RapidIdentity Cloud Directory Schema
  • 22 Dec 2024
  • 12 Minutes to read
  • Dark
    Light

RapidIdentity Cloud Directory Schema

  • Dark
    Light

Article summary

RapidIdentity Cloud Metadirectory Schema

The directory schema for RapidIdentity Cloud provides a set of rules that define the data elements to be stored and used by RapidIdentity.

To ensure consistency and continuity between RapidIdentity software releases, Identity Automation maintains a comprehensive change management process for the RapidIdentity Cloud Metadirectory. All proposed changes are reviewed by the Directory Change Control Board on a periodic basis and evaluated based on a myriad of factors including but not limited to the business justification and resulting impact associated with the proposed change.

As an integral component of the RapidIdentity System, proposed changes to the RapidIdentity Cloud Metadirectory are considered to be a new feature or a feature enhancement and submitted as Product Ideas via the Identity Automation Support Community. Idea submissions are evaluated on a periodic basis and approved based product fit, alignment with product strategy and customer and market demand.

People/Accounts

  • All account entries must be put directly under ou=Accounts,dc=meta.
  • All LDAP entries MUST contain objectClass=idautoPerson , a unique idautoID value and at least one unique idautoPersonUserNameMV value.
  • The DN for all accounts must look like idautoID=<idautoID_value>,ou=Accounts,dc=meta .

Core Attributes

Attribute NameFriendly NameDataTypeMulti-ValuedUniqueIndexesDescription / Constraints
idautoIDIDUUIDNYeq
  • Required unique GUID of the account
  • Must not be changed after initial creation
idautoPersonUserNameMVUsernamesStringYYeq, sub
  • Required unique usernames for the account
givenNameFirst NameStringNNeq, sub
  • Person’s first name
snLast NameStringNNeq, sub
  • Person’s last name
displayNameDisplay NameStringNNeq, sub
  • Constructed by Connect, generally as “<givenName> <sn>
mailEmailStringNYeq, sub
  • Primary organizational email account
  • Must contain an '@'
idautoPersonEmailAddresses Email AddressesStringYYeq, sub
  • Current and past email addresses
idautoPersonHomeEmailPersonal Email AddressStringNYeq, sub
  • Personal/Home email address for email to reset forgotten password and use as an auth method
idautoDisabled-BooleanNNeq
  • If TRUE, the account is considered DISABLED in RapidIdentity
  • The attribute should be cleared instead of set to FALSE
userPassword-BinaryNN-
  • Hashed account password
idauto-pwdPrivate-BinaryNN-
  • Encrypted password managed by the Identity Automation password filter
  • Automatically managed / Not writeable
idauto-pwdPrivateTS-DateTimeNNeq
  • The date/time in which the idauto-pwdPrivate value was last set
  • Automatically managed / Not writeable
idautoPersonPhotoURLPhoto URLStringNN-
  • URL to the person’s profile image
mobileMobile NumbersStringYN-
  • Person’s mobile phone numbers
managerManagerDNYNeq
  • DNs of the person’s managers
directReports-DNYNeq
  • DNs of all of the person’s direct reports
  • Automatically managed / Not writeable
idautoPersonEndDateExpiration DateDateTimeNNeq
  • Expiration date for Sponsored Accounts
  • Can be used to store disable date from source systems for non-Sponsored Student Accounts
employeeTypeRoleStringYNeq
  • Valid values include: staff, student, teacher, sponsored, parent
  • ID Hub only supports polices on staff, student, teacher
  • RapidIdentity calls this Account Type
idautoChallengeSet-StringYN-
  • Stores RapidIdentity challenge question/answer data for the person
  • Existing data MUST NOT be updated by Connect
idautoChallengeSetTimestamp-DateTimeNN-
  • Date/time when the person last set up their challenge questions/answers
  • Can be cleared to force the user to do challenge setup again at next login if their Challenge Policy requires it
idautoRequestAssociations-StringYNeq
  • Contains the IDs of all granted, “bound” Workflow Entitlements for the person
  • Data MUST NOT be updated by Connect
  • Can be read to make policy or other decisions based on current RapidIdentity workflow entitlements
idautoPersonClaimCodeClaim CodeStringNNeq
  • Stores an arbitrary “claim code” used by the out-of-the-box RapidIdentity Claim Policy
  • Uniqueness and other constraints are not enforced by the data store
idautoPersonClaimFlagClaimedBooleanNN-
  • Set to TRUE by RapidIdentity when an account is successfully claimed
  • Used as a filter term in the out-of-the-box RapidIdentity Claim Policy to ensure that an account may not be claimed more than once
    • The attribute should be cleared instead of set to FALSE
memberOf

