RapidIdentity Cloud Directory Schema

RapidIdentity Cloud Metadirectory Schema

The directory schema for RapidIdentity Cloud provides a set of rules that define the data elements to be stored and used by RapidIdentity.

To ensure consistency and continuity between RapidIdentity software releases, Identity Automation maintains a comprehensive change management process for the RapidIdentity Cloud Metadirectory. All proposed changes are reviewed by the Directory Change Control Board on a periodic basis and evaluated based on a myriad of factors including but not limited to the business justification and resulting impact associated with the proposed change.

As an integral component of the RapidIdentity System, proposed changes to the RapidIdentity Cloud Metadirectory are considered to be a new feature or a feature enhancement and submitted as Product Ideas via the Identity Automation Support Community. Idea submissions are evaluated on a periodic basis and approved based product fit, alignment with product strategy and customer and market demand.

People/Accounts

• All account entries must be put directly under ou=Accounts,dc=meta.
• All LDAP entries MUST contain objectClass=idautoPerson , a unique idautoID value and at least one unique idautoPersonUserNameMV value.
• The DN for all accounts must look like idautoID=<idautoID_value>,ou=Accounts,dc=meta .

Core Attributes

Attribute Name	Friendly Name	DataType	Multi-Valued	Unique	Indexes	Description / Constraints
idautoID	ID	UUID	N	Y	eq	Required unique GUID of the account Must not be changed after initial creation
idautoPersonUserNameMV	Usernames	String	Y	Y	eq, sub	Required unique usernames for the account
givenName	First Name	String	N	N	eq, sub	Person’s first name
sn	Last Name	String	N	N	eq, sub	Person’s last name
displayName	Display Name	String	N	N	eq, sub	Constructed by Connect, generally as “<givenName> <sn>”
mail	Email	String	N	Y	eq, sub	Primary organizational email account Must contain an '@'
idautoPersonEmailAddresses	Email Addresses	String	Y	Y	eq, sub	Current and past email addresses
idautoPersonHomeEmail	Personal Email Address	String	N	Y	eq, sub	Personal/Home email address for email to reset forgotten password and use as an auth method
idautoDisabled	-	Boolean	N	N	eq	If TRUE, the account is considered DISABLED in RapidIdentity The attribute should be cleared instead of set to FALSE
userPassword	-	Binary	N	N	-	Hashed account password
idauto-pwdPrivate	-	Binary	N	N	-	Encrypted password managed by the Identity Automation password filter Automatically managed / Not writeable
idauto-pwdPrivateTS	-	DateTime	N	N	eq	The date/time in which the idauto-pwdPrivate value was last set Automatically managed / Not writeable
idautoPersonPhotoURL	Photo URL	String	N	N	-	URL to the person’s profile image
mobile	Mobile Numbers	String	Y	N	-	Person’s mobile phone numbers
manager	Manager	DN	Y	N	eq	DNs of the person’s managers
directReports	-	DN	Y	N	eq	DNs of all of the person’s direct reports Automatically managed / Not writeable
idautoPersonEndDate	Expiration Date	DateTime	N	N	eq	Expiration date for Sponsored Accounts Can be used to store disable date from source systems for non-Sponsored Student Accounts
employeeType	Role	String	Y	N	eq	Valid values include: staff, student, teacher, sponsored, parent ID Hub only supports polices on staff, student, teacher RapidIdentity calls this Account Type
idautoChallengeSet	-	String	Y	N	-	Stores RapidIdentity challenge question/answer data for the person Existing data MUST NOT be updated by Connect
idautoChallengeSetTimestamp	-	DateTime	N	N	-	Date/time when the person last set up their challenge questions/answers Can be cleared to force the user to do challenge setup again at next login if their Challenge Policy requires it
idautoRequestAssociations	-	String	Y	N	eq	Contains the IDs of all granted, “bound” Workflow Entitlements for the person Data MUST NOT be updated by Connect Can be read to make policy or other decisions based on current RapidIdentity workflow entitlements
idautoPersonClaimCode	Claim Code	String	N	N	eq	Stores an arbitrary “claim code” used by the out-of-the-box RapidIdentity Claim Policy Has an attribute constraint enforcing a minimum of 8 characters (Introduced in schema version 2025-02-19-000) Uniqueness and other constraints are not enforced by the data store
idautoPersonClaimFlag	Claimed	Boolean	N	N	-	Set to TRUE by RapidIdentity when an account is successfully claimed Used as a filter term in the out-of-the-box RapidIdentity Claim Policy to ensure that an account may not be claimed more than once The attribute should be cleared instead of set to FALSE
memberOf		DN	Y	N		read-only - comes from slapo-memberof overlay

