Chapter 3 Messaging Server and Calendar Server Attributes

This chapter describes attributes required or allowed by LDAP object classes for Calendar Server and Messaging Server. The attributes are listed alphabetically.

Note – Objects and attributes used exclusively by Access Manager are covered in Chapter 4, Access Manager Classes and Attributes. Objects and attributes used exclusively by iPlanet Delegated Administrator for Messaging are covered in Chapter 6, iPlanet Delegated Administrator Classes and Attributes (Schema 1). Objects and attributes used by Communications Express are covered in Chapter 7, Communications Express Classes and Attributes.

This chapter describes the following attributes:

aclGroupAddr
Origin: Messaging Server 6.0, Calendar Server 6
Syntax: cis
Object Classes:
Definition: Adds a user to a dynamic group specified as an identifier in an ACL entry. Members of the group share the particular access rights defined in the ACL entry. The group is represented by a dynamic mailing list with a filter on the aclGroupAddr attribute.
Example: aclGroupAddr: lee-staff@siroe.com
OID: 1.3.6.1.4.1.42.2.27.9.1.686

adminRole
Origin: Messaging Server 5.0
Syntax: cis
Object Classes:
Definition: Specifies the administrator role for this administrator entry.
Example: None provided.
OID: 2.16.840.1.113730.3.1.601

aliasedObjectName
Origin: Messaging Server 5.0
Syntax: dn
Object Classes:
Definition: Used only in Schema 1 or in Schema 2 compatibility mode (with a DC Tree), not in Schema 2 native mode (no DC Tree). Used by the Messaging Server to identify alias entries in the directory. Contains the distinguished name of the entry for which it is an alias. The domain attribute values are taken only from the referenced domain, so that routing is identical between these domains.
Example: aliasedObjectName: cn=jdoe,o=sesta.com
OID: 2.5.4.1

businessCategory
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes: groupOfUniqueNames, organization, organizationalUnit
Definition: Identifies the type of business in which the entry is engaged. This should be a broad generalization such as is made at the corporate division level.
Example: businessCategory:Engineering
OID: 2.5.4.15

calCalURI
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Contains URI to user’s entire default calendar. For details see RFC 2739.
Example: Varies according to the version of calendar server implemented. For details see RFC 2739.
OID: 1.2.840.113556.1.4.478

calFBURL
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: URL to the user’s default busy time data. For details see RFC 2739.
Example: Varies according to the version of calendar server implemented. For details see RFC 2739.
OID: 1.2.840.113556.1.4.479

cn
Origin: Calendar Server
Syntax: cis, single-valued
Object Classes: icsCalendarResource, icsCalendarUser, inetResource
Definition: For users, full name of person. For resources, a unique identifier. In either case, it may contain spaces and special characters. Abbreviation for commonName.
Example: For a user: cn: John Doe. For a resource: cn: Conference Room #3
or
commonName: John Doe
commonName: Conference Room #3
OID: 2.5.4.3

co
Origin: LDAP
Syntax: cis
Object Classes:
Definition: Contains the name of a country, using a two character code. Abbreviation for countryName. The attribute friendlyCountryName is used to spell out the actual country name.
Example:
co:IE
or
countryName:IE
friendlyCountryName:Ireland
OID: 2.5.4.4

commonName (see cn)
Spells out the name of the attribute, but is the same as cn.

countryName (see co)
Spells out the name of the attribute, but is the same as co.

dataSource
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Text field to store a tag or identifier. Value has no operational impact.
Example: dataSource:1.0
OID: 2.16.840.1.113730.3.1.779

dateOfBirth
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Date of birth of the pabPerson. Format is: YYYYMMDD.
Example: dateOfBirth: 19740404 (date of birth on April 6, 1974.)
OID: 2.16.840.1.113730.3.1.779

dc
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: The domain component of the domain alias entry.
Example: dc=sesta
For example, a domain alias entry DN might be: dn: dc=sesta, dc=fr, o=internet.
OID: 0.9.2342.19200300.100.1.25

description
Origin: LDAP
Syntax: cis, multi-valued
Object Classes: icsCalendarDWPHost, icsCalendarResource, groupOfUniqueNames, inetOrgPerson, organization, organizationalUnit, pab, pabGroup, sunServiceComponent
Definition: Provides a human readable description of the object. For people and organizations, this often includes their role or work assignment.
Example: description: Quality control inspector.
OID: 2.5.4.13

domainUidSeparator
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: This attribute is used only for LDAP Schema 1. This attribute is used by the messaging server to override the default mailbox (MB) home. When present, this attribute specifies that compound user identifications (UIDs) are used in this domain and this attribute specifies the separator. For instance, if + is the separator, the mailbox names in this domain are obtained by replacing the rightmost occurrence of + in the uid with @. To map an internal mailbox name to the UID, the rightmost occurrence of @ is replaced with a + in the mailbox name. While substitution of an @ for the UID separator is sufficient to generate a mailbox name, this may not be the same as any of the user’s actual email addresses.
Note – Format of internal mailbox names is uid@domain, where “domain” is DNS domain mapping to the namespace. The only exception to this rule is mailbox names for users in default domain where only the uid is used to construct internal mailbox names.
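
The mapping between a compound uid and an internal mailbox name, as an added example that is not Messaging Server code. The single-character requirement and the rejection of separators that can occur in DNS names are assumptions made here for hygiene, and the sample uids are constructed.

```python
# Added example (not Messaging Server code): the uid <-> internal mailbox name
# mapping described for domainUidSeparator, with checks for inputs that cannot
# be mapped back to the same uid. Sample uids are constructed.

# Characters that may occur in a DNS domain name. Using one of them as the
# separator would split the domain part itself (assumption made for hygiene).
DNS_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


def check_separator(separator):
    """Reject separators that make the mapping ambiguous."""
    if len(separator) != 1:
        raise ValueError("separator must be a single character (assumption)")
    if separator == "@" or separator.lower() in DNS_CHARS:
        raise ValueError("separator %r can occur in an address or domain" % separator)


def uid_to_mailbox(uid, separator):
    """Replace the rightmost separator in a compound uid with '@'."""
    check_separator(separator)
    user, found, domain = uid.rpartition(separator)
    if not found:
        raise ValueError("uid %r is not compound: no %r in it" % (uid, separator))
    if not user or not domain:
        raise ValueError("uid %r has an empty user or domain part" % uid)
    if "@" in domain:
        # The reverse mapping replaces the rightmost '@', so an '@' after the
        # separator would map back to a different uid.
        raise ValueError("uid %r cannot be mapped back: '@' follows separator" % uid)
    return user + "@" + domain


def mailbox_to_uid(mailbox, separator):
    """Replace the rightmost '@' in an internal mailbox name with the separator."""
    check_separator(separator)
    user, found, domain = mailbox.rpartition("@")
    if not found:
        # Default domain: the mailbox name is the bare uid.
        return mailbox
    return user + separator + domain


def can_map(uid, separator):
    """True when the uid maps to a mailbox name and back to the same uid."""
    try:
        return mailbox_to_uid(uid_to_mailbox(uid, separator), separator) == uid
    except ValueError:
        return False


if __name__ == "__main__":
    for sample_uid, sep in [("jdoe+sesta.com", "+"), ("j+doe+sesta.com", "+"),
                            ("jdoe+ses@ta.com", "+"), ("jdoe.sesta.com", ".")]:
        print(sample_uid, sep, can_map(sample_uid, sep))
```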
See inetCanonicalDomainName on how the default value of domain name used can be overridden in specific cases.
The MTA option used to override this attribute’s value is LDAP_DOMAIN_ATTR_UID_SEPARATOR.
Example: domainUIDSeparator: #
OID: 2.16.840.1.113730.3.1.702

domOrgMaxUsers
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: This attribute is used only for LDAP Schema 1. Maximum number of user entries in a domain organization.
Example: domOrgMaxUsers: 500
OID: 2.16.840.1.113730.3.1.697

domOrgNumUsers
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Number of current user entries in a domain organization.
Example: domOrgNumUsers: 345
OID: 2.16.840.1.113730.3.1.698

facsimileTelephoneNumber
Origin: Calendar Server
Syntax: tel, single-valued
Object Classes: icsCalendarResource, inetResource, organization, organizationalUnit
Definition: Fax telephone number for resources.
Example: facsimileTelephoneNumber: 1-800-555-1212
OID: 2.5.4.23

givenName
Origin: LDAP
Syntax: cis
Object Classes:
Definition: Identifies the entry’s given name, usually a person’s first name.
Example: givenName: John
OID: 2.5.4.42

groupid
Origin: Calendar Server 6
Syntax: cis, single-valued
Object Classes:
Definition: Identifies the unique name used to create the group calendar. The groupid must be unique among all uid and groupid attributes in its relative namespace. All valid Calendar group entries must have a groupid attribute.
Example: groupid:calendar1
OID: 1.3.6.1.4.1.42.2.27.9.1.784

icsAdminRole
Origin: Calendar Server
Syntax: cis
Object Classes:
Definition: Administrative calendar role that can be assigned to a group.
Example: No example given.
OID: 2.16.840.1.113730.3.1.724

icsAlias
Origin: Calendar Server
Syntax: cis, UTF 8 encoded
Object Classes:
Definition: Alias associated with a resource. An alias can make a resource name easier for the end user to work with.
Example: The resource named “halleyscomet” can be aliased as “Halley’s Comet”.
icsAlias: Halley’s Comet
OID: 2.16.840.1.113730.3.1.725

icsAllowedServiceAccess
Origin: Calendar Server 6.0
Syntax: cis, single-valued
Object Classes: icsCalendarDomain, icsCalendarUser
Definition: This attribute is used only if the icsStatus attribute is not set; if icsStatus is set, this attribute is ignored. Use this attribute to disallow calendar services to a user. By default all users are allowed access with http, but if you specify this attribute as shown in the example, it disallows the user from receiving calendar access (user is disabled). Any other setting, or absence of the attribute entirely, results in the user having access to http services (user is enabled).
Example: icsAllowedServiceAccess:http
OID: 2.16.840.1.113730.3.1.726

icsAllowRights
Origin: Calendar Server
Syntax: integer, single-valued
Object Classes:
Definition: A numeric string used to hold bit fields, each corresponding to a set of rights. Each bit corresponds to a setting in the ics.conf file. After you have figured out the bit string settings you want, convert the bits to an integer. If the property is set (1), the right is allowed. If the bit is not set (0), the right is not allowed. If this attribute does not exist, the corresponding ics.conf default settings are used. icsAllowRights defines the meaning of each bit position for bits 0-15:
Table 3–1 Bit Definitions and ics.conf Settings
Example: If you decide that you want to disallow the following bits:
then your bit pattern would look like this: “00000000000000000000101000000100”, which you would convert into the integer 2564 so that:
icsAllowRights: 2564
OID: 2.16.840.1.113730.3.1.727

icsAnonymousAllowWrite
Origin: Calendar Server
Syntax: boolean (yes, no)
Object Classes:
Definition: Specifies if anonymous users can write events in public calendars. The value comes from the ics.conf setting service.wcap.anonymousallowpubliccalendarwrite.
Example: icsAnonymousAllowWrite: yes
OID: 2.16.840.1.113730.3.1.728

icsAnonymousCalendar
Origin: Calendar Server
Syntax: ces
Object Classes:
Definition: Calendar ID for anonymous users. The value is taken from the ics.conf setting calstore.anonymous.calid.
Example: icsAnonymousCalendar: guest1
OID: 2.16.840.1.113730.3.1.729

icsAnonymousDefaultSet
Origin: Not implemented.
Syntax: ces, UTF 8 encoded
Object Classes:
Definition: Default calendar set for anonymous users.
Example: No example given.
OID: 2.16.840.1.113730.3.1.730

icsAnonymousLogin
Origin: Calendar Server
Syntax: boolean (yes, no)
Object Classes:
Definition: Specifies if anonymous login is allowed. Value is taken from the ics.conf file setting service.http.allowanonymousLogin.
Example: icsAnonymousLogin: yes
OID: 2.16.840.1.113730.3.1.798

icsAnonymousSet
Origin: Not implemented.
Syntax: ces, UTF 8 encoded
Object Classes:
Definition: Reserved. Not implemented. Default calendar set for anonymous users.
Example: No example given.
OID: 2.16.840.1.113730.3.1.732

icsAutoaccept
Origin: Calendar Server 6
Syntax: cis, single-valued
Object Classes: icsCalendarGroup, icsCalendarResource
Definition: When a group receives an invitation, this attribute indicates whether the invitation is marked automatically as accepted. When enabled, the attribute causes the scheduled event to be marked as busy on the group calendar without any member taking any action. For a Calendar resource, this attribute allows the resource to accept invitations automatically.
The icsAutoaccept attribute can have a value of 1, which allows automatic acceptance of invitations, or 0, which prohibits automatic acceptance. For a group calendar, the default value is 0 (prohibit automatic acceptance of events). For a Calendar resource, the default value is 1 (allow automatic acceptance of events).
Example:
icsAutoaccept:0
icsAutoaccept:1
OID: 1.3.6.1.4.1.42.2.27.9.1.788

icsCalendar
Origin: Calendar Server
Syntax: ces, single-valued
Object Classes: icsCalendarResource, icsCalendarGroup, icsCalendarUser
Definition: The calendar ID (calid) of the default calendar for a user, group, or resource. Required attribute. It is a policy of Calendar Server to construct calids based on the user's uid or the group's groupid, since it is guaranteed to be unique.
Example: icsCalendar: jdoe
OID: 2.16.840.1.113730.3.1.731

icsCalendarOwned
Origin: Calendar Server
Syntax: ces, multi-valued
Object Classes:
Definition: Calendars owned by this user. At least one instance of this attribute must exist for each user and must be set with the user's default calendar value. Multiple instances of this attribute can be used to specify other calendars the user owns.
Example:
icsCalendarOwned:jdoe@sesta.com:Project
icsCalendarOwned:jdoe@sesta.com:icsCalendarOwned
icsCalendarOwned:jdoe@sesta.com:BaseballSchedule
icsCalendarOwned:jdoe@sesta.com:Holidays
OID: 1.3.6.1.4.1.42.2.27.9.1.6

icsCapacity
Origin: Not implemented.
Syntax: integer, single-valued
Object Classes: Not currently defined.
Definition: Reserved, not implemented.
Example: No example given.
OID: 2.16.840.1.113730.3.1.800

icsContact
Origin: Not implemented.
Syntax: cis, UTF 8 encoded
Object Classes:
Definition: Reserved, not implemented. Resource contact name.
Example: icsContact: John Doe jdoe@sesta.com
OID: 2.16.840.1.113730.3.1.733

icsDefaultAccess
Origin: Calendar Server
Syntax: cis, single-valued
Object Classes:
Definition: Default access control string applied to the user’s default calendar.
For more information about access control, see “Access Control Entries” in the Sun Java System Calendar Server Programmer’s Manual. If this attribute is not present, the value is taken from the ics.conf file setting calstore.calendar.default.acl.
Example: Granting the user both free-busy and scheduling permission for calendar components.
icsDefaultAccess:@sesta.com^c^sf^g
OID: 2.16.840.1.113730.3.1.734

icsDefaultacl
Origin: Calendar Server 6
Syntax: cis, single-valued
Object Classes: icsCalendarGroup, icsCalendarResource
Definition: Default access control string (ACL) applied to a group calendar or calendar resource. For more information about access control, see “Access Control Entries” in the Sun Java System Calendar Server Developer’s Guide. If this attribute is not present, the value is taken from the ics.conf file settings group.default.acl for groups or resource.default.acl for resources.
Example: Granting the group calendar both free-busy and scheduling permission for calendar components.
icsDefaultacl:@sesta.com^c^sf^g
OID: 1.3.6.1.4.1.42.2.27.9.1.786

icsDefaultSet
Origin: Calendar Server
Syntax: ces, single-valued
Object Classes:
Definition: User preference for what calendars to display at login. Users can specify any of their calendar sets (groups they have created) to be displayed at login instead of a single calendar.
Example: icsDefaultSet: MyCalendarGroup
OID: 2.16.840.1.113730.3.1.735

icsDomainAllowed
Origin: Not implemented.
Syntax: cis, single-valued (see mgrpAllowedDomain)
Object Classes:
Definition: What domains are allowed. The value has the following format:
service-list:client-list
where service-list is a blank- or comma-separated list of one or more service names or wild cards, and client-list is a blank- or comma-separated list of one or more host names or addresses, patterns or wild cards. The following are the explicit wild cards recognized by the system:
There is one operator that can be used in the service-list and the client-list:
You can use patterns to distinguish clients by the network address that they can connect to. For example: service@host_pattern:client-list. The default value comes from service.http.domainallowed in the ics.conf file.
Example: Allow local access to anyone in the sesta.com domain.
icsDomainAllowed: ALL:sesta.com
OID: 2.16.840.1.113730.3.1.736

icsDomainNames
Origin: Calendar Server
Syntax: cis, multi-valued, ASCII
Object Classes:
Definition: For cross-domain searching, each external domain to be searched must be listed using this attribute.
Example:
icsDomainNames: sesta.com
icsDomainNames: siroe.com
OID: 1.3.6.1.4.1.42.2.27.9.1.3

icsDomainNotAllowed
Origin: Calendar Server
Syntax: cis, single-valued (see mgrpDisallowedDomain)
Object Classes:
Definition: What domains are not allowed. The value has the following format:
service-list:client-list
where service-list is a blank- or comma-separated list of one or more service names or wild cards, and client-list is a blank- or comma-separated list of one or more host names or addresses, patterns or wild cards. The following are the explicit wild cards recognized by the system:
There is one operator that can be used in the service-list and the client-list:
The value comes from ics.conf setting service.http.domainnotallowed.
Example 1: If you want to allow access to all but a selected few hosts, you can explicitly deny access as in the following example: Deny access to anyone at the company22.com domain.
icsDomainNotAllowed: ALL:company22.com
In this instance, you would not need to have any specific icsDomainAllowed attributes.
Example 2: If you want to implement a no-access default, a single instance of this attribute will do it. This denies all service to all hosts, unless they are specifically permitted access by icsDomainAllowed attributes.
icsDomainNotAllowed: ALL:ALL
Example 3: The following example shows how to deny access to any unknown users.
icsDomainNotAllowed: ALL:UNKNOWN@ALL
OID: 2.16.840.1.113730.3.1.737

icsDoublebooking
Origin: Calendar Server 6
Syntax: cis, single-valued
Object Classes: icsCalendarGroup, icsCalendarResource
Definition: Indicates whether a group allows double-booking of events in the group's calendar. When enabled, double-booking allows two events to be scheduled and displayed on the calendar at the same time. For a Calendar resource, this attribute allows the resource to be booked for two events at the same time. The icsDoublebooking attribute can have a value of 1, which allows double-booking, or 0, which prohibits double-booking. For a group calendar, the default value is 1 (allow double-booking). For a Calendar resource, the default value is 0 (prohibit double-booking).
Example:
icsDoublebooking:1
icsDoublebooking:0
OID: 1.3.6.1.4.1.42.2.27.9.1.787

icsDWPBackEndHosts
Origin: Calendar Server 5.1.1
Syntax: cis, multi-valued
Object Classes:
Definition: The list of all possible back end hosts used for calendars found in this domain. This attribute is required if the calendar installation is using the Database Wire Protocol (DWP).
Example:
icsDWPBackEndHosts: machine1
icsDWPBackEndHosts: machine2
OID: 1.3.6.1.4.1.42.2.27.9.1.5

icsDWPHost
Origin: Calendar Server.1
Syntax: cis, single-valued, ASCII
Object Classes: icsCalendarDWPHost, icsCalendarGroup, icsCalendarResource, icsCalendarUser
Definition: Stores a DWP host name so that the calendar ID can be resolved to the Database Wire Protocol (DWP) server that stores the calendar and its data. When the calendar database is distributed across several back end servers, the attribute value is the DNS name of the back-end server hosting the user, group, or resource. Each user’s, group's, or resource's entire calendar will be on a single back-end server. Required if using the Calendar Lookup Database (CLD). This attribute is required if the Calendar installation is using DWP to distribute calendar data across back end calendar data servers. If DWP is not being used, every user’s calendar will be found on the same host as the calendar server. If an installation initially does not use DWP, but later switches to it, the calendar server will fill in this value based on the default DWP host name found in the domain entry. If there is no value or such entry (calendar server is not in hosted domain mode) then the value will be picked up from the ics.conf configuration file.
Example: icsDWPHost:calserv1
OID: 1.3.6.1.4.1.42.2.27.9.1.1

icsExtended
Origin: Calendar Server 5.1.1
Syntax: cis, multi-valued
Object Classes:
Definition: Extensions for calendar. Reserved.
Example: No example given.
OID: 2.16.840.1.113730.3.1.738

icsExtendedDomainPrefs
Origin: Calendar Server
Syntax: cis, multi-valued
Object Classes:
Definition: Preferences for calendar domains can be set using the properties found in icsExtendedDomainPrefs. Each attribute value is a property-value pair. The format is
icsExtendedDomainPrefs:property=value
The icsExtendedDomainPrefs attribute is multi-valued, but each attribute:property pair can be used only once. For example, use icsExtendedDomainPrefs:domainAccess=value only once.
The default settings for these properties are found in the domain server’s ics.conf file. In the absence of this attribute, the ics.conf settings will be used.
Table 3–2 Domain Preferences
Example:
icsExtendedDomainPrefs: createLowerCase=yes
icsExtendedDomainPrefs: domainAccess=@@d^a^slfrwd^g;anonymous^a^r^g;@^a^s^g
In this example, any external domain matching the access rights shown above can search this domain.
OID: 2.16.840.1.113730.3.1.739

icsExtendedGroupPrefs
Origin: Calendar Server
Syntax: cis
Object Classes:
Definition: Extensions for calendar group preferences. Reserved.
Example: No example given.
OID: 2.16.840.1.113730.3.1.740

icsExtendedResourcePrefs
Origin: Not implemented.
Syntax: cis
Object Classes: Not yet assigned.
Definition: Reserved, not implemented.
Example: No example given.
OID: 2.16.840.1.113730.3.1.741

icsExtendedUserPrefs
Origin: Calendar Server
Syntax: cis, multi-valued
Object Classes:
Definition: Extensions for calendar user preferences. The attribute value is a property-value pair. The following are the properties and their values:
Table 3–3 Extended User Preferences
Note – Regarding ceToolImage and ceToolText: the user interface only allows three possibilities for the toolbar: icons and text (attributes values 1, 1), icons only (attributes values 1, 0), and text only (attributes values 0, 1). It does not allow the user to turn off both icons and text (attributes values 0, 0).
Example:
icsextendeduserprefs: ceClock=12
icsextendeduserprefs: ceColorSet=pref_group_1
icsextendeduserprefs: ceDateOrder=D/M/Y
icsextendeduserprefs: ceDateSeparator=/
icsextendeduserprefs: ceDayHead=10
icsextendeduserprefs: ceDayTail=17
icsextendeduserprefs: ceDefaultAlarmEmail=jdoe@sesta.com
icsextendeduserprefs: ceDefaultAlarmStart=P30H
icsextendeduserprefs: ceDefaultTZID=America/New_York
icsextendeduserprefs: ceDefaultView=groupview
icsextendeduserprefs: ceFontFace=PrimaSans BT,Verdana,sans-serif
icsextendeduserprefs: ceFontSizeDelta=pref_font_size_group_3
icsextendeduserprefs: ceInterval=PT2H0M
icsextendeduserprefs: ceNotifyEmail=jdoe@sesta.com
icsextendeduserprefs: ceNotifyEnable=0
icsextendeduserprefs: ceSingleCalendarTZID=America/Los_Angeles
icsextendeduserprefs: ceToolText=1
icsextendeduserprefs: ceToolImage=1
OID: 2.16.840.1.113730.3.1.742

icsFirstDay
Origin: Calendar Server
Syntax: cis, single-valued
Object Classes:
Definition: First day of the week to be displayed on user’s calendar. Range of values: 1–7, with the values assigned as follows:
1 = Sunday
2 = Monday
3 = Tuesday
4 = Wednesday
5 = Thursday
6 = Friday
7 = Saturday
Example: icsFirstDay: 1
OID: 2.16.840.1.113730.3.1.743

icsFreeBusy
Origin: Not implemented.
Syntax: ces, single-valued
Object Classes: Not yet assigned.
Definition: Reserved, not implemented.
Example: No example given.
OID: 2.16.840.1.113730.3.1.744

icsGeo
Origin: Not implemented.
Syntax: cis single-valued Latitude; longitude
Object Classes: Not yet identified.
Definition: Reserved, not implemented. Geographical location of user or resource.
Example: This class exists only for compliance with the RFC spec and is not used.
OID: 2.16.840.1.113730.3.1.745

icsMandatorySubscribed
Origin: Calendar Server
Syntax: ces
Object Classes:
Definition: The valid calendar IDs for mandatory subscribed calendars for all users in a domain.
Example: icsMandatorySubscribed: ConfRm1@sesta.com:meetings
OID: 2.16.840.1.113730.3.1.746

icsMandatoryView
Origin: Calendar Server
Syntax: cis
Object Classes:
Definition: The mandatory default view for all calendars in a domain. Views are: overview, day, week, month, year, comparison.
Example: icsMandatoryView: overview
OID: 2.16.840.1.113730.3.1.747

icsPartition
Origin: Not implemented.
Syntax: cis, single-valued, ASCII
Object Classes: icsCalendarResource, icsCalendarUser
Definition: Reserved, not implemented. The name of the partition that holds a calendar database. There is no default value.
Example: icsPartition: partition1
OID: 1.3.6.1.4.1.42.2.27.9.1.4

icsPreferredHost
Origin: Not implemented.
Syntax: cis, single-valued
Object Classes: Not yet defined.
Definition: Reserved, not implemented. Specifies the preferred host for this calendar. This attribute is used by clients to retrieve the front-end-host server name.
Example: No example given.
OID: 2.16.840.1.113730.3.1.749

icsQuota
Origin: Not implemented.
Syntax: integer, single-valued
Object Classes: Not yet specified.
Definition: Reserved, not implemented.
Example: No example given.
OID: 2.16.840.1.113730.3.1.748

icsRecurrenceBound
Origin: Calendar Server
Syntax: integer, single-valued
Object Classes:
Definition: Maximum number of instances created for events and todos with infinite recurrence. The value is taken from the ics.conf setting calstore.recurrence.bound.
Example: icsRecurrenceBound: 60
OID: 2.16.840.1.113730.3.1.750

icsRecurrenceDate
Origin: Calendar Server
Syntax: cis, single-valued
Object Classes:
Definition: An ISO 8601 date/time string specifying the maximum date for events and todos with infinite recurrence.
Example: icsRecurrenceDate: 20300365T115959Z
OID: 2.16.840.1.113730.3.1.751

icsRegularExpressions
Origin: Calendar Server.1
Syntax: ces, multi-valued, UTF 8
Object Classes:
Definition: Stores regular expressions used to divide the LDAP database between servers.
Example: icsRegularExpressions: A–F,G–L,M–T,U–Z
A–F, G–L, M–T, U–Z are possible values for instances of this attribute and describe a database divided alphabetically between four servers.
OID: 1.3.6.1.4.1.42.2.27.9.1.2

icsSecondaryowners
Origin: Calendar Server 6
Syntax: dn, multivalued
Object Classes: icsCalendarGroup, icsCalendarResource
Definition: Identifies the distinguished names (DNs) of co-owners of a group Calendar or Calendar resource. Like the primary owner, the users identified with icsSecondaryowners have administrative privileges over the Calendar group or Calendar resource entry. The co-owners must be Calendar users in the same domain as the group or resource. That is, Calendar service must be assigned to the co-owners as well as to the Calendar group or resource.
Example: icsSecondaryowners:cn=John Smith,o=Sesta,c=US
OID: 1.3.6.1.4.1.42.2.27.9.1.785

icsSessionTimeout
Origin: Calendar Server
Syntax: integer, single-valued
Object Classes:
Definition: Number of seconds of inactivity before a user session is timed out. Read from ics.conf setting service.http.idletimeout.
Example: icsSessionTimeout: 600
OID: 2.16.840.1.113730.3.1.752

icsSet
Origin: Calendar Server
Syntax: cis, multi-valued
Object Classes: icsAnonymousSet, icsCalendarUser, icsDefaultAnonymousSet
Definition: Defines one group of calendars. End users create these groups for various tasks. Each group is represented by one icsSet attribute, that is, for every group the user creates there will be one icsSet attribute. For example, if the user has three groups defined, there will be three icsSet attributes. The value for this attribute is a six-part string, with each part separated by a dollar sign ($).
The following table shows the six parts of this attribute’s value:
Table 3–4 Six Parts of the Attribute Value
Example: The value of this attribute should all be on one line or, if you wish to break a line, start the next line with a single space or tab.
icsSet: name=GroupName$calendars=calid1;calid2;calid3$
 tzmode=specify$tz=America/Los_Angeles$mergeInDayView=FALSE$
 description=Example group of calendars.
OID: 2.16.840.1.113730.3.1.753

icsSourceHtml
Origin: Calendar Server
Syntax: ces, single-valued
Object Classes:
Definition: The alternate location of all client HTML files. A directory path that is relative to the installed client HTML files. The default value comes from the ics.conf setting service.http.uidir.path. icsSourceHtml lists the values for this attribute.
Table 3–5 Alternate Locations for Client HTML files.
Example: icsSourceHtml: calHostname=calhost1
OID: 2.16.840.1.113730.3.1.754

icsStatus
Origin: Calendar Server
Syntax: cis, single-valued
Object Classes: icsCalendarDomain, icsCalendarDWPHost, icsCalendarGroup, icsCalendarResource, icsCalendarUser
Definition: If this attribute is used with icsCalendarDomain, the attribute must be set when assigning calendar services to a domain. The attribute describes the status of this domain’s calendar service with one of the values specified in icsStatus.
If the attribute is set for a user (icsCalendarUser), group (icsCalendarGroup), or resource (icsCalendarResource), the value of icsStatus affects the availability of the calendar for that individual entry. See Table 3–6, below, for definitions of the attribute's values.
If this attribute is not set, the icsAllowedServiceAccess attribute is checked. If present and the value of that attribute is http, then calendar services are disabled for the user or group (the user or group status is inactive). If icsAllowedServiceAccess has any other value, or if both attributes are missing, then the default user or group status is active.
Calendar services evaluate the following status attributes in order: inetDomainStatus, icsStatus (for icsCalendarDomain), either inetResourceStatus or inetUserStatus, and icsStatus (for icsCalendarResource, icsCalendarUser, or icsCalendarGroup). The rule is: the first of these attributes that is set to something other than active takes precedence over all the others.
When this attribute is set for a domain, the following status values apply to all users, groups, and resources in the domain. When this attribute is set for a user, group, or resource, the following status values apply only to that individual entry.
Table 3–6 Calendar Status Values
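
The evaluation order and the icsAllowedServiceAccess fallback described above, as an added example that is not Calendar Server code. Entries are modelled as plain dictionaries of attribute name to value list, the fallback is applied only to the user, group or resource entry (an assumption), and all sample entries are constructed.

```python
# Added example (not Calendar Server code): resolve the effective calendar
# status of an entry from the precedence rules in the icsStatus definition.
# Entries are dicts of attribute -> list of values, as an LDAP client would
# return them; all sample entries below are constructed.

ACTIVE = "active"


def first_value(entry, attr):
    """First value of an attribute, matched case-insensitively (syntax cis)."""
    for name, values in entry.items():
        if name.lower() == attr.lower() and values:
            return values[0].strip().lower()
    return None


def entry_status(entry):
    """Status of a user, group or resource entry, with the documented fallback."""
    status = first_value(entry, "icsStatus")
    if status is not None:
        # icsStatus is set, so icsAllowedServiceAccess is ignored.
        return status, "icsStatus"
    if first_value(entry, "icsAllowedServiceAccess") == "http":
        # Documented behaviour: the value http disables calendar access.
        return "inactive", "icsAllowedServiceAccess"
    return ACTIVE, "default"


def effective_status(domain, entry):
    """Return (status, deciding attribute) using the documented order."""
    ordered = [
        ("inetDomainStatus", first_value(domain, "inetDomainStatus")),
        ("icsStatus (domain)", first_value(domain, "icsStatus")),
        ("inetUserStatus", first_value(entry, "inetUserStatus")),
        ("inetResourceStatus", first_value(entry, "inetResourceStatus")),
    ]
    for source, value in ordered:
        if value is not None and value != ACTIVE:
            return value, source  # first non-active value wins
    return entry_status(entry)


def ignored_attributes(entry):
    """Flag settings that are present in the entry but have no effect."""
    notes = []
    if (first_value(entry, "icsStatus") is not None
            and first_value(entry, "icsAllowedServiceAccess") is not None):
        notes.append("icsAllowedServiceAccess is ignored because icsStatus is set")
    return notes


# Constructed sample data.
DOMAIN_OK = {"inetDomainStatus": ["active"], "icsStatus": ["active"]}
DOMAIN_OFF = {"inetDomainStatus": ["inactive"], "icsStatus": ["active"]}
JDOE = {"uid": ["jdoe"], "inetUserStatus": ["active"],
        "icsAllowedServiceAccess": ["http"]}
JSMITH = {"uid": ["jsmith"], "icsStatus": ["Active"],
          "icsAllowedServiceAccess": ["http"]}
ROOM = {"cn": ["Conference Room #3"], "inetResourceStatus": ["inactive"],
        "icsStatus": ["active"]}

if __name__ == "__main__":
    for label, entry in [("jdoe", JDOE), ("jsmith", JSMITH), ("room", ROOM)]:
        print(label, effective_status(DOMAIN_OK, entry), ignored_attributes(entry))
```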
Example: icsStatus: active
OID: 2.16.840.1.113730.3.1.755

icsSubscribed
Origin: Calendar Server
Syntax: ces, multi-valued
Object Classes:
Definition: List of calendars to which this user is subscribed. This includes all the calendars that the user owns, as well as any calendars owned by others to which the owner subscribes. The value of this attribute is the calendar ID and optionally, the calendar name, with a dollar sign ($) between them, when present.
Example:
icsSubscribed: jdoe$MyHomeCalendar
icsSubscribed: jsmith
OID: 2.16.840.1.113730.3.1.756

icsTimezone
Origin: Calendar Server
Syntax: cis
Object Classes: icsCalendarResource, icsCalendarGroup, icsCalendarUser
Definition: The default time zone for this user, group, or resource calendar. Specifically, a valid time zone from the list found in Standard Time Zones. The value is taken from the ics.conf setting calstore.default.timezoneID. For a user, a time zone can be assigned explicitly through the user preferences attribute (see icsExtendedUserPrefs), which overrides the domain-level default.
Example: icsTimezone: America/Chicago
OID: 2.16.840.1.113730.3.1.757

inetCanonicalDomainName
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: For Messaging Server, this attribute specifies the canonical domain name used to map a user entry to the correct organization entry when more than one organization entry exists. The mail processes use information stored in the organization entry to locate a user's mailbox in the message store. If a user has multiple identities in different domains (associated with the different organization entries), the mail processes need to determine which organization entry to use to find the correct mailbox. The inetCanonicalDomainName attribute points to this canonical organization. If inetCanonicalDomainName were not used, a user with multiple user IDs (in multiple domains) would have a different mailbox for each domain.
Typically, the value of inetCanonicalDomainName is a fully qualified domain name, although this is not an absolute requirement. The inetCanonicalDomainName attribute is used in LDAP Schema 2 and LDAP Schema 1. For an explanation of Schema 1 and Schema 2 LDAP structures, see the Sun Java Communications Suite Deployment Planning Guide and Sun Java Communications Suite Schema Migration Guide.

Schema 2
In Schema 2, the directory can have two types of organization nodes: base and index. Base nodes appear at the root of the directory tree and contain the organization's data (users and groups). Typically, index nodes for the organization are created if a deployment involves more than one logical grouping of the same physical data. An index node can appear anywhere in the directory. Moreover, some LDAP administrators need to create a directory structure in which one organization node is placed above another, and the user data exists below both organization nodes. (You might have to do this to maintain the structure of a legacy user directory or to merge an existing user domain with a recently acquired domain.)
If the directory contains multiple index nodes for the organization or nested organization nodes, a user entry can “belong” logically to more than one organization node. An application such as Messaging Server must determine which organization is the canonical one in order to resolve a domain search and correctly identify the user's mailbox. In this situation, you must decorate all the non-canonical organization entries with the inetCanonicalDomainName attribute, which specifies the domain name of the organization's base node. Its value must be the same as that of the sunPreferredDomain attribute in the organization's base node.
If the inetCanonicalDomainName attribute is missing and there are multiple organization nodes referring to the organization's base node, the mail processes could possibly use the wrong domain name when trying to open users’ mailboxes.
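
A consistency check for the Schema 2 rules in this entry, as an added example that is not Messaging Server code. It assumes a non-canonical organization entry names its base node through inetDomainBaseDN, as in Example 1 of this entry; the DN normalisation is simplified and the sample directories are constructed.

```python
# Added example (not Messaging Server code): audit organization entries for the
# inetCanonicalDomainName rules described in this entry. Entries are dicts as
# an LDAP search would return them; the sample directories are constructed.


def norm_dn(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def attr(entry, name):
    """Single value of an attribute, lower-cased (syntax cis), or None."""
    for key, values in entry.items():
        if key.lower() == name.lower() and values:
            return values[0].strip().lower()
    return None


def audit_canonical_domains(entries):
    """Return (dn, problem) tuples; an empty list means the rules hold."""
    by_dn = {norm_dn(e["dn"][0]): e for e in entries}
    findings = []
    for dn, entry in by_dn.items():
        canonical = attr(entry, "inetCanonicalDomainName")
        base_dn = attr(entry, "inetDomainBaseDN")
        refers_elsewhere = base_dn is not None and norm_dn(base_dn) != dn
        if not refers_elsewhere:
            # Base node: the attribute is optional here, but if present it
            # must repeat the node's own sunPreferredDomain.
            if canonical is not None and canonical != attr(entry, "sunPreferredDomain"):
                findings.append(
                    (dn, "inetCanonicalDomainName differs from own sunPreferredDomain"))
            continue
        base = by_dn.get(norm_dn(base_dn))
        if base is None:
            findings.append((dn, "inetDomainBaseDN points to an entry that was not found"))
        elif canonical is None:
            findings.append((dn, "non-canonical node lacks inetCanonicalDomainName"))
        elif canonical != attr(base, "sunPreferredDomain"):
            findings.append(
                (dn, "inetCanonicalDomainName does not match base sunPreferredDomain"))
    return findings


# Directory from Example 1 of this entry.
GOOD = [
    {"dn": ["o=sesta,o=rootsuffix"], "sunPreferredDomain": ["sesta.com"]},
    {"dn": ["o=sesta2,o=sesta,o=rootsuffix"],
     "inetDomainBaseDN": ["o=sesta,o=rootsuffix"],
     "inetCanonicalDomainName": ["sesta.com"]},
]

# Constructed index nodes that break the rules (names are hypothetical).
BAD = GOOD + [
    {"dn": ["o=sesta3,o=sesta,o=rootsuffix"],
     "inetDomainBaseDN": ["o=sesta,o=rootsuffix"]},
    {"dn": ["o=sesta4,o=sesta,o=rootsuffix"],
     "inetDomainBaseDN": ["o=sesta, o=rootsuffix"],
     "inetCanonicalDomainName": ["sesta4.com"]},
]

if __name__ == "__main__":
    for dn, problem in audit_canonical_domains(BAD):
        print(dn, "->", problem)
```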
Note that it serves no purpose to decorate the canonical domain entry itself with the inetCanonicalDomainName attribute. If you do, it must have the same value as sunPreferredDomain. If you want multiple domains to have the same attribute settings, you should not create multiple organization nodes. Instead, add associatedDomain to the organization's base node to specify the DNS domain name aliases. (Add one instance of associatedDomain for each domain name alias.) If the organization's base node is not the canonical domain, then it must contain the sunPreferredDomain attribute. Schema 1In Schema 1, the inetCanonicalDomainName attribute is used for the same purpose as in Schema 2, but it is used with DC nodes in the DC tree. This attribute is used when more than one DC node in a DC tree refers to the same base node of a user/group tree for a particular domain in the Organization tree. (There can be only one canonical domain name for a domain's user/group base node in the Organization tree, but there can be many DC nodes referring to the same user/group base node.) In Schema 1, this attribute is not necessary if there is only one DC node referring to a domain's user/group base node. If the attribute is missing, the DC node entry is taken for the canonical domain name. If this attribute is missing and there are multiple DC nodes referring to the same user/group base node, the mail processes could possibly use the wrong domain name when trying to open users’ mailboxes. Using multiple domain nodes to point to the same user/group base node allows you to have different attribute settings (for example, to achieve different routing) for each one. If you want to be sure the two domains have the same attribute settings (for example, to ensure that they are routed identically), use aliasedObjectName on the duplicate node instead. ExamplesExample 1 — Schema 2Suppose the directory contains a base node, o=sesta, to store a corporation's user data. 
In addition, there is an index node, o=sesta2, which points to an overlapping subset of users. In this example, sesta.com is the canonical domain name. To identify the actual organization node, you must decorate the non-canonical organization entry (the index node) with the value of the canonical organization node, inetCanonicalDomainName:sesta.com: dn:o=sesta,o=rootsuffix sunPreferredDomain:sesta.com dn:o=sesta2,o=sesta,o=rootsuffix inetDomainBaseDN:o=sesta,o=rootsuffix inetCanonicalDomainName:sesta.com Example 2 — User Login with inetCanonicalDomainNameAssume the two organization nodes, o=sesta and o=sesta2, are decorated as shown in Example 1. The user jdoe logs in to Messaging Server with the following user ID: jdoe@sesta2.com In this example, there can be only one LDAP entry for the user jdoe. In this case, Messaging Server performs one or more lookups to determine jdoe's canonical user ID, which consists of the user's uid followed by @ and the user's canonical domain name. Messaging Server looks up the value of the inetCanonicalDomainName attribute in the sesta2 organization entry. It then replaces the original domain name in the login ID, sesta2, with the canonical domain name, sesta. Using the canonical user ID, Messaging Server opens jdoe's correct mailbox, which displays all of jdoe's messages, including messages sent to jdoe@sesta2.com, to jdoe@sesta.com, and to any other domain or alias domain associated with jdoe. Example 3 — User Login without inetCanonicalDomainNameAssume the same directory tree layout as is shown in Example 1, but now inetCanonicalDomainName is not used. The user jdoe logs in to Messaging Server with the following user ID: jdoe@sesta2.com As in Example 2 (shown above), there can be only one LDAP entry for the user jdoe. In this case, Messaging Server performs the same lookups it performs in Example 2. 
However, because the sesta2 organization entry does not contain the inetCanonicalDomainName attribute, Messaging Server uses the user ID <uid>@sesta2.com to determine which mailbox to open. A second mailbox associated with the sesta2 domain is created (or, if it already exists, opened). In this mailbox, the user jdoe sees only messages sent to the sesta2 domain; jdoe has no access to any other messages. All other messages are contained in the mailbox associated with the canonical domain. Example 4 — Schema 1In a Schema 1 scenario, if two DC Tree nodes exist, dc=sesta and dc=sesta2, both referring to the user/group base node o=sesta, then you must specify the canonical domain name as follows: dn:dc=sesta,dc=com,o=internet inetDomainBaseDN:o=sesta.com dn:dc=sesta2,dc=com,o=internet inetDomainBaseDN: o=sesta.com inetCanonicalDomainName:sesta.com OID2.16.840.1.113730.3.1.701 inetCoSOriginMessaging Server 5.0 Syntaxcis, multi-valued Object ClassesDefinition(Organization tree domain) Specifies the name of the Class of Service (CoS) template supplying values for attributes in the user entry. The RDN of the CoS template is the value of this attribute. Attribute values provided by the template and any override rules are specified in the CoS definition. CoS definitions are created by using the object class cosDefinition. The value of attribute cosSpecifier in CoS definition entry is set to inetCoS. Create CoS definitions and templates in the container ou=CoS in the subtree for that domain. ExampleinetCoS: HallofFame OID2.16.840.1.113730.3.1.706 inetDomainBaseDNOriginMessaging Server 5.0 Syntaxdn, single-valued Object ClassesinetDomain, sunManagedOrganization DefinitionIn Schema 2, this attribute decorates index nodes configured to support multiple logical groupings that point to the same physical data. In Schema 1, the attribute decorates domain nodes on the DC Tree when in compatibility mode. 
Schema 2 When your deployment comprises multiple logical groupings pointing to the same physical data, the directory may be configured to contain index nodes. Each index node must include the attribute inetDomainBaseDN; the attribute's value must point to the physical node under which the physical data is contained. The physical node must be decorated with the sunManagedOrganization object class. Schema 1 The two domains, the alias and the referenced domain, can have different attribute values, such that routing will differ between the two. If you want to ensure routing is the same, the attribute values of both domains must be identical. DN of the organization’s subtree where all user/group entries are stored. This attribute points to a valid Organization subtree DN. Messaging Server components using the RFC 2247 search (compatibility mode) must resolve this DN in order to search for user and group entries that correspond to the hosted organization. ExampleinetDomainBaseDN: o=sesta.com,o=siroe-isp.com OID2.16.840.1.113730.3.1.690 inetDomainCertMapOriginMessaging Server 5.0 Syntaxcis, multi-valued Object ClassesDefinitionReserved. ExampleNo example given. OID2.16.840.1.113730.3.1.700 inetDomainSearchFilterOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionLDAP search filter to use in search templates when performing a native mode search. The compatibility mode RFC 2247 algorithm search requires this attribute, but ignores its value. Used during authentication to map login name in that domain to an LDAP entry. The following variables can be used in constructing the filter:
If this attribute is missing, it is equivalent to: (&(objectclass=inetOrgPerson)(uid=%U)) Namespaces where users are provisioned with compound uids, such as uid=john_siroe.com, where john is the userID and siroe.com is the domain, would use a search filter of uid=%U_%V. This maps a login string of john@siroe.com (where @ is the login separator for the service) into a search request by the service for an entry’s namespace of siroe.com, where uid=john_siroe.com. An alternate example of using this attribute would be for sites wanting to log people in based on their employee identification. Assuming the attribute empID in user entries stores employee identifications, the search filter would be: (&(objectclass=inetOrgPerson)(empID=%U)). This attribute must return a unique match for valid users within the inetDomainBaseDN subtree. ExampleinetDomainSearchFilter: uid=%U OID2.16.840.1.113730.3.1.699 inetDomainStatusOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionApplications using a DC Tree as their entry point (RFC 2247 compliant compatibility mode LDAP data model) may choose to respect application specific status attributes, but must consume and respect this attribute on the affiliated physical node (Organization Tree). In other words, for compatibility mode, both the DC Tree and the Organization Tree contain this attribute and if the two attribute’s values differ, the one on the Organization Tree will take precedence. Specifies the global status of a domain for all services. The intent of this attribute is to allow the administrator to temporarily suspend and then reactivate access, or to permanently remove access, by the domain and all its users to all the services enabled for that domain. This attribute takes one of three values. Supported values are: Table 3–7 Status Attribute Values
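The inetDomainSearchFilter substitution described above (uid=%U_%V turning john@siroe.com into uid=john_siroe.com), as an added Python example that is not code from Messaging Server. It assumes %U is the user part and %V the domain part of the login string; the function names and the default_domain parameter are hypothetical.

```python
import re

# Filter the page gives as the equivalent of a missing inetDomainSearchFilter.
DEFAULT_FILTER = "(&(objectclass=inetOrgPerson)(uid=%U))"

# RFC 4515 escapes for the characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a string so it is matched literally as an LDAP assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_login(login, separator="@", default_domain=None):
    """Split a login string at the last login separator into (user, domain).

    default_domain is a hypothetical fallback for logins typed without a
    domain part; where a real service gets that value is not covered here.
    """
    user, sep, domain = login.rpartition(separator)
    if not sep:
        user, domain = login, default_domain
    if not user or not domain:
        raise ValueError("login string needs a user part and a domain")
    return user, domain


def build_filter(login, template=None, separator="@", default_domain=None):
    """Expand %U and %V in a search filter template for one login string.

    The login string is untrusted input, so both parts are escaped before
    substitution. A single regex pass is used so that a '%V' typed inside
    the user part is never expanded a second time.
    """
    user, domain = split_login(login, separator, default_domain)
    values = {"%U": escape_filter_value(user), "%V": escape_filter_value(domain)}
    return re.sub(r"%[UV]", lambda m: values[m.group(0)], template or DEFAULT_FILTER)


def require_unique(matches):
    """Enforce the page's rule that the filter returns a unique match.

    `matches` is the list of DNs a search under inetDomainBaseDN returned.
    """
    if len(matches) != 1:
        raise LookupError("expected exactly one entry, got %d" % len(matches))
    return matches[0]


if __name__ == "__main__":
    # Templates taken from the page; the login strings are constructed samples.
    print(build_filter("john@siroe.com"))
    print(build_filter("john@siroe.com", "uid=%U_%V"))
    print(build_filter("10042@siroe.com", "(&(objectclass=inetOrgPerson)(empID=%U))"))
```
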
A missing value implies status is active. An illegal value is treated as inactive. There are four status attributes that mail services look at and which are evaluated in this order: inetDomainStatus, mailDomainStatus, inetUserStatus, and mailUserStatus. The rule is: the first of these attributes that is set to something other than active takes precedence over all the others. Similarly, this attribute is used for calendar services when evaluating status. The status attributes used are: inetDomainStatus, icsStatus (of icsCalendarDomain), either inetResourceStatus or inetUserStatus, and icsStatus (of either icsCalendarResource or icsCalendarUser). In addition, in compatibility mode, when this attribute decorates both the DC Tree and the Organization Tree, both attributes should agree. Administrators are responsible for keeping the two synchronized. If the two attributes do not have the same value, Messaging Server will use the value found in the Organization Tree, while some other legacy application might be using the DC Tree attribute only. This could cause unpredictable results. For more information on native and compatibility mode LDAP schemes, see the Sun Java Enterprise System Installation Guide. ExampleinetDomainStatus: active OID2.16.840.1.113730.3.1.691 inetMailGroupStatusOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionCurrent status of a mail group. The following table lists the possible status values and gives a description of each:
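The mail-service precedence rule stated above (inetDomainStatus, mailDomainStatus, inetUserStatus, mailUserStatus; a missing value is active, an illegal value is inactive), as an added Python example that is not code from the product. The status value tables are missing from this copy, so the legal value sets below are assumptions built from values the page mentions elsewhere; the function names are hypothetical.

```python
# Evaluation order the page gives for mail services.
MAIL_ORDER = ("inetDomainStatus", "mailDomainStatus", "inetUserStatus", "mailUserStatus")

# Assumption: "active, inactive, or deleted" is taken from the page's
# inetResourceStatus description; "hold" is added for mailUserStatus because
# the page refers to that value under mailDeliveryOption.
_BASE = {"active", "inactive", "deleted"}
LEGAL = {
    "inetDomainStatus": _BASE,
    "mailDomainStatus": _BASE,
    "inetUserStatus": _BASE,
    "mailUserStatus": _BASE | {"hold"},
}


def normalise(attribute, value):
    """Apply the page's two defaults to one raw attribute value."""
    if value is None:
        return "active"            # a missing value implies active
    value = value.strip().lower()  # the attributes use case-insensitive (cis) syntax
    if value in LEGAL[attribute]:
        return value
    return "inactive"              # an illegal value is treated as inactive


def effective_mail_status(attrs):
    """Return (status, deciding_attribute) for the merged domain and user attributes.

    The first attribute in MAIL_ORDER that is set to something other than
    active takes precedence over all the others.
    """
    for name in MAIL_ORDER:
        status = normalise(name, attrs.get(name))
        if status != "active":
            return status, name
    return "active", None


def domain_status_drift(dc_tree_node, org_tree_node):
    """Report a compatibility-mode mismatch between the two inetDomainStatus copies.

    Per the page, Messaging Server uses the Organization Tree value while a
    legacy application might read only the DC Tree value, so a mismatch is
    worth flagging. Returns None when both copies agree.
    """
    dc = normalise("inetDomainStatus", dc_tree_node.get("inetDomainStatus"))
    org = normalise("inetDomainStatus", org_tree_node.get("inetDomainStatus"))
    if dc == org:
        return None
    return {"messaging_server_uses": org, "dc_tree_says": dc}


if __name__ == "__main__":
    # Constructed sample entries, not taken from the page.
    suspended_domain = {"inetDomainStatus": "inactive", "inetUserStatus": "active"}
    typo_user = {"inetUserStatus": "actve"}
    print(effective_mail_status(suspended_domain))
    print(effective_mail_status(typo_user))
    print(domain_status_drift({"inetDomainStatus": "active"},
                              {"inetDomainStatus": "inactive"}))
```
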
A missing value implies status is active. An illegal value is treated as inactive. There are four status attributes that interact with each other: inetDomainStatus, mailDomainStatus, inetGroupStatus, and inetMailGroupStatus. These are considered in the order just given. The first one with a status of active takes precedence over the setting of all the others. The MTA option LDAP_GROUP_STATUS can be used to specify a different attribute to be used for group status. ExampleinetMailGroupStatus:active OID2.16.840.1.113730.3.1.786 inetResourceStatusOriginCalendar Server Syntaxcis, single-valued Object ClassesDefinitionThis is a global status for resources. It holds the current status of the resource: active, inactive, or deleted for all services. It is used by Access Manager to manage resources. Status changes can be made to a resource’s status using the commcli interface, or by directly changing the LDAP entry for the group. The following table lists the attribute’s values and their meanings: Table 3–8 Status Attribute Values
There are several status attributes that are evaluated to determine status. They are evaluated in this order: inetDomainStatus, icsStatus (for icsCalendarDomain), inetResourceStatus, icsStatus (for icsCalendarResource). These are considered in the order just given. The first one with a status of active takes precedence over the setting of all the others. ExampleinetResourceStatus: active OID2.16.840.1.113730.3.1.758 inetSubscriberAccountIdOriginMessaging Server 5.0 Syntaxcis, multi-valued Object ClassesDefinitionA unique account ID used for billing purposes. ExampleinetSubscriberAccountId: A3560B0 OID2.16.840.1.113730.3.1.694 inetSubscriberChallengeOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionAttribute for storing the challenge phrase used to identify the subscriber. Used in conjunction with the inetSubscriberResponse. ExampleinetSubscriberChallenge=Mother’s Maiden Name OID2.16.840.1.113730.3.1.695 inetSubscriberResponseOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionAttribute for storing the response to the challenge phrase. ExampleinetSubscriberResponse=Mamasita OID2.16.840.1.113730.3.1.696 inetUserHttpURLOriginMessaging Server 5.0, deprecated in Messaging Server 6.0 Syntaxcis, single-valued Object ClassesDefinitionThis attribute is deprecated for the user class inetUser starting in Messaging Server 6.0 and is likely to be removed from the object class in future versions of the schema. User’s primary URL for publishing Web content. This is an informational attribute and may be used in phonebook-type applications. It is not intended to have any operational impact. ExampleinetUserHttpURL: http://www.siroe.com/theotis OID2.16.840.1.113730.3.1.693 inetUserStatusOriginMessaging Server 5.0, Calendar Server 5.1.1 Syntaxcis, single-valued Object ClassesDefinitionSpecifies the status of a user’s account with regard to global server access. 
This attribute enables the administrator to temporarily suspend, reactivate, or permanently remove access to all services for a user account. The following table lists the values for this attribute: Table 3–9 Status Attribute Values
A missing value implies status is active. An illegal value is treated as inactive.

There are four status attributes that mail services look at and which are evaluated in this order: inetDomainStatus, mailDomainStatus, inetUserStatus, and mailUserStatus. The rule is: the first of these attributes that is set to something other than active takes precedence over all the others.

For calendar services, the attributes evaluated are: inetDomainStatus, icsStatus (for icsCalendarDomain), inetUserStatus, icsStatus (for icsCalendarUser).

When this attribute applies to a static group, defined using the inetUser object class, inactivating (disabling) the group only applies to the group itself and not the users in the group. To disable the users of a group, create a dynamic group by assigning roles to the users, and then disable the role (which disables all users assigned to that role). For more information about roles, see the Sun Java System Directory Server Administrator’s Guide.

The MTA option LDAP_USER_STATUS can be used to specify a different attribute to be used for user status.

Example: inetUserStatus=inactive

OID: 2.16.840.1.113730.3.1.692

mail

Origin: Messaging Server 5.0, Calendar Server
Syntax: cis, single-valued (RFC 822 address)
Object Classes: inetLocalMailRecipient, icsCalendarResource, icsCalendarUser, icsCalendarGroup
Definition: Identifies the primary email address for a user, Calendar group, or Calendar resource. This is the email address retrieved and displayed by white-pages lookup applications. This attribute and mailAlternateAddress are the default attributes used for reverse searches.
Example: mail=jdoe@sesta.com
OID: 0.9.2342.19200300.100.1.3

mailAccessProxyPreAuth

Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Tells the MMP whether the users in this domain have to be preauthenticated. Permitted values are yes or no.
ExamplemailAccessProxyPreAuth=yes OID2.16.840.1.113730.3.1.769 mailAccessProxyReplayOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionThis attribute tells the Messaging Multiplexor how to reconstruct the login string when replaying the login sequence with the back-end mail server. A missing attribute implies that the message access proxies construct the replay string based on the login name used by the client, the domain of the client, and the login separator used for this service. The mailAccessProxyReplay attribute overrides this default behavior when the message access proxy has a different back-end server than Communications Suite. The syntax is that of a login string, with the following substitutions:
Examples
OID2.16.840.1.113730.3.1.763 mailAdminRoleOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionSpecifies the administrative role assigned to the members of the group. The only legal value for this attribute is storeAdmin. The object class that contains this attribute inetMailAdministrator is overlaid on a group entry to grant members of a group administrative privileges over part of the mail server. Currently the only privilege group members inherit are rights to perform proxy authentication for any user in the domain. These rights extend over users in the same domain as where the group is defined. To grant such privileges the attribute mailAdminRole must be set to the value storeAdmin. ExamplemailAdminRole: storeAdmin OID2.16.840.1.113730.3.1.780 mailAllowedServiceAccessOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionStores access filters (rules). If no rules are specified, then user is allowed access to all services from all clients. Rules are separated by a dollar sign ($). The rules are evaluated in this manner:
For a full explanation of access filters and an alternate way to control access through the administration console or the config utility, see “Configuring Client Access to POP, IMAP, and HTTP Services” in the Sun Java System Messaging Server 6.3 Administration Guide. Rule Syntax"+" or "-"service_list":"client_list + (allow filter) means the services in the service list are being granted to the client list. - (deny filter) means the services are being denied to the client list. service_list is a comma separated list of services to which access is being granted or denied. Legal service names are: imap, imaps, pop, pops, smtp, smtps, http, and smime. Note that the MMP supports imap, imaps, pop, pops, and smtp, and smime. The back-end supports imap, pop, smtp, http, and smime. client_list is a comma separated list of clients (domains) to which access is being granted or denied. Wild cards can be substituted for the client list (domains). The following table shows the legal wild cards and gives a description of each: Table 3–10 Wild cards
The following wild cards can be used for the service list: *, ALL.

Except Operator

The access control system supports a single operator, EXCEPT. You can use the EXCEPT operator to create exceptions to the patterns found in a rule’s service list and client list. EXCEPT clauses can be nested. If there are multiple EXCEPT clauses in a rule, they are evaluated right to left. The EXCEPT format is:

list1 EXCEPT list2

where list1 is a comma separated list of services and list2 is a comma separated list of clients.

Example

This example shows a single rule with multiple services and a single wild card for the client list.

mailAllowedServiceAccess: +imap,pop,http:*

This example shows multiple rules, but each rule is simplified to have only one service name and uses wild cards for the client list. (This is the most commonly used method of specifying access control in LDIF files.)

mailAllowedServiceAccess: +imap:ALL$+pop:ALL$+http:ALL

An example of how to disallow all services for a user is:

mailAllowedServiceAccess: -imap:*$-pop:*$-http:*

An example of a rule with an EXCEPT operator is:

mailAllowedServiceAccess: -ALL:ALL EXCEPT server1.sesta.com

This example denies access to all services for all clients except those on the host machine server1.sesta.com.

The following example shows how to restrict user access to SSL-encrypted POP and IMAP access only:

mailAllowedServiceAccess: +imaps,pops:*$+imap,pop:MMP IP address

In the preceding example, note that the back-end servers do not recognize the pops and imaps service names, so it is necessary to grant the MMP IP address(es) pop and imap service access. Otherwise, connections for that user between the MMP and the back-end servers will be rejected.

OID: 2.16.840.1.113730.3.1.777

mailAlternateAddress

Origin: Messaging Server 5.0
Syntax: cis, multi-valued
Object Classes: inetLocalMailRecipient, pabPerson
Definition: Alternate RFC 822 email address of this recipient.
If the MTA receives mail with a “to” header with this email address, it rewrites the header with the value of the mail attribute and routes the email to that inbox. The reverse-pointing addresses are rewritten from the value of any of a user's mailAlternateAddress attributes to the value of the user's mail attribute. (That is, the MTA will rewrite the following headers, if they match this attribute, to the value of the user's mail attribute.) The mailEquivalentAddress attribute works similarly to route the email, but does not rewrite the header. The local part of the address may be omitted to designate a user/group as the catchall address. A catchall domain address is an address that will receive mail to a specified domain if the MTA does not find an exact user address match with that domain. This attribute, along with mail, are the default attributes used for reverse searches. ExamplemailAlternateAddress: jdoe@sesta.com To specify a mail catchall address: mailAlternateAddress: @sesta.com OID2.16.840.1.113730.3.1.13 mailAntiUBEServiceOriginMessaging Server 5.2 Syntaxcis, multi-valued Object ClassesDefinitionThe string values given by this and other opt in attributes are collected and passed to the filtering agent being used (for instance, Brightmail). For Brightmail spam and virus checking, the interpretation of these strings is specified in the Brightmail configuration file. Brightmail uses the information from this attribute for its processing. There are two Brightmail values:
SpamAssassin, another filtering agent, does not use the actual value of the attribute; it can be set to anything.

While another attribute can be named in the option.dat setting for LDAP_OPTIN, it is not recommended. (For more information on Brightmail, see the Messaging Server Administration Guide.)

To use this attribute to specify per user opt in values, set the following in the option.dat file:

LDAP_OPTIN=mailAntiUBEService

To use the attribute to specify domain level opt in values, set the following in the option.dat file:

LDAP_DOMAIN_ATTR_OPTIN=mailAntiUBEService

Example:
mailAntiUBEService: virus
mailAntiUBEService: spam

OID: Unknown

mailAutoReplyMode

Origin: Messaging Server 5.0 (for reply mode), Messaging Server 5.2 patch 1 (for echo mode)
Syntax: cis, single-valued
Object Classes:
Definition: Specifies the autoreply mode for user mail account. This is one of several autoreply attributes used when autoreply is an active mail delivery option. The two modes for autoreply are:
Example: mailAutoReplyMode: reply

OID: 2.16.840.1.113730.3.1.14

mailAutoReplySubject

Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Subject text of autoreply response. $SUBJECT can be used to insert the subject of the original message into the response.
Example: mailAutoreplySubject: I am on vacation
OID: 2.16.840.1.113730.3.1.772

mailAutoReplyText

Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Autoreply text sent to all senders except users in the recipient’s domain. If not specified, external users receive no auto response.
Example: mailAutoreplyText: Please contact me later.
OID: 2.16.840.1.113730.3.1.15

mailAutoReplyTextInternal

Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Autoreply text sent to senders from the recipient’s domain. If not specified, then internal users get the mail autoreply text message.
Example: mailAutoreplyTextInternal: Please contact me later.
OID: 2.16.840.1.113730.3.1.773

mailAutoReplyTimeOut

Origin: Messaging Server 5.0
Syntax: integer, single-valued
Object Classes:
Definition: Duration, in hours, for successive autoreply responses to any given mail sender. If the value is set to 0 for mailAutoReplyMode: echo then a response is sent back every time a message is received. Autoreply responses are sent out only if the recipient is listed in the “to” or “cc:” of the original message.
Example: mailAutoreplyTimeout: 48
OID: 2.16.840.1.113730.3.1.771

mailClientAttachmentQuota

Origin: Messaging Server 5.0
Syntax: integer, single-valued
Object Classes:
Definition: A positive integer value indicating the number of attachments the Messenger Express user can send per message in this domain. A value of -1 means no limit on attachments.
ExamplemailClientAttachmentQuota: 12 OID2.16.840.1.113730.3.1.768 mailConversionTagOriginMessaging Server 5.2 Syntaxcis, multi-valued (ASCII string) Object ClassesinetMailGroup, inetMailUser DefinitionMethod of specifying unique conversion behavior for a user or group entry. A message sent to this user or group will match any conversion file entries that require the specified value of the tag. (Any string value can be associated with this attribute.) Tag-specific conversion actions are specified in the MTA configuration. The MTA option used to override this attribute is LDAP_CONVERSION_TAG. ExampleNo example given. OIDUnknown mailDeferProcessingOriginMessaging Server 5.2 Syntaxcis, single-valued (ASCII string) Object ClassesinetMailGroup, inetMailUser DefinitionControls whether or not address expansion of the current user or group entry is performed immediately (value is “No”), or deferred (value is “Yes”). Note – A different attribute (other than mailDeferProcessing) can be designated for this purpose in the MTA option LDAP_REPROCESS. Deferral takes place if the value is “Yes” and the current source channel isn’t the reprocess channel. Deferral is accomplished by directing the user or group’s address to the reprocess channel. That is, the expansion of the alias is aborted and the original address (user@domain) is queued to the reprocess channel. If this attribute does not exist, the setting of the deferred processing flag associated with delivery options processing is checked. If it is set, processing is deferred. If it is not set, the default for users is to process immediately (as if the value of this attribute were “No”). The default for groups (such as mailing lists) is controlled by the MTA option DEFER_GROUP_PROCESSING, which defaults to 1 (yes). Best Practices Suggestions for Duplicate Message ProblemGetting duplicate copies of messages can happen. 
For example, if a user sends an email to both addresseeA, and groupA that contains addresseeA, and DEFER_GROUP_PROCESSING=1 and this attribute is No, then the message immediately duplicates, such that addresseeA gets two copies, one that came directly, and one that took the deferred expansion hop through the reprocess channel for groupA to get expanded. While disabling deferred group expansion would eliminate the duplicate, that’s not a good idea if you have a lot of large groups. Using expandlimit 1 can potentially cause unnecessary overhead on general, non-group, multi-recipient messages. To minimize the effect of this situation, the following two solutions are best practices:
ExampleThe default for mail users: mailDeferProcessing: No The default for mailing lists: mailDeferProcessing:Yes OIDUnknown mailDeliveryFileURLOriginMessaging Server 5.0 Syntaxces, single-valued Object ClassesDefinitionFully qualified local path of file to which all messages sent to the mailing list are appended. Used in conjunction with mailDeliveryOption: file. The MTA option used to override this attribute’s value is LDAP_PROGRAM_FILE. ExamplemailDeliveryFileURL: /home/dreamteam/mail_archive OID2.16.840.1.113730.3.1.787 mailDeliveryOptionOriginMessaging Server 5.0 Syntaxcis, multi-valued Object ClassesDefinitionSpecifies delivery options for the mail recipient. One or more values are permitted on a user or group entry, supporting multiple delivery paths for inbound messages. Values will apply differently depending on whether the attribute is used in inetMailGroup or inetMailUser. Note, that the mailUserStatus attribute is processed before this attribute. If mailUserStatus is set to hold, an internal flag is set so that when mailDeliveryOption is processed, the mailUserStatus hold overrides whatever delivery options are specified with mailDeliveryOption. For users, delivery addresses are generated for each valid delivery option value. Valid values are: For users only (inetMailUser):
For groups only (inetMailGroup):
Both users and groups: These values are handled the same for both users and groups.
The MTA option DELIVERY_OPTIONS, found in the msg-svr-base/config/option.dat file, defines how each of the previously listed values will be processed. The MTA option used to override this attribute’s value is LDAP_DELIVERY_OPTION. ExamplemailDeliveryOption: mailbox OID2.16.840.1.113730.3.1.16 mailDomainAllowedServiceAccessOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionStores access filters (rules). If no rules are specified, then domain is allowed access to all services from all clients. Rules are separated by a dollar sign ($). The rules are evaluated in this manner:
For a full explanation of access filters and an alternate way to control access through the administration console or the config utility, see “Configuring Client Access to POP, IMAP, and HTTP Services” in the Messaging Server Administration Guide.

Rule Syntax

+ or - <service_list>":"<client_list>

+ (allow filter) means the services in the service list are being granted to the client list.

- (deny filter) means the services are being denied to the client list.

service_list is a comma separated list of services to which access is being granted or denied. Legal service names are: imap, imaps, pop, pops, smtp, smtps, http, and smime. Note that the MMP supports imap, imaps, pop, pops, smtp, and smime. The back-end supports imap, pop, smtp, http, and smime.

client_list is a comma separated list of clients (domains) to which access is being granted or denied.

Wild cards can be substituted for the client list (domains). The following table shows the allowed wild cards and describes each of them:

Table 3–11 Wild Cards
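A lint check for mailAllowedServiceAccess and mailDomainAllowedServiceAccess values, added here as a Python example and not part of Messaging Server. It covers only what this page states (rule syntax, legal service names, the EXCEPT format, the empty-value default and the MMP note about imaps and pops); it does not evaluate rules against a client, and the function names and finding codes are hypothetical.

```python
import re

# Legal service names and service-list wild cards, as listed on this page.
LEGAL_SERVICES = {"imap", "imaps", "pop", "pops", "smtp", "smtps", "http", "smime"}
SERVICE_WILDCARDS = {"*", "ALL"}
# Per the page, back-end servers do not recognize imaps and pops, so the
# plain service must also be granted (to the MMP address) for them to work.
BACKEND_NAME = {"imaps": "imap", "pops": "pop"}


def _split_except(text):
    """Split 'a,b EXCEPT c' into its comma separated lists, left to right."""
    return [[item.strip() for item in part.split(",") if item.strip()]
            for part in re.split(r"\s+EXCEPT\s+", text.strip())]


def parse_rule(rule):
    """Parse one rule of the form: "+" or "-" service_list ":" client_list."""
    rule = rule.strip()
    if not rule or rule[0] not in "+-":
        raise ValueError("rule must start with + or -: %r" % rule)
    services, sep, clients = rule[1:].partition(":")
    if not sep or not services.strip() or not clients.strip():
        raise ValueError("rule needs service_list:client_list: %r" % rule)
    return {"allow": rule[0] == "+",
            "services": _split_except(services),
            "clients": _split_except(clients)}


def lint(value):
    """Return a list of (code, detail) findings for one attribute value."""
    rules, findings = [], []
    for raw in value.split("$"):          # rules are separated by a dollar sign
        if not raw.strip():
            continue
        try:
            rules.append(parse_rule(raw))
        except ValueError as exc:
            findings.append(("malformed", str(exc)))
    if not rules and not findings:
        return [("no-rules", "access to all services from all clients is allowed")]

    allowed = set()
    for rule in rules:
        for group in rule["services"]:
            for name in group:
                if name not in LEGAL_SERVICES and name not in SERVICE_WILDCARDS:
                    findings.append(("unknown-service", name))
        if rule["allow"]:
            allowed.update(rule["services"][0])

    # SSL-only setups: imaps/pops granted without the back-end service name.
    if not allowed & SERVICE_WILDCARDS:
        for front, back in sorted(BACKEND_NAME.items()):
            if front in allowed and back not in allowed:
                findings.append(("backend-gap",
                                 "%s is allowed but %s is not granted to the MMP"
                                 % (front, back)))
    return findings


if __name__ == "__main__":
    # Values from the page's examples, plus one constructed SSL-only value.
    for sample in ("+imap,pop,http:*",
                   "-ALL:ALL EXCEPT server1.sesta.com",
                   "+imaps,pops:*"):
        print(sample, "->", lint(sample))
```
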
The following wild cards can be used for the service list: *, ALL. Except OperatorThe access control system supports a single operator, EXCEPT. You can use the EXCEPT operator to create exceptions to the patterns found in a rule’s service list and client list. EXCEPT clauses can be nested. If there are multiple EXCEPT clauses in a rule, they are evaluated right to left. The EXCEPT format is: list 1 EXCEPT list 2 A list is a comma separated list of services or clients. ExampleThis example shows a single rule with multiple services and a single wild card for the client list. mailDomainAllowedServiceAccess: +imap,pop,http:* This example shows multiple rules, but each rule is simplified to have only one service name and uses wild cards for the client list. mailDomainAllowedServiceAccess: +imap:ALL$+pop:ALL$+http:ALL The second example is probably the most commonly used in Messaging Server LDIF files. An example of a rule with an EXCEPT operator is: mailDomainAllowedServiceAccess: -ALL:ALL EXCEPT server1.sesta.com This example denies access to all services for all clients except those on the host machine server1.sesta.com. OID2.16.840.1.113730.3.1.764 mailDomainCatchallAddressOriginMessaging Server 5.2 Syntaxcis, single-valued (RFC 822 mailbox) Object ClassesDefinitionSpecifies an address to be substituted for any address in the domain that doesn’t match any user or group in the domain. The MTA option used to override this attribute’s value is LDAP_DOMAIN_ATTR_CATCHALL_ADDRESS. ExampleNo example given. OIDUnknown mailDomainConversionTagOriginMessaging Server 5.2 Syntaxcis, multi-valued (ASCII string) Object ClassesDefinitionMethod of specifying unique conversion behavior for any user in the domain. A message sent to a user in this domain will match any conversion file entries that require the specified value of the tag. (Any string value can be associated with this attribute.) Tag-specific conversion actions are specified in the MTA configuration. 
The MTA option used to override the value of mailDomainConversionTag is LDAP_DOMAIN_ATTR_CONVERSION_TAG.
Example: No example given.
OID: Unknown
mailDomainDiskQuota
Origin: Messaging Server 5.0
Syntax: integer, single-valued
Object Classes:
Definition: Disk quota, in bytes, for all users in the domain. If domain quota enforcement is activated, then domains exceeding this quota stop receiving more messages until the domain messages no longer exceed the quota. Domain quota enforcement is activated using the command imquotacheck -f -d <domain>.
Valid numeric values for mailDomainDiskQuota are pos_num[G|M|K] or -1 or -2, where pos_num is a positive number up to a maximum of 4294966272 and G (gigabytes), M (megabytes), and K (kilobytes) are the valid units of measurement. You can specify the full quota value as a positive number by itself (for example, 20000000) or use a unit of measurement (for example, 20M). The maximum mailDomainDiskQuota value is 4096G. Specifying a mailDomainDiskQuota value of 0 will mean that no mail will be delivered. You can also use the values shown in the following table.
Table 3–12 mailDomainDiskQuota Values
Example: To specify a quota of 4 gigabytes:
mailDomainDiskQuota: 4G
To specify the system default quota, do not add mailDomainDiskQuota to the LDAP entry. Or you can use the following value:
mailDomainDiskQuota: -2
OID: 2.16.840.1.113730.3.1.766
mailDomainMsgMaxBlocks
Origin: Messaging Server 5.2
Syntax: integer, single-valued
Object Classes: mailDomain
Definition: Imposes a size limit in units of MTA blocks on all messages sent to addresses in this domain. This limit doesn’t apply to messages sent by users from this domain. The value of this attribute is overridden by the value of mailMsgMaxBlocks, if set. The MTA option used to override this attribute’s value is LDAP_DOMAIN_ATTR_BLOCKLIMIT.
Example: No example given.
OID: Unknown
mailDomainMsgQuota
Origin: Messaging Server 5.0
Syntax: integer, single-valued
Object Classes:
Definition: Quota of number of messages permitted for all users in this domain. If domain quota enforcement is activated, then the domain exceeding this quota will stop receiving more messages until the messages no longer exceed the quota. Domain quota enforcement is activated using the command imquotacheck -f -d <domain>.
Example: mailDomainMsgQuota: 2000000
OID: 2.16.840.1.113730.3.1.767
mailDomainReportAddress
Origin: Messaging Server 5.2
Syntax: cis, single-valued (RFC 822 mailbox)
Object Classes:
Definition: This value is used as the header From: address in DSNs reporting problems associated with recipient addresses in the domain. It is also used when reporting problems to users within the domain regarding errors associated with non-local addresses. If this attribute is not set, the reporting address will default to postmaster@domain. The MTA option used to override this attribute’s value is LDAP_DOMAIN_ATTR_REPORT_ADDRESS.
Example: No example given.
OID: Unknown
mailDomainSieveRuleSource
Origin: Messaging Server 5.2
Syntax: cis, single-valued (RFC 3028 sieve filter)
Object Classes:
Definition: SIEVE filters are not supported by iPlanet Delegated Administrator.
SIEVE filter for all users in the domain. There are two possible forms for the value of this attribute: a single value that contains the complete sieve script (RFC 3028 compliant), and multiple values, with each value containing a piece of the sieve script (not RFC 3028 compliant). A script has the following form:
require ["fileinto", "reject"];
# $Rule Info: Order=(1-infinity, or 0 for disabled) Template=(template-name) Name=(rule name)
if header :is "Sender" "owner-ietf-mta-filters@imc.org"
{ fileinto "filter"; } # move to "filter" folder
if header :is "Subject" "SPAM!"
{ delete }
Multi-valued Form
Multiple SIEVE scripts per user can be stored in LDAP. To enable the user interface to handle several smaller rules scripts, rather than one script containing all the domain’s rules, this attribute takes multiple values (that is, multiple rules). The server looks at every rule in mailSieveRuleSource. To provide ordering and possible user interface editing information, there is an optional SIEVE comment line in each rule. This line has the following format:
# $Rule Info: Order=(1-infinity, or 0 for disabled)
All rules that have a Rule Info line will be processed first by the Messaging Server. If Order=0, then this rule is not used in the SIEVE evaluation. Otherwise, the rules are processed in the order provided (1 having highest priority). To accommodate SIEVE rules that might not have been entered using the Rule Info extension, any other rules found are run by the server, in the order received from LDAP, after all rules with corresponding order values have been processed.
MTA Override Option
The MTA option that overrides this attribute’s value is LDAP_DOMAIN_ATTR_FILTER.
Example
The following example is correctly formed, but Messaging Server ignores discard and reject text, and does not send a reject or discard reply message.
mailSieveRuleSource: require ["fileinto", "reject",
"redirect", "discard"];
if header :contains "Subject" "New Rules Suggestion"
{redirect "rules@sesta.com";} # Forward message
if header :contains "Sender" "porn.com"
{discard text:
Your message has been rejected.
Please remove this address from your mailing list.
.
;} # Discard message, send reply message.
if size :over 1M
{reject text:
Please do not send large attachments.
Put your file on a server and send the URL. Thank you.
.
;} # Reject message, send reply message.
if header :contains "Sender" "domainadminstrator@sesta.com"
{fileinto "complaints.refs";} # File message
OIDUnknown mailDomainStatusOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionCurrent status of the mail domain. Can be one of the following values: active, inactive, deleted, hold, or overquota. This attribute is the mail service domain status. Missing value implies status is active. An illegal value is treated as inactive. The following table lists the status values: Table 3–13 Status Values
There are four status attributes that mail services look at and which are evaluated in this order: inetDomainStatus, mailDomainStatus, inetUserStatus, and mailUserStatus. The rule is: the first of these attributes that is set to something other than active takes precedence over all the others. The MTA option that overrides this attribute’s values is LDAP_DOMAIN_ATTR_STATUS. The LDAP_DOMAIN_ATTR_STATUS option does not affect the message store or Delegated Administrator commadmin utility, which only recognize and use the current value of mailDomainStatus. ExamplemailDomainStatus: active OID2.16.840.1.113730.3.1.770 mailDomainWelcomeMessageOriginMessaging Server 6.0 Syntaxcis, single-valued Object ClassesDefinitionWelcome message sent to new users added to this domain. The message must contain a header and a message body. The message header must contain at least a subject line. The header and body are separated by a blank line. Enter the mail-domain welcome message on a single line. You must use a $ (dollar sign) to represent a new line. To indicate a blank line, use $$ (two dollar signs). You can use the following variables in the mail-domain welcome message: [ID] The userid (message store user ID). [URL] The url location specified with the configutil parameter, gen.accounturl. You can configure this parameter to point the user to, for example, the url of the administrative interface where the user can customize the client configuration. ExampleThe following example would be entered on a single line, even though it appears on this page on multiple lines:
When the user anne logs in for the first time, the following sample mail-domain welcome message would be displayed (depending on the url configuration):
OID: 2.16.840.1.113730.3.1.765
mailEquivalentAddress
Origin: Messaging Server 5.2
Syntax: cis, multi-valued (RFC 822 addr-spec)
Object Classes: inetMailGroup, inetMailUser
Definition: Equivalent to mailAlternateAddress in regard to mail routing, except with this attribute, the header doesn’t get rewritten. Note that mailEquivalentAddress is searched for when the system is deciding where to deliver messages, but it is not one of the attributes searched for when doing REVERSE_URL address reversal. This attribute works only for direct LDAP mode, not with the deprecated imsimta dirsync option.
Example:
mailEquivalentAddress: jdoe@sesta.com
mailEquivalentAddress: @sesta.com (catchall domain address)
OID: Unknown
mailFolderName
Origin: Messaging Server 6.2
Syntax: cis, single-valued
Object Classes:
Definition: This attribute specifies the name of a public folder.
Example: mailFolderName: Announcements
OID: Unknown
mailForwardingAddress
Origin: Messaging Server 5.0
Syntax: cis, multi-valued
Object Classes:
Definition: This attribute stores one or more forwarding addresses for inbound messages. Addresses are specified in RFC 822 format. Messages are forwarded to the listed address when mailDeliveryOption: forward is set. Note that both mailDeliveryOption and this attribute must be set in order to keep the mail system in sync.
Example: mailForwardingAddress: kokomo@sesta.com
OID: 2.16.840.1.113730.3.1.17
mailHost
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: For a user or group entry, the fully qualified host name of the MTA that is the final destination of messages sent to this recipient. To be deemed local, the user entry must have this attribute, and it must match either the local.hostname configutil attribute, or one of the names specified by the local.imta.hostnamealiases configutil attribute. Otherwise, a new source routed address is generated in the form: @mailhost:user@domain and will be processed through the rewrite rules.
If a user entry does not have this attribute, the generated address will use the mailRoutingSmartHost hostname associated with the domain @smarthost:user@domain. If the domain has no mailRoutingSmartHost attribute, the address is discarded and a 5xx error is reported. If a group entry does not have this attribute, the group is processed locally. The MTA option that overrides this attribute’s value is LDAP_MAILHOST. ExamplemailHost: mail.siroe.com OID2.16.840.1.113730.3.1.18 mailMessageStoreOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionSpecifies the message store partition name for the user. The mapping between the partition name and the file system location of the store is kept in the message store configuration. If not specified, the default store partition specified in the server configuration is used. ExamplemailMessageStore: secondary OID2.16.840.1.113730.3.1.19 mailMsgMaxBlocksOriginMessaging Server 5.2 Syntaxinteger, single-valued Object ClassesinetMailGroup, inetMailUser DefinitionThe size in units of MTA blocks of the largest message that can be sent to this user or group. The limit doesn’t apply to messages sent by the user. If this attribute is set, it overrides the value of mailDomainMsgMaxBlocks. The MTA option that overrides the attribute’s value is LDAP_BLOCKLIMIT. ExampleNo example given. OIDUnknown mailMsgQuotaOriginMessaging Server 5.0 Syntaxinteger, single-valued Object ClassesDefinitionMaximum number of messages permitted for a user is set with mailMsgQuota. This is a cumulative count for all folders in the store. This attribute also can specify the number of messages allowed for a particular folder or message type. Although mailMsgQuota is a single-valued attribute, you can use it to specify multiple quota values. You can set individual quota values for specific folders and message types. For details, see Specifying Quotas for Folders and Message Types. 
If the mailMsgQuota attribute is missing, the system default quota is used. This is defined by the configutil parameter store.defaultmessagequota. During server configuration, quota enforcement must be turned on for mailMsgQuota to take effect. Both soft and hard quotas can be set. (See the Sun Java System Messaging Server 6.3 Administration Guide.) The MTA option override is LDAP_MESSAGE_QUOTA. To specify a mailMsgQuota value for the user's entire mailbox tree, use the following format:
where msgquota is the number of messages. msgquota ValuesValid values for msgquota are up to a maximum of 4294966272. Specifying a msgquota value of 0 will mean that no mail will be delivered. You can also use the values shown in the following table: Table 3–14 MsgQuota Values
Specifying Quotas for Folders and Message TypesTo enable the quotas for individual folders or specific message types, you must run the configutil command with the parameters store.quotafolder.enable and store.typequota.enable. To enable and configure message types, you also must enable the configutil parameter store.messagetype.enable and configure other configutil parameters. Guidelines for Specifying Multiple Quota Values You can specify the following mailMsgQuota values for a user's mailbox tree:
The following guidelines apply when you assign multiple quota values for a user:
Formatting Quota Values for Folders and Message Types To specify mailMsgQuota values for folders or message types, use the following format:
where {msgquota} is the number of messages. For a description of the valid numeric values, see msgquota Values. {name} is the name of the folder or message type. The semicolon (“;” ) is a separator that separates multiple quota values. The percent sign (“%”) associates a folder or message-type name with the quota value that follows it. Additional Formatting Guidelines for Quota Values
ExampleTo specify a quota of 2,000 messages: mailMsgQuota: 2000 To specify the system default quota, do not add mailMsgQuota to the LDAP entry. Or you can use the following value: mailMsgQuota: -2 To specify a default quota of 2,000 messages for all user folders not explicitly assigned a quota; a voice-message quota of 100 messages; and a quota for the Archive folder of 4,000 messages: mailMsgQuota: 2000;#voice%100;Archive%4000 In the preceding example, the 2,000–message default quota includes messages in all user folders except the Archive folder; it also excludes voice messages. The 100–message voice-mail quota includes voice messages in all user folders, including the Archive folder. The 4,000–message Archive-folder quota includes messages in the Archive folder and its subfolders; it includes messages of all types except voice messages. OID2.16.840.1.113730.3.1.774 mailProgramDeliveryInfoOriginMessaging Server 5.0 Syntaxces, multi-valued Object ClassesDefinitionSpecifies one or more programs used for program delivery. These programs have to be on the approved list of programs that the messaging server is permitted to execute for a domain. The attribute value specifies a reference to a program. That reference is resolved from the approved list of programs. The resolved reference also provides the program parameters and execution permissions. Used in conjunction with the mailDeliveryOption: program. The value of this attribute should be used as the value for the method name (-m value) when running imsimta program. The program approval process is documented further in the Sun Java System Messaging Server 6.3 Administration Guide. The MTA option used to name a different attribute for this function is LDAP_PROGRAM_INFO. ExamplemailProgramDeliveryInfo: procmail OID2.16.840.1.113730.3.1.20 mailPublicFolderDefaultRightsOriginMessaging Server 6.2 Syntaxcis, multi-valued Object ClassesDefinitionSpecifies the access control rights granted for this public folder. 
Each value of this attribute consists of two parts separated by a space. The two parts are: an identifier, as specified in RFC 2086, and a list of access rights, mod_rights, as shown in the following table: Table 3–15 Access Rights for a Public Folder
Messaging Server’s IMAP ACL implementation also defines the following new identifier: anyone@domain where domain is a valid domain. If the attribute is missing, the default rights specified in the mailPublicFolderDefaultRights attribute from the mailDomain object class will be applied. If mailDomain does not contain this attribute, the following default ACL is set when a public folder is first created: anyone@domain lrs where domain is a valid domain. Group identifiers start with the prefix “group=”. Do not put the group identifier prefix on a userid. The message store’s user creation code checks for this.
Examples:
mailPublicFolderDefaultRights: anyone@sesta.com lrs
mailPublicFolderDefaultRights: group: sales@sesta.com lrs
mailPublicFolderDefaultRights: john@sesta.com lrswid
OID: Unknown
mailQuota
Origin: Messaging Server 5.0
Syntax: integer, single-valued
Object Classes:
Definition: Specifies, in bytes, the amount of disk space allowed for the user’s mailbox. This attribute also can specify the amount of disk space allowed for a particular folder or message type. Although mailQuota is a single-valued attribute, you can use it to specify multiple quota values. You can set individual quota values for specific folders and message types. For details, see Specifying Quotas for Folders and Message Types. For a description of the numeric values for specifying quotas, see quota Values.
If the mailQuota attribute is not specified, the system default quota is used. The system default is specified in the server configuration parameter store.defaultmailboxquota. Setting the configuration parameter store.quotaenforcement to “on” causes the message store to enforce the quota.
Note – LDAP_DISK_QUOTA is the MTA option used to specify a different attribute name for this function.
To specify a mailQuota value for the user's entire mailbox tree, use the following format:
where quota is the number of bytes. quota ValuesValid numeric values for quota are pos_num[G|M|K] or -1 or -2. where pos_num is a positive number up to a maximum of 4294966272 and G (gigabytes), M (megabytes), and K (kilobytes) are the valid units of measurement. You can specify the full quota value as a positive number by itself (for example, 20000000) or use a unit of measurement (for example, 20M). The maximum quota value of the user mailbox is 4096G. Specifying a quota value of 0 will mean that no mail will be delivered. You can also use the values shown in the following table. Table 3–16 quota Values
Specifying Quotas for Folders and Message TypesTo enable the quotas for individual folders or specific message types, you must run the configutil command with the parameters store.quotafolder.enable and store.typequota.enable. To enable and configure message types, you also must enable the configutil parameter store.messagetype.enable and configure other configutil parameters. Guidelines for Specifying Multiple Quota Values You can specify the following mailQuota values for a user's mailbox tree:
The following guidelines apply when you assign multiple quota values for a user:
Formatting Quota Values for Folders and Message Types To specify mailQuota values for folders or message types, use the following format:
where {quota} is the number of bytes. For a description of the allowed numeric values, see quota Values. {name} is the name of the folder or message type. The semicolon (“;” ) is a separator that separates multiple quota values. The percent sign (“%”) associates a folder or message-type name with the quota value that follows it. Additional Formatting Guidelines for Quota Values
Example: To specify a quota of 4 gigabytes for the user mailbox:
mailQuota: 4G
To specify the system default quota, do not add mailQuota to the LDAP entry. Or you can use the following value:
mailQuota: -2
To specify a 20 MB default quota for all user folders not explicitly assigned a quota; a 10 MB voice-message quota; and a 100 MB quota for the Archive folder:
mailQuota: 20M;#voice%10M;Archive%100M
In the preceding example, the 20 MB default quota includes messages in all user folders except the Archive folder; it also excludes voice messages. The 10 MB voice-message quota includes voice messages in all user folders, including the Archive folder. The 100 MB Archive folder quota includes messages in the Archive folder and its subfolders; it includes messages of all types except voice messages.
OID: 2.16.840.1.113730.3.1.21
mailRejectText
Origin: Messaging Server 5.2
Syntax: ces, multi-valued
Object Classes:
Definition: The first line of text stored in the first value of this attribute is saved. This text is returned if any of the authentication attributes cause the message to be rejected. Since text can appear in SMTP responses, the value is limited to US-ASCII characters in order to comply with messaging standards.
Note – LDAP_REJECT_TEXT is the MTA option used to specify a different attribute name for this function.
Example: No example given.
OID: Unknown
mailRoutingAddress
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Used together with mailHost to determine whether or not the address should be acted upon at this time or forwarded to another system.
Note – LDAP_ROUTING_ADDRESS is the MTA option used to specify a different attribute name for this function.
Example: No example given.
OID: 2.16.840.1.113730.3.1.24
mailRoutingHosts
Origin: Messaging Server 5.0
Syntax: cis, multi-valued
Object Classes:
Definition: Fully qualified host name of the MTA responsible for making routing decisions for users in this (and all contained) domain(s).
Unspecified attribute implies all MTA's must route messages for the users/groups of this (and contained) domain(s). When a domain is found to be non-local, the use of this attribute depends on the value of the MTA option ROUTE_TO_ROUTING_HOST:
Since this attribute is multi-valued and the first value the MTA “sees” will be chosen when the option is set to 1, it might be tempting to assume that you can direct the order in which these mail hosts will be used; that is, you might assume you can do a sort of load balancing by ordering the various values of this attribute. But LDAP does not guarantee that attribute value ordering is preserved, so the first value seen by the MTA might be any of the attribute’s values, not necessarily the first one in the LDAP entry. You can implement load balancing with a set of MX records for each of the routing host names. Do not attempt to do it with the ordering of this attribute’s values.
LDAP_DOMAIN_ATTR_ROUTING_HOSTS is the MTA option used to specify a different attribute name for this function.
Example: mailRoutingHosts: mail.siroe.com
OID: 2.16.840.1.113730.3.1.759
mailRoutingSmartHost
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Fully qualified host name, or domain-literal IP address, of a mail server responsible for handling mail for users not found in the local directory. Messages sent to users not found in the messaging server’s directory are forwarded to the mail server specified in this attribute. This is useful when making a transition from one mail system to another and all users have not yet been moved over to the messaging server directory. An empty or missing attribute implies the local MTA is responsible for routing and delivering all messages for users in that domain. This attribute is used by the system only if the domain it cares about is listed in the attribute; otherwise, it is ignored.
Note – LDAP_DOMAIN_ATTR_SMARTHOST is the MTA option used to specify a different attribute name for this function.
ExamplemailRoutingSmartHost: mail.siroe.com mailRoutingSmartHost: 129.148.12.141 OID2.16.840.1.113730.3.1.760 mailSieveRuleSourceOriginMessaging Server 5.0 Syntaxcis, multi-valued Object ClassesinetMailUser, inetManagedGroup, inetMailGroup DefinitionSIEVE filters are not supported with iPlanet Delegated Administrator for Messaging. Use this with LDAP Schema 2 and Access Manager. The attribute contains a SIEVE rule (RFC 3028 compliant) used to create a message filter script for a user entry. This attribute can be either single-valued, with the rule containing the complete SIEVE script, or multi-valued, with each rule containing an independently valid piece of the SIEVE script. When there are multiple values, the Web filter construction interface combines the rules into a single SIEVE script using an ordering parameter (Order) found in a #Rule Info: comment. Note – Note that when the value of Order is a negative number, the value is ignored, and the rule is processed with other unordered SIEVE rules for this entry, but when the value of Order is zero, the rule is disabled and not processed at all. The script is applied when a message is ready to be enqueued to the delivery channel. Though the SIEVE script is created while the MTA is expanding aliases, it is not used until after the resulting delivery addresses have been expanded and are being sent to the ims-ms, native, autoreply or pipe channels. A script has the following form: require ["fileinto", "reject"];
# Rule Info: $Order=(1-infinity, or 0 for disabled) Template=(template-name) Name=(rule name)
if header :is "Sender" "owner-ietf-mta-filters@imc.org"
{ fileinto "filter"; } # move to "filter" folder
if header :is "Subject" "SPAM!"
{ delete }
MTA Option
The MTA option used to name a different attribute for this function is LDAP_FILTER.
Example
mailSieveRuleSource: require ["fileinto", "reject",
"redirect", "discard"];
if header :contains "Subject" "New Rules Suggestion"
{redirect "rules@sesta.com";} # Forward message
if header :contains "Sender" "porn.com"
{discard text:
Your message has been rejected.
Please remove this address from your mailing list.
.
;} # Discard message, send reply message.
if size :over 1M
{ reject text:
Please do not send me large attachments.
Put your file on a server and send me the URL.
Thank you.
.
;} # Reject message, send reply message.
if header :contains "Sender" "barkley@sesta.com"
{ fileinto "complaints.refs"; } # File message
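The ordering rules given for multi-valued mailDomainSieveRuleSource and mailSieveRuleSource (rules with an Order value first, Order=0 disabled, negative Order treated as unordered, remaining rules in the order received from LDAP) decide which stored filters actually run. The following Python is an added example for reviewing an entry's values, not code from Messaging Server or this guide; the function names and sample rule values are constructed, the example.net addresses are placeholders, and breaking ties between equal Order values by LDAP position is an assumption.

```python
import re

# Accepts both spellings that appear on this page:
#   "# $Rule Info: Order=..."  and  "# Rule Info: $Order=..."
RULE_INFO = re.compile(r"^\s*#\s*\$?Rule Info:(.*)$", re.MULTILINE)
ORDER = re.compile(r"\$?Order=(-?\d+)")
REDIRECT = re.compile(r'\bredirect\s+"([^"]+)"')
FULL_LINE_COMMENT = re.compile(r"(?m)^\s*#.*$")


def rule_order(value):
    """Return the Order number from a value's Rule Info comment, or None."""
    info = RULE_INFO.search(value)
    if not info:
        return None
    found = ORDER.search(info.group(1))
    return int(found.group(1)) if found else None


def evaluation_order(values):
    """Indexes of the active rules, in the order the page says they are run."""
    ordered, unordered = [], []
    for idx, value in enumerate(values):
        order = rule_order(value)
        if order == 0:
            continue                      # Order=0: rule is disabled
        if order is None or order < 0:
            unordered.append(idx)         # no Rule Info, or negative Order
        else:
            ordered.append((order, idx))  # 1 has the highest priority
    # Assumption: equal Order values keep their LDAP position.
    return [idx for _, idx in sorted(ordered)] + unordered


def external_redirects(values, local_domain):
    """(index, address) for active rules that redirect outside local_domain."""
    suffix = "@" + local_domain.lower()
    hits = []
    for idx in evaluation_order(values):
        code = FULL_LINE_COMMENT.sub("", values[idx])  # ignore comment lines
        for addr in REDIRECT.findall(code):
            if not addr.lower().endswith(suffix):
                hits.append((idx, addr))
    return hits


# Constructed attribute values, in the order an LDAP search returned them.
SAMPLE_VALUES = [
    '# $Rule Info: Order=2\nrequire ["fileinto"];\n'
    'if header :contains "Subject" "report" { fileinto "reports"; }',
    '# $Rule Info: Order=0\nif true { redirect "old@example.net"; }',
    'if header :contains "Subject" "invoice" { redirect "copy@example.net"; }',
    '# $Rule Info: Order=1\nif size :over 1M { discard; }',
    '# $Rule Info: Order=-5\nif true { redirect "rules@sesta.com"; }',
]

if __name__ == "__main__":
    print("evaluation order:", evaluation_order(SAMPLE_VALUES))
    print("external redirects:", external_redirects(SAMPLE_VALUES, "sesta.com"))
```

Disabled rules are skipped on purpose, so a forwarding rule that shows up here is one the server would apply.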
OID2.16.840.1.113730.3.1.775 mailSMTPSubmitChannelOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionMost commonly, this attribute is a factor involved in setting up guaranteed message delivery, or in setting up other special classes of service. When defined, this attribute tells the MTA to consider the channel named by this attribute to be the effective submission channel, if the SMTP AUTH is successful. ExamplemailSMTPSubmitChannel: tcp_tas OID 2.16.840.1.113730.3.1.776 mailUserStatusOriginMessaging Server 5.0 Syntaxcis, single-valued Object ClassesDefinitionCurrent status of the mail user. Can be one of the following values: active, inactive, deleted, hold, overquota, or removed. A missing value implies status is active. An illegal value is treated as inactive. Table 3–17 Mail User Status
There are four status attributes that mail services look at and which are evaluated in this order: inetDomainStatus, mailDomainStatus, inetUserStatus, and mailUserStatus. The rule is: the first of these attributes that is set to something other than active takes precedence over all the others. Note – LDAP_USER_STATUS is the MTA option that overrides the mailUserStatus attribute. The LDAP_USER_STATUS option does not affect the message store or Delegated Administrator commadmin utility, which only recognize and use the current value of mailUserStatus. ExamplemailUserStatus: active OID2.16.840.1.113730.3.1.778 maxPabEntriesOriginMessaging Server 5.0 Syntaxinteger, single-valued Object ClassesDefinitionSpecifies the maximum number of personal address book entries users are permitted to have in their personal address book store. A value of -1 implies there is no limit. If this attribute is not present then the system default specified in the personal address book configuration is used. ExamplemaxPabEntries: 1000 OID2.16.840.1.113730.3.1.705 memberOfOriginMessaging Server 5.0, deprecated in Messaging Server 6.0 for inetUser; Access Manager Syntaxdn, multi-valued Object ClassesDefinitionFor LDAP Schema 2, this attribute decorates inetAdmin, and specifies the DN of an assignable dynamic group to which a user belongs. It is used as the default well-known filtered attribute used in conjunction with mgrpDeliverTo to search for assignable dynamic group members. This attribute is deprecated for inetUser in Messaging Server 6.0 and is likely to be removed from the inetUser object class in future versions of the schema. For LDAP Schema 1, this attribute specifies the DN of a mailing list to which a user belongs, indicating static group membership as a backpointer. 
ExamplememberOf: cn=Administrators,ou=groups o=sesta.com,o=basedn OID1.2.840.113556.1.2.102 memberOfPABOriginMessaging Server 5.0 Syntaxcis, multi-valued Object ClassesDefinitionThe unique name (un) of the personal address book(s) in which this entry belongs. ExamplememberOfPAB:addressbook122FA7 OID2.16.840.1.113730.3.1.718 memberOfPABGroupOriginMessaging Server 5.0 Syntaxcis, multi-valued Object ClassesDefinitionUnique name of the personal group(s) in which this user belongs. ExamplememberOfPabGroup:testgroup15577F2D OID2.16.840.1.113730.3.1.719 memberURLOriginMessaging Server 5.2 Syntaxces, multi-valued Object ClassesgroupOfURLs DefinitionA list of URLs, which, when expanded, provides a list of mailing list member addresses. This is the preferred way to specify a dynamic mailing list. Alternately, you can use mgrpDeliverTo. The MTA option used to override this attribute’s value is LDAP_GROUP_URL2. ExamplememberURL:ldap://cn=jdoes, o=sesta.com OID2.16.840.1.113730.3.1.198 mgrpAddHeaderOriginNetscape Messaging Server Syntaxces, multi-valued Object ClassesDefinitionEach attribute value specifies a header field that is to be added to the message header if it is present. For the MTA, the values of these attributes are headers, which are used to set header-trimming ADD options. Note – LDAP_ADD_HEADER is the MTA option used to specify a different attribute name for this function. ExamplemgrpAddHeader:Reply-To: thisgroup@sesta.com OID2.16.840.1.113730.3.1.781 mgrpAllowedBroadcasterOriginMessaging Server 5.0 Syntaxces, multi-valued Object ClassesDefinitionIdentifies mail users allowed to send messages to the mail group. The purpose of this attribute is to restrict who can send messages to the mail group. If no instances of this attribute exist on the inetMailGroup entry, there are no restrictions on who can send messages to the mail group unless the mgrpAllowedDomain, mgrpDisallowedDomain, and mgrpDisAllowedBroadcaster attributes are used. 
The Messaging Server expects this attribute to contain either a distinguished name or an RFC822address using an LDAP URI or a mailto address (see example). If a distinguished name is used, it must represent a mailable entry or entries of type group or groupOfUniqueNames. (That is, the group entry must contain an email address in one of the following attributes: mail, mailAlternateAddress, mailEquivalentAddress.) If multi-valued, each URL or DN is expanded into a list of addresses and each address is checked against the current envelope “from” address. The message is allowed if there is a match. Any email addresses specified are expanded as if they are a mailing list. Unlike a mailing list, this expansion includes all the attributes used to store email addresses (normally mail, mailAlternateAddress, and mailEquivalentAddress). Thus, if an address for the list itself is specified as a mgrpAllowedBroadcaster, a user can subscribe to a restricted list using one address and use an alternate address to send messages to the list. If none of the attribute values is a valid URL, or none of the members of the group specified in the attribute value have a valid URL, the message will bounce or be directed to a moderator (as determined by the mgrpMsgRejectAction attribute). Note – LDAP_AUTH_URL is the MTA option used to specify a different attribute name for this function. ExamplemgrpAllowedBroadcaster: uid=bjensen,o=siroe.com mgrpAllowedBroadcaster: ldap:///uid=bjensen,o=siroe.com mgrpAllowedBroadcaster:mailto:group1@siroe.com OID2.16.840.1.113730.3.1.22 mgrpAllowedDomainOriginMessaging Server 5.0 Syntaxcis, multi-valued Object ClassesDefinitionIdentifies domains or subdomains from which users are allowed to send messages to the mail group. Note that glob-style wild carding can be used in the domains. In other words, any part of the domain specification can be wild carded. 
If no instances of this attribute exist on the inetMailGroup entry, then there are no restrictions on who can send messages to the mail group unless the mgrpAllowedBroadcaster, mgrpDisallowedBroadcaster, and mgrpDisallowedDomain attributes are used.
Note – LDAP_AUTH_DOMAIN is the MTA option used to specify a different attribute name for this function.
Examples:
mgrpAllowedDomain:siroe.com will only match the siroe.com domain.
mgrpAllowedDomain:*.siroe.com will match any subdomain of the siroe.com domain.
mgrpAllowedDomain:*.com will match any *.com domain.
mgrpAllowedDomain:siroe.* will match any top-level domain beginning with siroe.
OID: 2.16.840.1.113730.3.1.23

mgrpAuthPassword
Origin: Messaging Server 5.0
Syntax: ces, single-valued
Object Classes:
Definition: Specifies a password needed to post to the list. The presence of this attribute forces a reprocessing pass. As the message is enqueued to the reprocessing channel, the password is taken from the header and placed in the envelope. Then, while reprocessing, the password is taken from the envelope and checked against this attribute. Only passwords that are actually used are removed from the header field. This allows for routing to the moderator in the event of a password failure.
Note – LDAP_AUTH_PASSWORD is the MTA option used to specify a different attribute name for this function.
Example: No example given.
OID: 2.16.840.1.113730.3.1.783

mgrpBroadcasterPolicy
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Policy for determining allowed broadcaster. It specifies the level of authentication required to access the list of broadcaster addresses. The allowed values are:
Note – LDAP_AUTH_POLICY is the MTA option used to specify a different attribute name for this function.
Example: mgrpBroadcasterPolicy:AUTH_REQ
OID: 2.16.840.1.113730.3.1.3

mgrpDeliverTo
Origin: Messaging Server 5.0
Syntax: ces, multi-valued
Object Classes:
Definition: Used as an alternative method of specifying mail group membership. This can be used to create a dynamic mailing list. The preferred attribute to use for specifying a dynamic mail group is memberURL. The values of this attribute are a list of URLs, which, when expanded, provides mailing list member addresses. Messaging Server expects this attribute to contain an LDAP URL using the format described in RFC 1959. Any entries returned by the resulting LDAP search are members of the mailing group. There is a hard limit on the length of the search filter of 1024 bytes.
Note – LDAP_GROUP_URL1 is the MTA option used to specify a different attribute name for this function.
Example: This example returns all users in the United States Accounting department for Sesta corporation.
mgrpDeliverTo: ldap:///ou=Accounting,o=Sesta,c=US??sub?(&(objectClass=inetMailUser)(objectClass=inetOrgPerson))
OID: 2.16.840.1.113730.3.1.25

mgrpDisallowedBroadcaster
Origin: Messaging Server 5.0
Syntax: ces, multi-valued
Object Classes:
Definition: Identifies mail users not allowed to send messages to the mail group. If no instances of this attribute exist on the inetMailGroup entry, then there are no restrictions on who can send messages to the mail group unless the mgrpAllowedDomain and mgrpDisallowedDomain attributes are used.
Messaging Server expects this attribute to contain either a distinguished name or an RFC 822 address. If a distinguished name is used, it must represent a mailable entry or entries of type group or groupOfUniqueNames. (That is, the group entry must contain an email address in one of the following attributes: mail, mailAlternateAddress, mailEquivalentAddress.)
The distinguished name must be represented in the form of an LDAP URL as described in RFC 1959. If multi-valued, each URL is expanded into a list of addresses and each address is checked against the current envelope “from” address. The message is disallowed if there is a match.
Note – LDAP_CANT_URL is the MTA option used to specify a different attribute name for this function.
Example:
mgrpDisallowedBroadcaster: ldap:///uid=bjensen, o=sesta.com
mgrpDisallowedBroadcaster: mailto:sys50@sesta.com
OID: 2.16.840.1.113730.3.1.785

mgrpDisallowedDomain
Origin: Messaging Server 5.0
Syntax: cis, multi-valued
Object Classes:
Definition: Identifies domains from which users are not allowed to send messages to the mail group. This attribute is a private extension used by Messaging Server to manage mailing lists. If this attribute exists, then messages from listed domains are rejected. If no instances of this attribute exist on the inetMailGroup entry, then there are no restrictions on who can send messages to the mail group unless the mgrpAllowedBroadcaster, mgrpDisallowedBroadcaster, and mgrpAllowedDomain attributes are used.
Note – LDAP_CANT_DOMAIN is the MTA option used to specify a different attribute name for this function.
Example: mgrpDisallowedDomain:sesta.com
OID: 2.16.840.1.113730.3.1.784

mgrpErrorsTo
Origin: Messaging Server 5.0
Syntax: ces, single-valued
Object Classes:
Definition: Recipient of error messages generated when messages are submitted to this list. Recipient’s address can be specified using the mailto syntax, which includes an RFC 822 email address preceded by the keyword “mailto:” or simply an RFC 822 email address. Also supports LDAP URL syntax. However, if an LDAP URL is used, it must be one that produces a single address. The envelope originator (MAIL FROM) address is set to the value of this attribute.
Note – LDAP_ERRORS_TO is the MTA option used to specify a different attribute name for this function.
Examples:
Example 1: mgrpErrorsTo:mailto:jordan@siroe.com
Example 2: mgrpErrorsTo: ldap:///uid=ofanning,ou=people,o=siroe.com,o=isp
OID: 2.16.840.1.113730.3.1.26

mgrpModerator
Origin: Messaging Server 5.0
Syntax: ces, multi-valued
Object Classes:
Definition: LDAP URI or mailto URL identifying the moderators allowed to submit messages to this list. Only those messages that are submitted by the moderator are sent to the members of this list. Messages submitted by others are forwarded to the moderators for approval and resubmitting.
The URLs given as the value of this attribute are expanded into a series of addresses, and then compared with the envelope “from” address. If there is a match, group processing continues. If there is no match, the value of this attribute becomes the group URL, any list of RFC 822 addresses or DNs associated with the group is cleared, the delivery options for the group are set to “members,” and there is no further group processing for the failed URL (subsequent group attributes are ignored).
Note – LDAP_MODERATOR_URL is the MTA option used to specify a different attribute name for this function.
Example: mgrpModerator: mailto:jordan@sesta.com
OID: 2.16.840.1.113730.3.1.33

mgrpMsgMaxSize
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Maximum message size in bytes that can be sent to the group. Messaging Server expects zero or one instance of this attribute to exist for every mailGroup entry. If no entry exists, then no size limit is imposed on mail to the group. This attribute is obsolete, but still supported for backwards compatibility. Use mailMsgMaxBlocks instead.
Note – LDAP_ATTR_MAXIMUM_MESSAGE_SIZE is the MTA option used to specify a different attribute name for this function.
Example: mgrpMsgMaxSize:8000
OID: 2.16.840.1.113730.3.1.3

mgrpMsgPrefixText
Origin: Not implemented.
Syntax: UTF-8 text, single-valued
Object Classes:
Definition: Specifies the text to be added to the beginning of the message text. You must supply the formatting.
That is, you must insert CRLF where they belong in the text.
Note – LDAP_PREFIX_TEXT is the MTA option used to specify a different attribute name for this function.
Example: No example given.
OID: Unknown

mgrpMsgRejectAction
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Identifies the action to be taken when an email sent to a mail group is rejected. The Messaging Server may reject mail for the following reasons:
This attribute takes two values: reply and toModerator:
reply – The system produces an SMTP error, which is also the default if the attribute is not set. The text of the failure notice is stored in the mgrpMsgRejectText attribute.
toModerator – The mail is forwarded to the moderator for processing. The moderator is identified by the mgrpModerator attribute.
Note – LDAP_REJECT_ACTION is the MTA option used to specify a different attribute name for this function.
Example: mgrpMsgRejectAction: reply
OID: 2.16.840.1.113730.3.1.28

mgrpMsgRejectText
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Specifies the error text to use in the event of a group access failure. Because this text may appear in SMTP responses, this restricts the text to a single line of US-ASCII. This is implemented by reading only the first line of text in this attribute and using it only if it contains no 8 bit characters. (This is a limitation of the SMTP protocol.)
Example: No example given.
OID: 2.16.840.1.113730.3.1.29

mgrpMsgSuffixText
Origin: Not implemented.
Syntax: UTF-8 text, single-valued
Object Classes: inetMailGroup
Definition: Specifies the text to be appended to the text message. You must supply the formatting. That is, you must insert any CRLFs (carriage return, line feeds) that belong in the text.
Note – LDAP_SUFFIX_TEXT is the MTA option used to specify a different attribute name for this function.
Example: No example given.
OID: Unknown

mgrpNoDuplicateChecks
Origin: Messaging Server 5.0, not implemented going forward for Messaging Server 5.2
Syntax: cis, single-valued
Object Classes:
Definition: This attribute is no longer supported. Duplicate checking is controlled by characteristics of the lists themselves. Some lists combine and some lists don’t.
Old definition: Prevents Messaging Server from checking for duplicate delivery to members of the mail group. Prevents multiple deliveries if a user is on multiple lists. No means the system checks for duplicate delivery.
Yes means the system does not check for duplicate delivery.
Example: mgrpNoDuplicateChecks: yes
OID: 2.16.840.1.113730.3.1.789

mgrpRemoveHeader
Origin: Messaging Server 5.0
Syntax: cis, multi-valued
Object Classes:
Definition: Each attribute value specifies a header field that is to be removed from the message header, if present. Turns the headers specified into header trimming MAXLINES=-1 options.
Note – LDAP_REMOVE_HEADER is the MTA option used to specify a different attribute name for this function.
Example: No example given.
OID: 2.16.840.1.113730.3.1.801

mgrpRequestTo
This attribute has been removed from the schema. It is no longer supported. It only worked for dirsync mode, which was deprecated in Messaging Server 5.2.

mgrpRFC822MailMember
Origin: Messaging Server 5.0
Syntax: cis, multi-valued
Object Classes:
Definition: Identifies recipients of mail sent to mail group. Mail sent to both this attribute and uniqueMember attributes are not members of the mixed-in groupOfUniqueNames. This attribute represents mail recipients that cannot be expressed as distinguished names, or who are to be sent mail from this group but who do not have the full privileges of a unique group member. Messaging Server expects this attribute to contain RFC 822 mail addresses. Generally used for group members who are not in the local directory.
For backwards compatibility, rfc822MailMember is also supported. You can use either one or the other of these attributes in any given group, but not both.
Note – LDAP_GROUP_RFC822 is the MTA option used to specify a different attribute name for this function.
Example: mgrpRFC822MailMember:bjensen@siroe.com
OID: 2.16.840.1.113730.3.1.30

msgVanityDomain
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: This attribute and the object class using it are deprecated in the current release, and may not be supported in future releases. Sites should stop using this feature and consider migrating current vanity domains to hosted domains.
Example: No example given.
OID: 2.16.840.1.113730.3.1.799

multiLineDescription
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Detailed description of the distribution list. A dollar sign (“$”) creates a new line.
Example: multiLineDescription:People who like cats. $And are ambivalent about people.
OID: 1.3.6.1.4.1.250.1.2

nickName
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Identifies the short name used to locate a pabPerson or a pabGroup entry.
Example: nickname:Nick
OID: 2.16.840.1.113730.3.1.720

nswcalDisallowAccess
Origin: Netscape™ Calendar Hosting Server
Syntax: cis, single
Object Classes:
Definition: Lists the calendar protocols not allowed to be used by this user.
Example: No example given.
OID: 2.16.840.1.113730.3.1.539

nswmExtendedUserPrefs
Origin: Messaging Server 5.0
Syntax: cis, multi-valued
Object Classes:
Definition: This attribute holds the pairs that define client user preferences such as sort order, Mail From address, and so on. Each instance of this attribute is the tuple pref_name=pref_value. This is a proprietary syntax and the example below is for illustrative purposes only.
Example:
Example 1: nswmExtendedUserPrefs: meColorSet=4
Example 2: nswmExtendedUserPrefs: meSort=r
Example 3: nswmExtendedUserPrefs: meAutoSign=True
Example 4: nswmExtendedUserPrefs: meSignature=OtisFanning$ofanning@sesta.com
Example 5: nswmExtendedUserPrefs: meDraftFolder=Drafts
OID: 2.16.840.1.113730.3.1.520

o
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Name of the user’s company or organization. Abbreviation of organizationName.
Example: organizationName:Company22 Incorporated or o:Company22 Incorporated
OID: 2.5.4.10

objectClass
Origin: Messaging Server 5.0
Syntax: cis
Object Classes:
Definition: Specifies the objects for this object class.
Example: objectClass:person
OID: 2.5.4.0

organizationName (see o)
All information about this attribute found under o.

organizationUnitName (see ou)
All information about this attribute found under ou.
ou
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Name of the organization unit to which the user belongs. Abbreviation for organizationUnitName.
Example: organizationUnitName:docs or ou:docs
OID: 2.16.840.1.113730.3.1.722

owner
Origin: Messaging Server 5.0, Calendar Server
Syntax: dn, single-valued
Object Classes: groupOfUniqueNames, icsCalendarResource
Definition: Identifies the distinguished name (DN) of the person or group with administrative privileges over the entry. If the group has Calendar service (is a Calendar group), the owner must be a Calendar user in the same domain as the group. That is, Calendar service must be assigned to the owner as well as the Calendar group.
Example: owner:cn=John Smith,o=Sesta,c=US
OID: 2.5.4.32

pabURI
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: LDAP URI specifying the container of the personal address book entries for this user. It takes the following form: ldap://server:port/container_dn, where:
Example: pabURI: ldap://ldap.siroe.com:389/ou=ed,ou=people,o=sesta.com,o=isp,o=pab
OID: 2.16.840.1.113730.3.1.703

parentOrganization
Origin: Messaging Server 6.0, Calendar Server 6.0
Syntax: cis, single-valued
Object Classes: sunManagedSubOrganization
Definition: Specifies the logical parent of a suborganization. The value of this is the DN of the parent organization or parent suborganization.
Example: parentOrganization:o=sesta,o=com,o=internet
OID: Unknown

postalAddress
Origin: LDAP
Syntax: cis
Object Classes: icsCalendarResource, organization, organizationalUnit
Definition: Identifies the entry’s mailing address. This field is intended to include multiple lines. When represented in LDIF format, each line should be separated by a dollar sign ($). To represent an actual dollar sign (“$”) or back slash (“\”) within this text, use the escaped hex values, \24 and \5c respectively. For example, to represent the string:
The dollar ($) value can be found in the c:\cost file.
provide the string:
The dollar(\24) value can be found$in the c:\5ccost file.
Example: postalAddress:123 Oak Street$Anytown, CA$90101
OID: 2.5.4.16

preferredLanguage
Origin: Messaging Server 5.0, Calendar Server, Directory Server
Syntax:
Object Classes: icsCalendarUser, inetMailGroup, inetOrgPerson, iPlanetPreferences, mailDomain
Definition: Preferred written or spoken language for a person. The value for this attribute should conform to the syntax for HTTP Accept-Language header values. Messaging Server uses this attribute to figure the locale. It does not use the locale specified with iPlanetPreferences.
Also used by Access Manager in user LDAP entries to store a user’s preferred language. Note that only Access Manager uses the iPlanetPreferences object class to host this attribute.
Table 3–18 Language Strings for preferredLanguage Attribute
Example: preferredLanguage:en
OID: 2.16.840.1.113730.3.1.39

preferredMailHost
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: If you are provisioning an LDAP Schema 2 directory with Communications Suite Delegated Administrator: See preferredMailHost for a definition of how to use this attribute with Schema 2.
If you are provisioning an LDAP Schema 1 directory with iPlanet Delegated Administrator, use the following definition:
Used to set the mailHost attribute of newly created users in this mail domain. When a user is created, the mailHost attribute of the user entry is filled by the value of preferredMailHost.
Example: preferredMailHost:mail.siroe.com
OID: 2.16.840.1.113730.3.1.761

preferredMailMessageStore
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: If you are provisioning an LDAP Schema 2 directory with Communications Suite Delegated Administrator: See preferredMailMessageStore for a definition of how to use this attribute with Schema 2.
If you are provisioning an LDAP Schema 1 directory with iPlanet Delegated Administrator, use the following definition:
Used to set the mailMessageStore attribute of newly created users. If missing, Delegated Administrator leaves the mailMessageStore attribute empty and the access server assumes that the user’s mailbox is in the default partition of the server instance.
Example: preferredMailMessageStore: primary
OID: 2.16.840.1.113730.3.1.762

seeAlso
Origin: LDAP
Syntax: dn
Object Classes: groupOfUniqueNames, organization, organizationalUnit
Definition: Identifies another LDAP entry that may contain information related to this entry.
Example: seeAlso: cn=Quality Control Inspectors,ou=manufacturing,o=Company22, c=US
OID: 2.5.4.34

sn
Origin: LDAP
Syntax: cis
Object Classes:
Definition: Identifies the entry’s surname, also referred to as last name or family name.
Example: surname:jones
OID: 2.5.4.4

telephoneNumber
Origin: LDAP
Syntax: tel
Object Classes: domain, organization, organizationalUnit
Definition: Identifies the entry’s phone number.
Example: telephoneNumber:800-555-1212
OID: 2.5.4.20

uid
Origin: Calendar Server 5.0, Messaging Server 5.0
Syntax: cis, single-valued
Object Classes: icsCalendarResource, icsCalendarUser
Definition: Identifies the unique identifier for this user or resource within its relative namespace. All valid user and resource entries must have a uid attribute. Group entries may have a uid.
For Messaging Server, the uid is used to generate the user address to pass to the delivery channel. If a user entry does not have a uid attribute, the entry is ignored. If multiple uid attributes exist in an entry, only the first one is used.
The MTA option used to override this attribute’s value is LDAP_UID.
Example: uid:jdoe
OID: 0.9.2342.19200300.100.1.1

un
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Unique name assigned to PAB entry. This is also the naming attribute for entries created by this object class and is used to form the DN of all PAB entries, irrespective of the type (pab, pabPerson, or pabGroup).
Example: un:Nick
OID: 2.16.840.1.113730.3.1.717

uniqueMember
Origin: Messaging Server 5.0
Syntax: dn, multi-valued
Object Classes:
Definition: Identifies a member of a static group. Each member of the group is listed in the group’s LDAP entry using this attribute.
Example:
uniqueMember:uid=jdoe,ou=People,o=sesta.com,o=basedn
uniqueMember: uid=rsmith,ou=People,o=sesta.com,o=basedn
OID: 2.5.4.50

userId (see uid)
All information for this attribute found at uid.

userPassword
Origin: Messaging Server 5.0
Syntax: bin, single-valued
Even though RFC 2256 defines this attribute as multi-valued, for Sun Java™ System products, only one value is allowed.
Object Classes: inetUser, domain, organization, organizationalUnit
Definition: This attribute identifies the entry’s password and encryption method in the following format:
{encryption method}encrypted password
Transfer of cleartext passwords is strongly discouraged where the underlying transport service cannot guarantee confidentiality. Transfer of cleartext may result in disclosure of the password to unauthorized parties.
Example: userPassword:{sha}FTSLQhxXpA05
OID: 2.5.4.35

vacationEndDate
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Vacation end date and time. Date is in the following format: YYYYMMDDHHMMSSZ; where YYYY is the four digit year, MM is the two digit month, DD is the two digit day, HH is the two digit hour, and SS is the two digit second. Time is normalized to GMT. Z is the character Z.
When the current date falls outside the range of dates specified by the attributes vacationStartDate and vacationEndDate, then any delivery options (in the DELIVERY_OPTIONS list) prefixed with “^” are removed from the active set of options.
For example, if one of the DELIVERY_OPTIONS is “^*autoreply” and today’s date falls outside the vacation date range, then the option is removed from the active options list. Otherwise, the autoreply delivery option is activated.
Example: vacationEndDate:20000220000000Z
OID: 2.16.840.1.113730.3.1.708

vacationStartDate
Origin: Messaging Server 5.0
Syntax: cis, single-valued
Object Classes:
Definition: Vacation start date and time. Date is in the following format: YYYYMMDDHHMMSSZ; where YYYY is the four digit year, MM is the two digit month, DD is the two digit day, HH is the two digit hour, and SS is the two digit second. Time is normalized to GMT. Z is the character Z.
Example: vacationStartDate:20000215000000Z
OID: 2.16.840.1.113730.3.1.707

mgrpErrorsTo
Origin: Messaging Server
Syntax: cis, single-valued
Object Classes: inetMailGroup
Definition: The mgrpErrorsTo attribute specifies either an email address or a URL, which is resolved to produce an address. The address is placed in the MAIL FROM (envelope from) field of all messages the list produces. Additionally, the presence of the mgrpErrorsTo attribute causes the MTA to treat the group as a full-fledged mailing list and not as a simple autoforwarder.
The basic purpose of the MAIL FROM address is to create a place to send reports of message delivery problems. As such, the main effect of mgrpErrorsTo is to cause errors delivering list mail to be directed to the mgrpErrorsTo address.
Example: mgrpErrorsTo=mgrperrors.log@siroe.com
OID: 2.16.840.1.113730.3.1.26
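The posting restrictions described under mgrpAllowedBroadcaster and mgrpAllowedDomain earlier in this chapter can be reviewed across an exported directory. The following audit is an added example, not code from the original reference or from Messaging Server; the LDIF sample is constructed, the finding codes are hypothetical names, and Python's fnmatch is assumed to approximate the MTA's glob-style domain matching.

```python
import fnmatch

# Constructed sample export of three inetMailGroup entries (not real data).
SAMPLE_LDIF = """\
dn: cn=announce,ou=groups,o=siroe.com
objectClass: inetMailGroup
mail: announce@siroe.com
mgrpAllowedBroadcaster: mailto:announce@siroe.com
mgrpMsgRejectAction: toModerator

dn: cn=partners,ou=groups,o=siroe.com
objectClass: inetMailGroup
mail: partners@siroe.com
mgrpAllowedDomain: *.siroe.com
mgrpAllowedDomain:*.com

dn: cn=everyone,ou=groups,o=siroe.com
objectClass: inetMailGroup
mail: everyone@siroe.com
"""

# The four attributes that, per the reference, restrict who may post.
RESTRICTING = ("mgrpallowedbroadcaster", "mgrpalloweddomain",
               "mgrpdisallowedbroadcaster", "mgrpdisalloweddomain")


def parse_ldif(text):
    """Parse simple 'attr: value' LDIF; base64 ('::') and folded lines are not handled."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            # Attribute names are case-insensitive, so normalise them.
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def domain_matches(pattern, sender):
    """Glob-match the domain part of an envelope From address (assumed semantics)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return fnmatch.fnmatchcase(domain, pattern.lower())


def audit_group(entry):
    """Return sorted finding codes (hypothetical names) for one mail group."""
    findings = set()
    if not any(attr in entry for attr in RESTRICTING):
        findings.add("OPEN")  # no restriction attribute at all: anyone may post
    for pattern in entry.get("mgrpalloweddomain", []):
        # Heuristic: fewer than two literal labels means the wildcard spans a
        # whole TLD or registrable name, as in '*.com' or 'siroe.*'.
        literal = [p for p in pattern.split(".") if "*" not in p and "?" not in p]
        if len(literal) < 2:
            findings.add("BROAD_DOMAIN:" + pattern)
    own = {m.lower() for m in entry.get("mail", [])}
    for value in entry.get("mgrpallowedbroadcaster", []):
        # The list's own address as broadcaster lets members post from any of
        # their mail, mailAlternateAddress or mailEquivalentAddress values.
        if value.lower().startswith("mailto:") and value[7:].strip().lower() in own:
            findings.add("MEMBERS_ANY_ADDRESS")
    return sorted(findings)


def audit(text):
    """Map each entry's DN to its findings."""
    return {e["dn"][0]: audit_group(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_LDIF).items():
        print(dn, findings or ["ok"])
```

The audit does not model how allow and disallow attributes combine, because the reference does not state their precedence.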
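The postalAddress entry earlier in this chapter defines "$" as the line separator with \24 and \5c as escapes, and the order in which those escapes are applied decides whether a value round-trips. The codec below is an added example, not code from the original reference; its function names are hypothetical, and rejecting any other backslash is an assumption of this sketch.

```python
import re

# Only the two escapes the reference defines: \24 for '$' and \5c for '\'.
_ESCAPE = re.compile(r"\\(24|5[cC])")

# The encoded string given in the postalAddress definition.
PAGE_SAMPLE = r"The dollar(\24) value can be found$in the c:\5ccost file."


def encode_postal(lines):
    """Join address lines with '$'. Backslash is escaped before '$', otherwise
    the backslash introduced by \\24 would itself be escaped."""
    out = []
    for line in lines:
        out.append(line.replace("\\", "\\5c").replace("$", "\\24"))
    return "$".join(out)


def decode_postal(value):
    """Split on '$' (always a separator once encoded), then unescape in one pass."""
    lines = []
    for raw in value.split("$"):
        # Any backslash left after removing valid escapes is malformed input.
        if "\\" in _ESCAPE.sub("", raw):
            raise ValueError("stray backslash in %r" % raw)
        lines.append(_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw))
    return lines


def naive_decode(value):
    """Flawed on purpose: two sequential replaces decode '\\5c24' twice."""
    return [r.replace("\\5c", "\\").replace("\\24", "$") for r in value.split("$")]


if __name__ == "__main__":
    print(decode_postal(PAGE_SAMPLE))
    tricky = ["Unit $5", r"c:\cost", r"literal \24 text"]
    print(encode_postal(tricky))
    print(decode_postal(encode_postal(tricky)) == tricky)
    print(naive_decode(encode_postal(tricky)))
```

With the single-pass decoder, a line that literally contains the characters \24 survives a round trip; the two-step decoder turns it into a dollar sign.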