DNYN

  • read-only - comes from slapo-memberof overlay

Profile Attributes

None of these attributes have a unique constraint.
Attribute NameFriendly NameData TypeMulti-ValuedIndexesDescription / Constraints
lCityStringYeq, sub
  • Person’s cities
stStateStringYeq, sub
  • Person’s states
idautoPersonCountryCountryStringY-
  • Person’s countries
Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonStreetAddressStreet AddressStringY-
  • Person’s street addresses
Note: Introduced in amazon-ricloud-2022-12-21
postalCodePostal CodeStringY-
  • Person’s postal codes
idautoPersonMiddleNameMiddle NameStringN-
  • Person’s middle name/initial
  • Often used for username/email generation in Connect
idautoPersonOfficePhoneOffice PhoneStringN-
  • Person’s office phone number
idautoPersonPhoneExtensionPhone ExtensionStringN-
  • Person’s phone extension
idautoPersonHomePhoneHome PhoneStringN-
  • Person’s home phone number
idautoPersonBirthdateBirthdateDateN-
  • Person’s birthdate
  • Format: yyyy-MM-dd
  • Often used for account claiming or help desk identification
idautoPersonTermDateSource Termination DateLast Enroll DateDateN-
  • Account termination date originating from source systems (for Students)
  • Format: yyyy-MM-dd
  • Often useful for making decisions in Connect
idautoPersonGraduationDateGraduation DateDateN-
  • This is used to store graduation date, as institutions typically allow students to access their data beyond their graduation
Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonEmployeeTypesEmployee TypesStringYeq
  • Employee Types beyond what is stored in employeeType
  • Examples: Teacher, Admin, Para
  • Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonDeptCodesDepartment CodesStringYeq, sub
  • Codes for all departments in which the person is a member
  • Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonDeptCodePrimary Department CodeStringNeq, sub
  • Person’s primary department code
  • Often used for dynamic role membership, RapidIdentity ACLs and making decisions in Connect
idautoPersonDeptDescrsDepartmentsStringYeq, sub
  • Descriptions for all departments in which the person is a member
  • Often used for dynamic role membership and other RapidIdentity ACLs
  • Often on display in Delegation Profiles
idautoPersonDeptDescrDepartmentStringNeq, sub
  • Person’s primary department description
  • Often used for dynamic role membership and other RapidIdentity ACLs
  • Often on display in Delegation Profiles
idautoPersonLocCodesLocation CodesStringYeq, sub
  • Codes for all locations associated with the person
  • Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonLocCodePrimary Location CodeStringNeq, sub
  • Person’s primary location code
  • Often used for dynamic role membership, RapidIdentity ACLs and making decisions in Connect
idautoPersonLocNamesLocationsStringYeq, sub
  • Names for all locations associated with the person
  • Often used for dynamic role membership and other RapidIdentity ACLs
  • Often on display in Delegation Profiles
idautoPersonLocNamePrimary LocationStringNeq, sub
  • Person’s primary location name
  • Often used for dynamic role membership and other RapidIdentity ACLs
  • Often on display in Delegation Profiles
idautoPersonJobCodesJob CodesStringYeq, sub
  • Codes for all jobs associated with the person
  • Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonJobCodeJob CodeStringNeq, sub
  • Person’s primary job code
  • Often used for dynamic role membership, RapidIdentity ACLs and making decisions in Connect
idautoPersonJobTitlesJob TitlesStringYeq, sub
  • Titles for all jobs associated with the person
  • Often used for dynamic role membership and other RapidIdentity ACLs
  • Often on display in Delegation Profiles
idautoPersonJobTitleJob TitleStringNeq, sub
  • Person’s primary job title
  • Often used for dynamic role membership and other RapidIdentity ACLs
  • Often on display in Delegation Profiles
idautoPersonAffiliationsAffiliationsStringYeq,sub
  • Used to store granular affiliations, such as Faculty, Staff, Emeritus, Retiree, Student Applicant, Student Admitted, Student Enrolled, Student Graduated, etc.
Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonAffiliationPrimary AffiliationStringNeq,sub
  • Used to store primary affiliation associated with user
Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonGenderGenderStringN-
  • Person’s gender
Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonPronounsPronounsStringY-
  • Person’s pronouns
Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonProfileUrlProfile UrlStringN-
  • Person's Profile URL for Online directory, contact cards, brings up bio page
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonADProfilePathAD Profile PathStringN-
  • Person’s Active Directory Home Directory
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonBadgeIDsBadge IDsStringY-
  • Person’s Associated Proximity Badge IDs
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonEnrollDateStudent Enrollment DateDateNeq
  • Student Person’s Enrollment Date
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStartDateStudent Start DateDateTimeNeq
  • Student Person’s Start Date
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStaffStartDateStaff Start DateDateTimeNeq
  • Staff Person’s Start Date (specifically for employees)
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStaffEndDateStaff End DateDateTimeNeq
  • Staff Person’s End Date (specifically for employees)
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStaffAccessTermDateStaff Access Termination DateDateTimeNeq
  • Staff Person’s Access Termination Date (specifically for employees)
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonStaffLastDateWorkedStaff Last Date WorkedDateTimeNeq
  • Staff Person’s Final Day of work (specifically for employees)
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonContractStartDateContractor Start DateDateTimeNeq
  • Contractor Person’s Start Date (specifically for contract employees)
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonContractEndDateContractor End DateDateTimeNeq
  • Contractor Person’s End Date (specifically for contract employees)
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonContractAccessTermDateContractor Access Termination DateDateTimeNeq
  • Contractor Person’s Access Termination Date (specifically for contract employees)
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonContractLastDateWorkedContractor Last Date WorkedDateTimeNeq
  • Contractor Person’s Final Day of work (specifically for contract employees)
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonAllAccessTermDateAll access termination dateDateTimeN-
  • Person’s Complete access termination date (student, staff, contractor)
Note: Introduced in amazon-ricloud-2023-07-01