Profile Attributes

None of these attributes have a unique constraint.

Attribute Name	Friendly Name	Data Type	Multi-Valued	Indexes	Description / Constraints
l	City	String	Y	eq, sub	Person’s cities
st	State	String	Y	eq, sub	Person’s states
idautoPersonCountry	Country	String	Y	-	Person’s countries Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonStreetAddress	Street Address	String	Y	-	Person’s street addresses Note: Introduced in amazon-ricloud-2022-12-21
postalCode	Postal Code	String	Y	-	Person’s postal codes
idautoPersonMiddleName	Middle Name	String	N	-	Person’s middle name/initial Often used for username/email generation in Connect
idautoPersonOfficePhone	Office Phone	String	N	-	Person’s office phone number
idautoPersonPhoneExtension	Phone Extension	String	N	-	Person’s phone extension
idautoPersonHomePhone	Home Phone	String	N	-	Person’s home phone number
idautoPersonBirthdate	Birthdate	Date	N	-	Person’s birthdate Format: yyyy-MM-dd Often used for account claiming or help desk identification
idautoPersonTermDate	Source Termination DateLast Enroll Date	Date	N	-	Account termination date originating from source systems (for Students) Format: yyyy-MM-dd Often useful for making decisions in Connect
idautoPersonGraduationDate	Graduation Date	Date	N	-	This is used to store graduation date, as institutions typically allow students to access their data beyond their graduation Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonEmployeeTypes	Employee Types	String	Y	eq	Employee Types beyond what is stored in employeeType Examples: Teacher, Admin, Para Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonDeptCodes	Department Codes	String	Y	eq, sub	Codes for all departments in which the person is a member Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonDeptCode	Primary Department Code	String	N	eq, sub	Person’s primary department code Often used for dynamic role membership, RapidIdentity ACLs and making decisions in Connect
idautoPersonDeptDescrs	Departments	String	Y	eq, sub	Descriptions for all departments in which the person is a member Often used for dynamic role membership and other RapidIdentity ACLs Often on display in Delegation Profiles
idautoPersonDeptDescr	Department	String	N	eq, sub	Person’s primary department description Often used for dynamic role membership and other RapidIdentity ACLs Often on display in Delegation Profiles
idautoPersonLocCodes	Location Codes	String	Y	eq, sub	Codes for all locations associated with the person Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonLocCode	Primary Location Code	String	N	eq, sub	Person’s primary location code Often used for dynamic role membership, RapidIdentity ACLs and making decisions in Connect
idautoPersonLocNames	Locations	String	Y	eq, sub	Names for all locations associated with the person Often used for dynamic role membership and other RapidIdentity ACLs Often on display in Delegation Profiles
idautoPersonLocName	Primary Location	String	N	eq, sub	Person’s primary location name Often used for dynamic role membership and other RapidIdentity ACLs Often on display in Delegation Profiles
idautoPersonJobCodes	Job Codes	String	Y	eq, sub	Codes for all jobs associated with the person Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonJobCode	Job Code	String	N	eq, sub	Person’s primary job code Often used for dynamic role membership, RapidIdentity ACLs and making decisions in Connect
idautoPersonJobTitles	Job Titles	String	Y	eq, sub	Titles for all jobs associated with the person Often used for dynamic role membership and other RapidIdentity ACLs Often on display in Delegation Profiles
idautoPersonJobTitle	Job Title	String	N	eq, sub	Person’s primary job title Often used for dynamic role membership and other RapidIdentity ACLs Often on display in Delegation Profiles
idautoPersonAffiliations	Affiliations	String	Y	eq,sub	Used to store granular affiliations, such as Faculty, Staff, Emeritus, Retiree, Student Applicant, Student Admitted, Student Enrolled, Student Graduated, etc. Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonAffiliation	Primary Affiliation	String	N	eq,sub	Used to store primary affiliation associated with user Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonGender	Gender	String	N	-	Person’s gender Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonPronouns	Pronouns	String	Y	-	Person’s pronouns Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonProfileUrl	Profile Url	String	N	-	Person's Profile URL for Online directory, contact cards, brings up bio page Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonADProfilePath	AD Profile Path	String	N	-	Person’s Active Directory Home Directory Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonBadgeIDs	Badge IDs	String	Y	-	Person’s Associated Proximity Badge IDs Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonEnrollDate	Student Enrollment Date	Date	N	eq	Student Person’s Enrollment Date Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStartDate	Student Start Date	DateTime	N	eq	Student Person’s Start Date Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStaffStartDate	Staff Start Date	DateTime	N	eq	Staff Person’s Start Date (specifically for employees) Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStaffEndDate	Staff End Date	DateTime	N	eq	Staff Person’s End Date (specifically for employees) Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStaffAccessTermDate	Staff Access Termination Date	DateTime	N	eq	Staff Person’s Access Termination Date (specifically for employees) Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStaffLastDateWorked	Staff Last Date Worked	DateTime	N	eq	Staff Person’s Final Day of work (specifically for employees) Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonContractStartDate	Contractor Start Date	DateTime	N	eq	Contractor Person’s Start Date (specifically for contract employees) Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonContractEndDate	Contractor End Date	DateTime	N	eq	Contractor Person’s End Date (specifically for contract employees) Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonContractAccessTermDate	Contractor Access Termination Date	DateTime	N	eq	Contractor Person’s Access Termination Date (specifically for contract employees) Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonContractLastDateWorked	Contractor Last Date Worked	DateTime	N	eq	Contractor Person’s Final Day of work (specifically for contract employees) Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonAllAccessTermDate	All access termination date	DateTime	N	-	Person’s Complete access termination date (student, staff, contractor) Note: Introduced in amazon-ricloud-2023-07-01

