Could be used by (semi-)automatic account deletion software.
Automated account deletion was never implemented with the iPlanet directory server. Perhaps there are mechanisms built into AD that would obviate the need for this attribute. In that case, it could be deprecated.
For migration, transfer all values of this attribute.
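As an added example (not ldapadduser, the Banner sync software or any deletion tool the college actually ran), here is how a deleter would combine smcEduAcctTargetDeleteDate and smcEduAcctSpecialHandling, failing closed on missing or malformed dates. Entries are modelled as dicts of attribute to list of values, the shape python-ldap returns; the sample entries and DNs are constructed, and the parser also accepts the 'Z' and fractional-second GeneralizedTime forms that the page does not show.

```python
"""Select accounts eligible for automated deletion (added example, not site code)."""
import re
from datetime import datetime, timedelta, timezone

# GeneralizedTime: YYYYMMDDHHMMSS, optional fraction, then 'Z' or +hhmm/-hhmm.
_GT_RE = re.compile(r"^(\d{14})(?:[.,]\d+)?(Z|[+-]\d{4})$")


def parse_generalized_time(value: str) -> datetime:
    """Return the instant as an aware UTC datetime; raise on malformed input."""
    m = _GT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    stamp, zone = m.groups()
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5])))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def _single(entry: dict, attr: str):
    """First value of a possibly multi-valued attribute, or None if absent."""
    values = entry.get(attr) or []
    return values[0] if values else None


def is_exempt(entry: dict) -> bool:
    """smcEduAcctSpecialHandling: 0 or missing = normal, 1 = exempt."""
    raw = _single(entry, "smcEduAcctSpecialHandling")
    return raw is not None and str(raw).strip() == "1"


def deletion_candidates(entries: dict, now) -> list:
    """DNs whose target delete date has passed and that are not exempt.

    `now` may be an aware datetime or a GeneralizedTime string. Entries with
    no target date, or one that does not parse, are never returned: an
    automated deleter must fail closed on bad data.
    """
    if isinstance(now, str):
        now = parse_generalized_time(now)
    candidates = []
    for dn, entry in entries.items():
        if is_exempt(entry):
            continue
        target_raw = _single(entry, "smcEduAcctTargetDeleteDate")
        if target_raw is None:
            continue
        try:
            target = parse_generalized_time(target_raw)
        except ValueError:
            continue
        if target <= now:
            candidates.append(dn)
    return sorted(candidates)


# Constructed sample entries (assumed DNs, not real directory data).
SAMPLE_ENTRIES = {
    "uid=grad2010,ou=People,dc=example,dc=edu": {
        "smcEduAcctTargetDeleteDate": ["20101201000000-0500"],
        "smcEduAcctSpecialHandling": ["0"],
    },
    "uid=grad2012,ou=People,dc=example,dc=edu": {
        "smcEduAcctTargetDeleteDate": ["20121201000000-0500"],
    },
    "uid=special,ou=People,dc=example,dc=edu": {
        "smcEduAcctTargetDeleteDate": ["20101201000000-0500"],
        "smcEduAcctSpecialHandling": ["1"],
    },
    "uid=broken,ou=People,dc=example,dc=edu": {
        "smcEduAcctTargetDeleteDate": ["2010-12-01"],   # not GeneralizedTime: skipped
    },
}

if __name__ == "__main__":
    for dn in deletion_candidates(SAMPLE_ENTRIES, "20110115000000Z"):
        print("delete:", dn)
```

The -0500 offset in the page's own example means the December 1 midnight target is 05:00 UTC, which is why the comparison is done after converting both sides to UTC rather than on the raw strings.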
1.3.6.1.4.1.14003.1.1.6
1.3.6.1.4.1.14003.1.1.7
1.3.6.1.4.1.14003.1.1.8
Security question & answer for self-serve password resets.
Directory String. Single-valued
What is your favorite child's name?==Taryn
smcEduAcctSecurityQA1
smcEduAcctSecurityQA2
smcEduAcctSecurityQA3
Three question/answer pairs to allow self-serve account password resets. I suppose this could have been stored as multiple values of the same attribute, but I made a design decision to have separate attributes. I don't remember why.
These attributes were created as part of an online account information retrieval system I developed in spring of 2007. The system was never used because it was deemed too unreliable to use in my absence and (in 2007) it relied on new students having their ID numbers (as I was assured they would), but this turned out not to be the case.
If a 3rd-party password/security system is purchased, then these can be deprecated.
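Added example of how a reset tool would consume the three question==answer attributes; it is not the 2007 retrieval system's code. It assumes the '==' separator shown above, that a reset requires all three answers to match, and that answers are compared after case-folding and whitespace normalisation (the page does not say how comparison was done). The hash_answer/hashed_answer_matches pair shows the same check when the directory holds a salted PBKDF2 hash instead of the cleartext answer; that hardening is suggested here, not described on the page. The sample entry is constructed (its first value is the page's example).

```python
"""Verify self-serve reset answers stored as 'question==answer' (added example)."""
import hashlib
import hmac
import os
import unicodedata

SEPARATOR = "=="
QA_ATTRIBUTES = ("smcEduAcctSecurityQA1", "smcEduAcctSecurityQA2", "smcEduAcctSecurityQA3")


def split_qa(value: str) -> tuple:
    """Split 'question==answer' at the first '==' (the question may contain '=')."""
    question, sep, answer = value.partition(SEPARATOR)
    if not sep:
        raise ValueError("missing '==' separator in security Q&A value")
    return question.strip(), answer


def normalize_answer(answer: str) -> str:
    """Unicode-normalise, case-fold and collapse whitespace before comparing (assumed policy)."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def answer_matches(stored_value: str, supplied: str) -> bool:
    """Compare against the cleartext answer in the stored value, in constant time."""
    _, stored_answer = split_qa(stored_value)
    return hmac.compare_digest(
        normalize_answer(stored_answer).encode("utf-8"),
        normalize_answer(supplied).encode("utf-8"),
    )


def hash_answer(answer: str, salt: bytes = None, rounds: int = 200_000) -> str:
    """Encode the answer as 'pbkdf2-sha256$rounds$salthex$digesthex' (suggested storage)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"), salt, rounds)
    return f"pbkdf2-sha256${rounds}${salt.hex()}${digest.hex()}"


def hashed_answer_matches(stored_hash: str, supplied: str) -> bool:
    """Recompute with the stored salt and rounds and compare in constant time."""
    scheme, rounds, salt_hex, _ = stored_hash.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    recomputed = hash_answer(supplied, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(recomputed, stored_hash)


def reset_allowed(entry: dict, supplied_answers: dict) -> bool:
    """True only if every stored Q&A attribute has a matching supplied answer."""
    ok = True
    for attr in QA_ATTRIBUTES:
        values = entry.get(attr) or []
        if not values:
            return False          # incomplete enrolment: refuse the reset
        # Evaluate every attribute even after a mismatch so response time does
        # not reveal which answer was wrong.
        ok &= answer_matches(values[0], supplied_answers.get(attr, ""))
    return ok


# Constructed sample entry; only the first value comes from the page.
SAMPLE_ENTRY = {
    "smcEduAcctSecurityQA1": ["What is your favorite child's name?==Taryn"],
    "smcEduAcctSecurityQA2": ["What street did you grow up on?==Lincoln Way"],
    "smcEduAcctSecurityQA3": ["First pet's name?==Rex"],
}
```

Whatever the storage form, read access to these attributes needs the same restriction as a password: with the cleartext form anyone who can read the entry can reset the account.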
1.3.6.1.4.1.14003.1.1.9
Retrievable storage of account's initial password.
Directory String
zzMnb]up<
smcEduAcctInitialPW
Set at account creation. Used for printing (and online distribution) of account information for new users. Note that this is used heavily during Orientations by printing software. Because the value is a readable cleartext credential, read access to it must be restricted: in AD, mark the attribute confidential (bit 0x80 in its schema searchFlags) so that reading it requires an explicit CONTROL_ACCESS grant, give that grant only to the account the printing software runs as, and clear the value once the user has changed the password.
NEW
1.3.6.1.4.1.14003.1.1.10
Multi-valued replacement for the description attribute.
Directory String. Multi-valued
New Student 200910
smcEduAcctDesc
description
Active Directory gives the description attribute non-standard behavior: although the AD schema declares it multi-valued, the directory permits only one value per object. In the current LDAP implementation we have been storing multiple values in description, and certain software depends on this behavior. Other attributes, like info and comment, also only allow single values, so they cannot be utilized.
To restore the functionality of description, this attribute was created to take its place.
For migration, transfer all values of description to smcEduAcctDesc.
NEW
1.3.6.1.4.1.14003.1.2.1
Unique identifier field in various Oracle tables in Banner.
Integer. Single-valued
151109
smcEduPIDM
PIDM_KEY from AS_STUDENT_DATA
SPRIDEN_PIDM from SPRIDEN
SPBPERS_PIDM from SPBPERS
For accounts that correspond to persons, this is the unique identifier of this person in Banner. This is used extensively by Banner-to-LDAP synchronization software, and is the key link between directory services and Banner.
Accounts that do not correspond to a person in Banner currently either have no smcEduPIDM attribute, or it is set to 0. Note that we do have accounts that correspond to individual people that are not in Banner (e.g. ECDC, Sodhexo, Book Store); those have no or zero-valued smcEduPIDM attributes.
We should standardize this and have every account have a smcEduPIDM attribute set to 0 or otherwise.
Will also be storing this in employeeNumber.
1.3.6.1.4.1.14003.1.2.2
Employee's current status.
Directory String. Single-valued
Active
Terminated
smcEduEmplStatus
EMPL_STATUS_DESC from AP_EMPLOYEE_PROFILE
Indicates whether an employee is active, on-call, retired, terminated, etc. Its primary use is the online phonebook and filtering for managed email lists on listserv.
Could also indicate current employment status of students.
NEW
1.3.6.1.4.1.14003.1.2.8
Employee's current status code.
Directory String. Single-valued
A
T
EMPL_STATUS from AP_EMPLOYEE_PROFILE
1- or 2-letter code indicating an employee's status, e.g. active, on-call, retired, terminated, etc. Its primary use is the online phonebook and filtering for managed email lists on listserv.
Could also indicate current employment status of students.
1.3.6.1.4.1.14003.1.2.3
Student's current status.
Directory String. Single-valued
Values currently found in LDAP:
smcEduStudStatus
STST_DESC from AS_STUDENT_DATA
Indicates whether a student is active, graduated, withdrew, abroad, etc.. Its primary use is the online phonebook and filtering for managed email lists on listserv.
NEW
1.3.6.1.4.1.14003.1.2.7
Student's current status code.
Directory String. Single-valued
STST_CODE from AS_STUDENT_DATA
2-character code that indicates whether a student is active, graduated, withdrew, abroad, etc.. Its primary use is the online phonebook and filtering for managed email lists on listserv.
1.3.6.1.4.1.14003.1.2.4
Integer indication of display of personal data in applications (e.g. online phonebook) per FERPA guidelines.
Integer. Single-valued
0
1 (corresponds to "y" or "Y" in Banner)
smcEduConfidentialityInd
SPBPERS_CONFID_IND from SPBPERS
This was our first attempt at FERPA compliance. Subsequently, greater granularity was obtained with attributes under smcEduPersonPrivacy section.
It is currently up to the software consuming directory data to honor this attribute. In general, the practice is that this attribute takes precedence over some of the smcEduPersonPrivacy attributes (i.e. a 1 value here overrides those).
Currently this attribute controls the display of homePostalAddress, homePhone, in the Online PhoneBook.
1.3.6.1.4.1.14003.1.2.5
ID number for a person in Banner.
Directory String. Single-valued
980002565
smcEduID
ID from AS_STUDENT_DATA
ID_NUMBER from AP_EMPLOYEE_PROFILE
This is a unique ID number that gets printed on ID cards and is used for PRISM access. This is not the same as PIDM, which is an internal identifier, not for human consumption.
This was to be used as part of the credentials new students would use to identify themselves to obtain computer account information online via a mechanism I wrote in spring of 2007.
Will also be storing this in employeeID.
1.3.6.1.4.1.14003.1.2.6
Date of birth of a person in Banner.
Directory String. Single-valued
13-JUN-75
smcEduDOB
BIRTH_DATE from AS_STUDENT_DATA or AP_EMPLOYEE_PROFILE
This was to be used as part of the credentials new students would use to identify themselves to obtain computer account information online via a mechanism I wrote in spring of 2007.
If a 3rd-party password/security system is purchased, then this can be deprecated, though there may be other uses for this information. Note that the example value is in Oracle's default two-digit-year date format; if software is ever to compare or sort on this attribute, store a four-digit year (or GeneralizedTime) instead.
1.3.6.1.4.1.14003.1.3.1
Building name of person's on-campus (office or residence) address.
Directory String
Haggar College Center
smcEduBuildingName
STREET1_LINE1, STREET1_LINE2 from AS_STUDENT_DATA
STREET_LINE1_1, STREET_LINE2_1 from AP_EMPLOYEE_PROFILE
Displayed in Online Phonebook. Used in filters for managed email lists on listserv.
1.3.6.1.4.1.14003.1.3.2
Room number of person's on-campus (office or residence) address.
Directory String
75 F
smcEduRoomNumber
STREET1_LINE1, STREET1_LINE2 from AS_STUDENT_DATA
STREET_LINE1_1, STREET_LINE2_1 from AP_EMPLOYEE_PROFILE
Displayed in Online Phonebook. Used in filters for managed email lists on listserv.
Room "number" is a slight misnomer as this attribute is a string and can contain other characters (e.g. "145B").
1.3.6.1.4.1.14003.1.3.3
Instant-messaging screen names.
Directory String
HappyFunBallPro
smcEduIMScreenName
Displayed in Online Phonebook.
Currently settable/editable by users in the profile section of the @Home drupal web site (some people have actually used this).
1.3.6.1.4.1.14003.1.3.4
Intended graduation year of student.
Directory String
2012
smcEduIntendedGradYr
function FZ_GET_COHORT
This is supplanted by a value in the OU attribute. But since OU can have multiple values, it may be easier to obtain this information using this attribute instead.
1.3.6.1.4.1.14003.1.3.5
Student's concentration of study.
Directory String
Elementary Education
smcEduConcentration
MAJR_DESC, MAJR_DESC_1_2, MAJR_DESC_MINOR_1, MAJR_DESC_MINOR_1_2 from AS_STUDENT_DATA
Displayed in Online Phonebook and Class Roster Lister.
Essential data for Class Roster Lister. Useful if we wish to implement anything based on major or concentration (including but not limited to major-specific managed mailing lists).
1.3.6.1.4.1.14003.1.4.1
Bar code on person's ID card.
Directory String, single-valued.
71000011806407
smcEduIDCardBarCode
ZIDCARD_BARCODE from ZIDCARDS
For possible use by IT-developed card-swiping systems.
Probably obviated by adoption of OneCard.
1.3.6.1.4.1.14003.1.4.2
Indicates the "type" of ID card issued to a person.
Directory String, single-valued.
FAC
STAF
STU
smcEduIDCardType
ZIDCARD_CARD_TYPE from ZIDCARDS
For possible use by IT-developed card-swiping systems.
Probably obviated by adoption of OneCard.
Can be used as a fall-back for determining the role of a person if data in eduPersonPrimaryAffiliation is incorrect or missing.
1.3.6.1.4.1.14003.1.4.3
Date/time of last change to ZIDCARDS record.
Directory String, single-valued.
07-JUN-07
smcEduIDCardChgDate
ZIDCARD_CARD_CHG_DATE from ZIDCARDS
For possible use by IT-developed card-swiping systems.
Probably obviated by adoption of OneCard.
1.3.6.1.4.1.14003.1.4.4
Essentially, the number of ID cards that have been issued to this person.
Directory String, single-valued.
01
smcEduIDCardIssueNum
ZIDCARD_ISSUE_NUM from ZIDCARDS
For possible use by IT-developed card-swiping systems.
Probably obviated by adoption of OneCard.
1.3.6.1.4.1.14003.1.4.5
Value of ZIDCARD_STATUS in table ZIDCARDS.
Directory String, single-valued.
A
I
smcEduIDCardStatus
ZIDCARD_STATUS from ZIDCARDS
For possible use by IT-developed card-swiping systems.
Probably obviated by adoption of OneCard.
1.3.6.1.4.1.14003.1.4.6
Data on the magnetic stripe on a person's ID card.
Directory String, single-valued.
70004689
smcEduIDCardMagStripe
ZIDCARD_MAGSTRIPE from ZIDCARDS
For possible use by IT-developed card-swiping systems.
This is the most important attribute in the smcEduPersonIDCard area. It would permit the development of card-swiping systems for IT (and elsewhere). Note that the stripe contents are exactly what a reader presents, so anyone who can read this attribute can encode a working copy of the card; limit read access to it as a password would be protected.
Probably obviated by adoption of OneCard.
1.3.6.1.4.1.14003.1.5.1
Controls visibility of a person's postalAddress attribute.
Integer, single-valued.
1 (show)
0 (hide)
smcEduShowPostalAddress
GORDPRF_DIRO_CODE (ADDR_CP or ADDR_OF) from GORDPRF
FERPA compliance, finer control than smcEduConfidentialityInd. Set by users via PRISM.
See sub getPrivacyPrefsByPIDM in addUserBannerSubs.pl.
It is currently up to the software consuming directory data to honor this attribute.
Don't know if a 3rd-party online phonebook product could be configured to honor this.
1.3.6.1.4.1.14003.1.5.2
Controls visibility of a student's telephoneNumber attribute.
Integer, single-valued.
1 (show)
0 (hide)
smcEduShowTelephone
GORDPRF_DIRO_CODE (TELE_CP) from GORDPRF
FERPA compliance, finer control than smcEduConfidentialityInd. Set by users via PRISM.
This only applies to students. Employees have no control over the display of telephoneNumber.
See sub getPrivacyPrefsByPIDM in addUserBannerSubs.pl.
It is currently up to the software consuming directory data to honor this attribute.
Don't know if a 3rd-party online phonebook product could be configured to honor this.
1.3.6.1.4.1.14003.1.5.3
Controls visibility of a person's homePostalAddress attribute.
Integer, single-valued.
1 (show)
0 (hide)
smcEduShowHomePostalAddress
GORDPRF_DIRO_CODE (ADDR_HO) from GORDPRF
FERPA compliance, finer control than smcEduConfidentialityInd. Set by users via PRISM.
See sub getPrivacyPrefsByPIDM in addUserBannerSubs.pl.
It is currently up to the software consuming directory data to honor this attribute.
Don't know if a 3rd-party online phonebook product could be configured to honor this.
1.3.6.1.4.1.14003.1.5.4
Controls visibility of a person's homePhone attribute.
Integer, single-valued.
1 (show)
0 (hide)
smcEduShowHomeTelephone
GORDPRF_DIRO_CODE (TELE_HO) from GORDPRF
FERPA compliance, finer control than smcEduConfidentialityInd. Set by users via PRISM.
See sub getPrivacyPrefsByPIDM in addUserBannerSubs.pl.
It is currently up to the software consuming directory data to honor this attribute.
Don't know if a 3rd-party online phonebook product could be configured to honor this.
1.3.6.1.4.1.14003.1.5.5
Controls visibility of a student's smcEduBuildingName attribute.
Integer, single-valued.
1 (show)
0 (hide)
smcEduShowBuildingName
GORDPRF_DIRO_CODE (ADDR_CP) from GORDPRF
FERPA compliance, finer control than smcEduConfidentialityInd. Set by users via PRISM.
This only applies to students. Employees have no control over the display of smcEduBuildingName.
See sub getPrivacyPrefsByPIDM in addUserBannerSubs.pl.
It is currently up to the software consuming directory data to honor this attribute.
Don't know if a 3rd-party online phonebook product could be configured to honor this.
1.3.6.1.4.1.14003.1.5.6
Controls visibility of a student's smcEduRoomNumber attribute.
Integer, single-valued.
1 (show)
0 (hide)
smcEduShowRoomNumber
GORDPRF_DIRO_CODE (ADDR_CP) from GORDPRF
FERPA compliance, finer control than smcEduConfidentialityInd. Set by users via PRISM.
This only applies to students. Employees have no control over the display of smcEduRoomNumber.
See sub getPrivacyPrefsByPIDM in addUserBannerSubs.pl.
It is currently up to the software consuming directory data to honor this attribute.
Don't know if a 3rd-party online phonebook product could be configured to honor this.
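Added example (not the Online PhoneBook's code, nor anything from addUserBannerSubs.pl) that applies the display rules stated for smcEduConfidentialityInd and the six smcEduShow* attributes to an entry before it is rendered: confidentiality indicator 1 hides homePostalAddress and homePhone whatever the flags say, each show flag hides its attribute when 0, and the telephone, building and room flags apply to students only. Assumptions made here: a person is a student when eduPersonPrimaryAffiliation is "Student", a missing flag hides the attribute (fail closed), and the always-shown fields (cn, displayName, mail) are illustrative. The two sample entries are constructed.

```python
"""Reduce a directory entry to what the phonebook may display (added example)."""

# attribute shown -> (flag that controls it, flag applies only to students)
SHOW_FLAGS = {
    "postalAddress":      ("smcEduShowPostalAddress",     False),
    "telephoneNumber":    ("smcEduShowTelephone",         True),
    "homePostalAddress":  ("smcEduShowHomePostalAddress", False),
    "homePhone":          ("smcEduShowHomeTelephone",     False),
    "smcEduBuildingName": ("smcEduShowBuildingName",      True),
    "smcEduRoomNumber":   ("smcEduShowRoomNumber",        True),
}
# Attributes that smcEduConfidentialityInd=1 hides regardless of the flags above.
CONFIDENTIAL_HIDES = {"homePostalAddress", "homePhone"}
# Assumed set of fields the phonebook always shows.
ALWAYS_SHOWN = ("cn", "displayName", "mail")


def _single(entry: dict, attr: str):
    values = entry.get(attr) or []
    return values[0] if values else None


def _flag(entry: dict, attr: str) -> bool:
    """Integer flag: '1' is true; '0', missing or anything else is false (fail closed)."""
    return str(_single(entry, attr) or "0").strip() == "1"


def is_student(entry: dict) -> bool:
    """Assumed role test: eduPersonPrimaryAffiliation equals 'Student'."""
    return (_single(entry, "eduPersonPrimaryAffiliation") or "").casefold() == "student"


def may_display(entry: dict, attr: str) -> bool:
    """Decide whether one attribute of this entry may be shown."""
    if attr in ALWAYS_SHOWN:
        return True
    if attr not in SHOW_FLAGS:
        return False                      # not a phonebook attribute at all
    if attr in CONFIDENTIAL_HIDES and _flag(entry, "smcEduConfidentialityInd"):
        return False                      # confidentiality indicator takes precedence
    flag, students_only = SHOW_FLAGS[attr]
    if students_only and not is_student(entry):
        return True                       # employees cannot suppress these
    return _flag(entry, flag)


def phonebook_view(entry: dict) -> dict:
    """Return only the attributes (with their values) the phonebook may show."""
    return {
        attr: entry[attr]
        for attr in (*ALWAYS_SHOWN, *SHOW_FLAGS)
        if attr in entry and may_display(entry, attr)
    }


# Constructed sample entries (not real people or numbers).
STUDENT = {
    "cn": ["jstudent"], "displayName": ["Jane Student"],
    "eduPersonPrimaryAffiliation": ["Student"],
    "telephoneNumber": ["574-555-0101"], "homePhone": ["574-555-0199"],
    "smcEduBuildingName": ["Holy Cross Hall"], "smcEduRoomNumber": ["145B"],
    "smcEduConfidentialityInd": ["1"],
    "smcEduShowTelephone": ["1"], "smcEduShowHomeTelephone": ["1"],
    "smcEduShowBuildingName": ["1"], "smcEduShowRoomNumber": ["0"],
}
EMPLOYEE = {
    "cn": ["jstaff"], "displayName": ["John Staff"],
    "eduPersonPrimaryAffiliation": ["Staff"],
    "telephoneNumber": ["574-555-0100"], "homePhone": ["574-555-0198"],
    "smcEduBuildingName": ["Haggar College Center"], "smcEduRoomNumber": ["75 F"],
    "smcEduShowTelephone": ["0"], "smcEduShowHomeTelephone": ["1"],
}

if __name__ == "__main__":
    print(phonebook_view(STUDENT))
    print(phonebook_view(EMPLOYEE))
```

Putting the decision in one function that every consumer calls is the practical answer to "it is up to the software consuming directory data to honor this attribute": the precedence rule lives in one place instead of being re-implemented (or forgotten) by each application.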
1.3.6.1.4.1.14003.1.6.1
Controls reception of messages on various managed mailing lists for accounts that would not otherwise be eligible via the defined LDAP filters for the lists.
Directory string.
fac-staff
faculty
staff
allsmc
class2007
class2008
class2009
class2010
class2011
classtr
holycross
lemans
mccandless
opus
regina
residents
offcampus
students
smcstudentlists
smcEduListMail
Used to allow mail reception (Listserv subscription keyword MAIL) for accounts not otherwise eligible for subscription via the LDAP filters that control the lists. This is useful for clubs, departments, and people of different roles (e.g. a staff member needing mail to the faculty list).
1.3.6.1.4.1.14003.1.6.2
Controls transmission privileges of messages on various managed mailing lists for accounts that would not otherwise be eligible via the defined LDAP filters for the lists.
Directory string.
fac-staff
faculty
staff
allsmc
class2007
class2008
class2009
class2010
class2011
classtr
holycross
lemans
mccandless
opus
regina
residents
offcampus
students
smcstudentlists
smcEduListMail
Used to allow posting (Listserv subscription keyword POST) for accounts not otherwise eligible for subscription via the LDAP filters that control the lists. This is useful for clubs, departments, and people of different roles (e.g. a staff member needing to post to the faculty list).
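Added example, not the college's Listserv or LDAP configuration, of how a list's base filter is widened by the override attribute for the MAIL (and, with the attribute name passed in, POST) keyword, and of evaluating the same rule locally. The faculty base rule (eduPersonPrimaryAffiliation=Faculty), the list names in the sample entries and the entries themselves are assumptions. The list name is escaped per RFC 4515 before it is spliced into the filter, because a name taken from a web form such as "faculty)(uid=*" would otherwise rewrite the filter; the page does not discuss this, it is a practitioner's check added here.

```python
"""Build and evaluate the eligibility rule for one managed list (added example)."""

# RFC 4515 escaping for assertion values; the backslash must be handled first.
_ESCAPES = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00"))


def escape_filter_value(value: str) -> str:
    """Escape a value that is going to be embedded in an LDAP search filter."""
    for ch, repl in _ESCAPES:
        value = value.replace(ch, repl)
    return value


def list_filter(list_name: str, base_filter: str, override_attr: str = "smcEduListMail") -> str:
    """Filter selecting everyone the base rule picks, plus explicit overrides.

    override_attr is smcEduListMail for the MAIL keyword; pass the POST
    attribute's name for posting privileges.
    """
    return f"(|{base_filter}({override_attr}={escape_filter_value(list_name)}))"


def is_eligible(entry: dict, list_name: str, base_rule, override_attr: str = "smcEduListMail") -> bool:
    """The same decision evaluated over a dict-shaped entry without a directory server."""
    overrides = entry.get(override_attr) or []
    return bool(base_rule(entry)) or any(v.casefold() == list_name.casefold() for v in overrides)


def faculty_rule(entry: dict) -> bool:
    """Assumed base rule for the 'faculty' list."""
    return any(v.casefold() == "faculty" for v in entry.get("eduPersonPrimaryAffiliation") or [])


FACULTY_BASE_FILTER = "(eduPersonPrimaryAffiliation=Faculty)"   # assumed

# Constructed sample entries.
PROFESSOR = {"uid": ["prof"], "eduPersonPrimaryAffiliation": ["Faculty"]}
DEPT_ADMIN = {"uid": ["admin"], "eduPersonPrimaryAffiliation": ["Staff"],
              "smcEduListMail": ["faculty", "fac-staff"]}
STUDENT = {"uid": ["stu"], "eduPersonPrimaryAffiliation": ["Student"],
           "smcEduListMail": ["class2011"]}

if __name__ == "__main__":
    print(list_filter("faculty", FACULTY_BASE_FILTER))
    for who in (PROFESSOR, DEPT_ADMIN, STUDENT):
        print(who["uid"][0], is_eligible(who, "faculty", faculty_rule))
```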