Education Attributes

None of these attributes have unique constraints
Attribute NameFriendly NameDataTypeMulti-ValuedIndexesDescription / Constraints
idautoPersonTeachersTeachersDNYeq
  • DNs of all teachers associated with a Student person
idautoPersonStudents-DNYeq
  • DNs of all students associated with a Teacher person
  • Automatically managed / Not writeable
idautoPersonGradeLevelGrade LevelStringYeq
idautoPersonSchoolCodesSchool CodesStringYeq
  • Codes for all schools associated with the person
  • Used by Insights/Analytics
  • Often used for dynamic role membership and other RapidIdentity ACLs
idautoPersonSchoolNamesSchool NamesStringYeq, sub
  • Names of all schools associated with the person
  • Often used for dynamic role membership and other RapidIdentity ACLs
  • Often on display in Delegation Profiles
idautoPersonActivityCodesActivity CodesStringY-
  • Activity codes are used in determining permissions based on organizational attachment. For students, they are course related values, for employees they are related to positions and / or functions within the organization.
Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonCourseIDsCourse IDsStringYeq,sub
  • Course IDs for students
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonCourseCodesCourse CodesStringYeq,sub
  • Course codes for students
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkStreetAddressWork Street Address

Y-
  • Person’s Work Street Address in a multi-line format
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkCityWork City

N-
  • Person’s Work City
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkStateWork State

N-
  • Person’s Work State or Region
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkCountryWork Country

N-
  • Person’s Work Country
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonWorkPostalCodeWork Postal Code

N-
  • Person’s Work Postal Code
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonManagedOrgsManaged Orgs

Y-
  • Person’s List of organizations being managed (Organization IDs)
Note: Introduced in amazon-ricloud-2023-07-01