Education Attributes

None of these attributes have unique constraints

Attribute Name	Friendly Name	DataType	Multi-Valued	Indexes	Description / Constraints
idautoPersonTeachers	Teachers	DN	Y	eq	DNs of all teachers associated with a Student person
idautoPersonStudents	-	DN	Y	eq	DNs of all students associated with a Teacher person Automatically managed / Not writeable
idautoPersonGradeLevel	Grade Level	String	Y	eq	Student grade level Valid values: https://ceds.ed.gov/CEDSElementDetails.aspx?TermId=7100 In the rare case where an individual Student is associated with multiple grade levels, the policy for working out the discrepancy will be implemented in Connect Was made multi-valued in: amazon-ricloud-2022-11-22
idautoPersonSchoolCodes	School Codes	String	Y	eq	Codes for all schools associated with the person Used by Insights/Analytics Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonSchoolNames	School Names	String	Y	eq, sub	Names of all schools associated with the person Often used for dynamic role membership and other RapidIdentity ACLs Often on display in Delegation Profiles
idautoPersonActivityCodes	Activity Codes	String	Y	-	Activity codes are used in determining permissions based on organizational attachment. For students, they are course related values, for employees they are related to positions and / or functions within the organization. Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonCourseIDs	Course IDs	String	Y	eq,sub	Course IDs for students Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonCourseCodes	Course Codes	String	Y	eq,sub	Course codes for students Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkStreetAddress	Work Street Address		Y	-	Person’s Work Street Address in a multi-line format Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkCity	Work City		N	-	Person’s Work City Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkState	Work State		N	-	Person’s Work State or Region Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkCountry	Work Country		N	-	Person’s Work Country Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkPostalCode	Work Postal Code		N	-	Person’s Work Postal Code Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonManagedOrgs	Managed Orgs		Y	-	Person’s List of organizations being managed (Organization IDs) Note: Introduced in amazon-ricloud-2023-07-01

Special Attributes

None of these attributes are multi-valued or have unique constraints

Attribute Name	Friendly Name	DataType	Indexes	Description / Constraints
idautoPersonStatusOverride	Override Source Status	Boolean	eq	If TRUE then the account's idautoDisabled value should not be changed automatically from source system data The attribute should be cleared instead of set to FALSE
idautoPersonStatusOverrideReason	Override Source Status Reason	String	-	When a status override is applied to an account, this free text attribute can be used to note the reasoning for future re-evaluation Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonStatusOverrideExpiration	Override Source Status Expiration	DateTime	-	Used to apply a long-term status override automatic expiration date, if it is known when an account is overridden when the override should automatically expire. This would allow a simple actionset to revoke the status override on the specified date. Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonRenameUsername	Rename Username	String	-	The new username which will be assigned to the account on the rename date For Connect: Any value populated here should also be populated in the idautoPersonUserNameMV attribute to “reserve” it For ID Hub customers, this attribute is managed. Will be made multi-valued in: amazon-ricloud-2025-01-23-001
idautoPersonRenameOverride	Override Renames	Boolean	eq	If TRUE then the account’s username should not be changed automatically from source system data The attribute should be cleared instead of set to FALSE Will be made available in: amazon-ricloud-2025-01-23-001
idautoPersonRenameFlagDate	Rename Date	Date	eq	The date which the account will be renamed Set by Connect to n days in the future where n is specified by some customer-defined policy Format: yyyy-MM-dd
idautoPersonActivationDate	Activation Date	Date	-	The date which the account should be automatically enabled Used by Connect in cases where an account needs to be created now but not enabled until a specific date Format: yyyy-MM-dd
idautoPersonSourceStatus	Source System Status	String	-	Contains arbitrary status value from source system (e.g. HR) Connect will use this as a basis for automatic RapidIdentity status changes
idautoPersonToSystem1	Sync Person to System 1	Boolean	-	Indicates whether Connect should sync the account to “System 1”
idautoPersonToSystem2	Sync Person to System 2	Boolean	-	Indicates whether Connect should sync the account to “System 2”
idautoPersonToSystem3	Sync Person to System 3	Boolean	-	Indicates whether Connect should sync the account to “System 3”
idautoPersonToSystem4	Sync Person to System 4	Boolean	-	Indicates whether Connect should sync the account to “System 4”
idautoPersonToSystem5	Sync Person to System 5	Boolean	-	Indicates whether Connect should sync the account to “System 5”
idautoPersonSafeIdCompromisedDate	Account Compromised Date	DateTime	pres	Indicates when a user’s account was marked as compromised via the SafeID feature Introduced in version amazon-ricloud-2022-03-01 Equality index changed to Presence index in version amazon-ricloud-2022-07-11
idautoPersonPreferredLanguage	Preferred Language	String	-	Person’s List of organizations being managed (Organization IDs) Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonPreferredLastName	Preferred Last Name	String	N	The last name the user wants or has elected to be known by Introduced in version: amazon-ricloud-2023-04-21
idautoPersonPreferredName	Preferred Name	String	N	The name the user wants or has elected to be known by Introduced in version: amazon-ricloud-2023-04-21
idautoPersonPasswordSet	Password Set	Boolean	N	Indicates that a user’s password has been set through some operation in RapidIdentity Introduced in version: amazon-ricloud-2024-06-21
idautoPersonSponsoredAccountStatus	-	String	N	Indicates a delayed status result for Sponsored Account operations that are synced via IDHub Introduced in version: amazon-riclound-2024-07-16

Other IDs

All of these attributes have a unique constraint.

Attribute Name	Friendly Name	DataType	Multi-Valued	Indexes	Description / Constraints
idautoPersonHRID	Employee ID	String	N	eq,sub	Meant to hold the unique identifier from the “HR System” Substring index added in version: amazon-ricloud-2022-03-01
idautoPersonStuID	Student ID	String	N	eq,sub	Meant to hold the unique identifier from the “Student Information System” Substring index added in version: amazon-ricloud-2022-03-01
idautoPersonPayrollID	Payroll ID	String	N	eq	Meant to hold the unique identifier from the “Payroll System”
idautoPersonSystem1ID	System 1 ID	String	N	eq	Meant to hold the unique identifier from “System 1”
idautoPersonSystem2ID	System 2 ID	String	N	eq	Meant to hold the unique identifier from “System 2”
idautoPersonSystem3ID	System 3 ID	String	N	eq	Meant to hold the unique identifier from “System 3”
idautoPersonSystem4ID	System 4 ID	String	N	eq	Meant to hold the unique identifier from “System 4”
idautoPersonSystem5ID	System 5 ID	String	N	eq	Meant to hold the unique identifier from “System 5”
idautoPersonStateID	State ID	String	N	eq	Meant to hold the unique identifier from “State” (Education)
idautoPersonDistrictID	District ID	String	N	eq	Meant to hold the unique identifier from “District” (Education)
idautoPersonSchoolID	School ID	String	N	eq	Meant to hold the unique identifier from “School” (Education)
idautoPersonSAMAccountName	AD Username	String	N	eq	Meant to hold the account’s current sAMAccountName value from AD Maximum length: 20
idautoPersonPrevSAMAccountNames	Previous AD Usernames	String	Y	eq	Meant to hold all of the account’s previous usernames Before ID Hub: Meant to hold the account’s current and all previous sAMAccountName values from AD Maximum length: 20 (until amazon-ricloud-2025-01-23-001when the length constraint is dropped)
idautoPersonManagerID	Manager ID	String	N	eq	Person’s Manager ID Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonNationalID	National ID	String	N	eq	Person’s National ID Note: Introduced in amazon-ricloud-2023-07-01

Extensible

None of these attribute has a unique constraint.

Attribute Name	Friendly Name	DataType	Multi-Valued	Unique	Indexes	Description / Constraints
idautoPersonExt1	Custom Attribute 1	String	Y	N	eq, sub	Custom attribute
idautoPersonExt2	Custom Attribute 2	String	Y	N	eq, sub	Custom attribute
idautoPersonExt3	Custom Attribute 3	String	Y	N	eq, sub	Custom attribute
idautoPersonExt4	Custom Attribute 4	String	Y	N	eq, sub	Custom attribute
idautoPersonExt5	Custom Attribute 5	String	Y	N	eq, sub	Custom attribute
idautoPersonExt6	Custom Attribute 6	String	Y	N	eq, sub	Custom attribute
idautoPersonExt7	Custom Attribute 7	String	Y	N	eq, sub	Custom attribute
idautoPersonExt8	Custom Attribute 8	String	Y	N	eq, sub	Custom attribute
idautoPersonExt9	Custom Attribute 9	String	Y	N	eq, sub	Custom attribute
idautoPersonExt10	Custom Attribute 10	String	Y	N	eq, sub	Custom attribute
idautoPersonExt11	Custom Attribute 11	String	Y	N	eq, sub	Custom attribute
idautoPersonExt12	Custom Attribute 12	String	Y	N	eq, sub	Custom attribute
idautoPersonExt13	Custom Attribute 13	String	Y	N	eq, sub	Custom attribute
idautoPersonExt14	Custom Attribute 14	String	Y	N	eq, sub	Custom attribute
idautoPersonExt15	Custom Attribute 15	String	Y	N	eq, sub	Custom attribute
idautoPersonExt16	Custom Attribute 16	String	Y	N	eq, sub	Custom attribute
idautoPersonExt17	Custom Attribute 17	String	Y	N	eq, sub	Custom attribute
idautoPersonExt18	Custom Attribute 18	String	Y	N	eq, sub	Custom attribute
idautoPersonExt19	Custom Attribute 19	String	Y	N	eq, sub	Custom attribute
idautoPersonExt20	Custom Attribute 20	String	Y	N	eq, sub	Custom attribute
idautoPersonExt21	Custom Attribute 21	String	Y	N	eq, sub	Custom attribute Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExt22	Custom Attribute 22	String	Y	N	eq, sub	Custom attribute Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExt23	Custom Attribute 23	String	Y	N	eq, sub	Custom attribute Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExt24	Custom Attribute 24	String	Y	N	eq, sub	Custom attribute Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExt25	Custom Attribute 25	String	Y	N	eq, sub	Custom attribute Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExtBool1	Custom Boolean Attribute 1	Boolean	N	N	eq	Custom Attribute The attribute should be cleared instead of set to FALSE
idautoPersonExtBool2	Custom Boolean Attribute 2	Boolean	N	N	eq	Custom Flag The attribute should be cleared instead of set to FALSE
idautoPersonExtBool3	Custom Boolean Attribute 3	Boolean	N	N	eq	Custom Flag The attribute should be cleared instead of set to FALSE
idautoPersonExtBool4	Custom Boolean Attribute 4	Boolean	N	N	eq	Custom Flag The attribute should be cleared instead of set to FALSE
idautoPersonExtBool5	Custom Boolean Attribute 5	Boolean	N	N	eq	Custom Flag The attribute should be cleared instead of set to FALSE
idautoPersonAppRoleFriendlyNames	App Role Friendly Names	String	Y	N	-	The friendly names for the App roles Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonAppRoles1	Application 1 Roles	String	Y	N	eq	Arbitrary role values for “Application 1” (e.g. AWS SAML Roles)
idautoPersonAppRoles2	Application 2 Roles	String	Y	N	eq	Arbitrary role values for “Application 2” (e.g. AWS SAML Roles)
idautoPersonAppRoles3	Application 3 Roles	String	Y	N	eq	Arbitrary role values for “Application 3” (e.g. AWS SAML Roles)
idautoPersonAppRoles4	Application 4 Roles	String	Y	N	eq	Arbitrary role values for “Application 4” (e.g. AWS SAML Roles)
idautoPersonAppRoles5	Application 5 Roles	String	Y	N	eq	Arbitrary role values for “Application 5” (e.g. AWS SAML Roles)
idautoPersonAppRoles6	Application 6 Roles	String	Y	N	eq	Arbitrary role values for “Application 6” (e.g. AWS SAML Roles)
idautoPersonAppRoles7	Application 7 Roles	String	Y	N	eq	Arbitrary role values for “Application 7” (e.g. AWS SAML Roles)
idautoPersonAppRoles8	Application 8 Roles	String	Y	N	eq	Arbitrary role values for “Application 8” (e.g. AWS SAML Roles)
idautoPersonAppRoles9	Application 9 Roles	String	Y	N	eq	Arbitrary role values for “Application 9” (e.g. AWS SAML Roles)
idautoPersonAppRoles10	Application 10 Roles	String	Y	N	eq	Arbitrary role values for “Application 10” (e.g. AWS SAML Roles)

Groups

• All account entries must be put directly under ou=Groups,dc=meta.
• All LDAP entries MUST contain objectClass=groupOfNames , objectClass=idautoGroup, a unique idautoID value and a unique cn value.
• The DN for all accounts must look like idautoID=<idautoID value>,ou=Groups,dc=meta

Core Attributes

Attribute Name	Friendly Name	DataType	Multi-Valued	Unique	Indexes	Description / Constraints
idautoID	ID	UUID	N	Y	eq	Required unique GUID of the group Must not be changed after initial creation
cn	Group Name	String	N	Y	eq, sub	Required unique name of the group
description	Group Description	String	N	N	eq, sub	Optional group description
member	-	DN	Y	N	eq	DNs of all current group members
idautoGroupOwners	-	DN	Y	N	eq	Owners of the group
idautoGroupCoOwners	-	DN	Y	N	eq	Co-owners (membership managers) of the group
idautoGroupCoOwnerEditable	-	Boolean	N	N	-	Whether co-owners may edit the group details
idautoGroupIncludeFilter	-	String	N	N	-	Dynamic membership filter
idautoGroupIncludeBaseDN	-	DN	N	N	-	Dynamic membership search base DN Consider this to be deprecated
idautoGroupExcludeFilter	-	String	N	N	-	Dynamic membership exclusion filter
idautoGroupExcludeBaseDN	-	DN	N	N	-	Dynamic membership exclusion search base DN Consider this to be deprecated
idautoGroupStaticIncludes	-	DN	Y	N	eq	DNs of all static group members
idautoGroupStaticExcludes	-	DN	Y	N	eq	DNs of all static group exclusions
idautoGroupSyncInterval	-	Integer	N	N	-	Automatic sync interval in hours (optional) This attribute it made obsolete in the 2023.05.0 release, which introduces a new paradigm for syncing groups based on a cron expression.
idautoGroupLastSynced	-	DateTime	N	N	eq	Date/Time when the membership was last synced

Special Attributes

Attribute Name	Friendly Name	DataType	Multi-Valued	Unique	Indexes	Description / Constraints
idautoGroupEmailAddress	Group Email Address	String	N	Y	eq, sub	Unique email address for “distribution list” groups
idautoGroupEmailAliases	Group Email Aliases	String	Y	Y	eq, sub	Unique email aliases for “distribution list” groups
idautoGroupToSystem1	Sync Group to System 1	Boolean	N	N	-	Flag indicating group should be synced to “System 1”
idautoGroupToSystem2	Sync Group to System 2	Boolean	N	N	-	Flag indicating group should be synced to “System 2”
idautoGroupToSystem3	Sync Group to System 3	Boolean	N	N	-	Flag indicating group should be synced to “System 3”
idautoGroupToSystem4	Sync Group to System 4	Boolean	N	N	-	Flag indicating group should be synced to “System 4”
idautoGroupToSystem5	Sync Group to System 5	Boolean	N	N	-	Flag indicating group should be synced to “System 5”
idautoGroupToSystem6	Sync Group to System 6	Boolean	N	N	-	Flag indicating group should be synced to “System 6”
idautoGroupToSystem7	Sync Group to System 7	Boolean	N	N	-	Flag indicating group should be synced to “System 7”
idautoGroupToSystem8	Sync Group to System 8	Boolean	N	N	-	Flag indicating group should be synced to “System 8”
idautoGroupToSystem9	Sync Group to System 9	Boolean	N	N	-	Flag indicating group should be synced to “System 9”
idautoGroupToSystem10	Sync Group to System 10	Boolean	N	N	-	Flag indicating group should be synced to “System 10”

Extensible

None of these attribute has a unique constraint.

Attribute Name	Friendly Name	DataType	Multi-Valued	Indexes	Description / Constraints
idautoGroupExt1	Custom Group Attribute 1	String	Y	eq, sub	Custom Attribute
idautoGroupExt2	Custom Group Attribute 1	String	Y	eq, sub	Custom Attribute
idautoGroupExt3	Custom Group Attribute 1	String	Y	eq, sub	Custom Attribute
idautoGroupExt4	Custom Group Attribute 1	String	Y	eq, sub	Custom Attribute
idautoGroupExt5	Custom Group Attribute 1	String	Y	eq, sub	Custom Attribute

Operational

• Read-only attributes not associated with any particular class but available on all.

Operational Attributes

Attribute Name	Friendly Name	DataType	Multi-Valued	Unique	Indexes	Description / Constraints
memberOf		DN	Y	N		read-only - comes from slapo-memberof overlay
entryDN		DN	N	N		read-only - the DN name of the object
createTimestamp		DateTime	N	N		read-only - the creation timestamp of the object
modifyTimestamp		DateTime	N	N		read-only - the most recent modification timestamp of the object
creatorsName		DN	N	N		read-only - the DN of the creator of the object
modifiersName		DN	N	N		read-only - the DN of the most recent modifier of the object

Updated on Sat Jun 14 2025 03:36:15 GMT-0400 (Eastern Daylight Time)