Special Attributes

None of these attributes are multi-valued or have unique constraints
Attribute NameFriendly NameDataTypeIndexesDescription / Constraints
idautoPersonStatusOverrideOverride Source StatusBooleaneq
  • If TRUE then the account's idautoDisabled value should not be changed automatically from source system data
  • The attribute should be cleared instead of set to FALSE
idautoPersonStatusOverrideReasonOverride Source Status ReasonString-
  • When a status override is applied to an account, this free text attribute can be used to note the reasoning for future re-evaluation
Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonStatusOverrideExpirationOverride Source Status ExpirationDateTime-
  • Used to apply a long-term status override automatic expiration date, if it is known when an account is overridden when the override should automatically expire. This would allow a simple actionset to revoke the status override on the specified date.
Note: Introduced in amazon-ricloud-2022-12-21
idautoPersonRenameUsernameRename UsernameString-
  • The new username which will be assigned to the account on the rename date
  • For Connect: Any value populated here should also be populated in the idautoPersonUserNameMV attribute to “reserve” it
  • For ID Hub customers, this attribute is managed.
  • Will be made multi-valued in: amazon-ricloud-2024-12-11 (version number pending)
idautoPersonRenameOverrideOverride RenamesBooleaneq
  • If TRUE then the account’s username should not be changed automatically from source system data
  • The attribute should be cleared instead of set to FALSE
  • Will be made available in: amazon-ricloud-2024-12-11 (version number pending)
idautoPersonRenameFlagDateRename DateDateeq
  • The date which the account will be renamed
  • Set by Connect to n days in the future where n is specified by some customer-defined policy
  • Format: yyyy-MM-dd
idautoPersonActivationDateActivation DateDate-
  • The date which the account should be automatically enabled
  • Used by Connect in cases where an account needs to be created now but not enabled until a specific date
  • Format: yyyy-MM-dd
idautoPersonSourceStatusSource System StatusString-
  • Contains arbitrary status value from source system (e.g. HR)
  • Connect will use this as a basis for automatic RapidIdentity status changes
idautoPersonToSystem1Sync Person to System 1Boolean-
  • Indicates whether Connect should sync the account to “System 1”
idautoPersonToSystem2Sync Person to System 2Boolean-
  • Indicates whether Connect should sync the account to “System 2”
idautoPersonToSystem3Sync Person to System 3Boolean-
  • Indicates whether Connect should sync the account to “System 3”
idautoPersonToSystem4Sync Person to System 4Boolean-
  • Indicates whether Connect should sync the account to “System 4”
idautoPersonToSystem5Sync Person to System 5Boolean-
  • Indicates whether Connect should sync the account to “System 5”
idautoPersonSafeIdCompromisedDateAccount Compromised DateDateTimepres
  • Indicates when a user’s account was marked as compromised via the SafeID feature
Introduced in version amazon-ricloud-2022-03-01 Equality index changed to Presence index in version amazon-ricloud-2022-07-11
idautoPersonPreferredLanguagePreferred LanguageString-
  • Person’s List of organizations being managed (Organization IDs)
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonPreferredLastNamePreferred Last NameStringN
  • The last name the user wants or has elected to be known by
  • Introduced in version: amazon-ricloud-2023-04-21
idautoPersonPreferredNamePreferred NameStringN
  • The name the user wants or has elected to be known by
  • Introduced in version: amazon-ricloud-2023-04-21
idautoPersonPasswordSetPassword SetBooleanN
  • Indicates that a user’s password has been set through some operation in RapidIdentity
  • Introduced in version: amazon-ricloud-2024-06-21
idautoPersonSponsoredAccountStatus-StringN
  • Indicates a delayed status result for Sponsored Account operations that are synced via IDHub
  • Introduced in version: amazon-riclound-2024-07-16

Other IDs

All of these attributes have a unique constraint.
Attribute NameFriendly NameDataTypeMulti-ValuedIndexesDescription / Constraints
idautoPersonHRIDEmployee IDStringNeq,sub
  • Meant to hold the unique identifier from the “HR System”
Substring index added in version: amazon-ricloud-2022-03-01
idautoPersonStuIDStudent IDStringNeq,sub
  • Meant to hold the unique identifier from the “Student Information System”
Substring index added in version: amazon-ricloud-2022-03-01
idautoPersonPayrollIDPayroll IDStringNeq
  • Meant to hold the unique identifier from the “Payroll System”
idautoPersonSystem1IDSystem 1 IDStringNeq
  • Meant to hold the unique identifier from “System 1”
idautoPersonSystem2IDSystem 2 IDStringNeq
  • Meant to hold the unique identifier from “System 2”
idautoPersonSystem3IDSystem 3 IDStringNeq
  • Meant to hold the unique identifier from “System 3”
idautoPersonSystem4IDSystem 4 IDStringNeq
  • Meant to hold the unique identifier from “System 4”
idautoPersonSystem5IDSystem 5 IDStringNeq
  • Meant to hold the unique identifier from “System 5”
idautoPersonStateIDState IDStringNeq
  • Meant to hold the unique identifier from “State” (Education)
idautoPersonDistrictIDDistrict IDStringNeq
  • Meant to hold the unique identifier from “District” (Education)
idautoPersonSchoolIDSchool IDStringNeq
  • Meant to hold the unique identifier from “School” (Education)
idautoPersonSAMAccountNameAD UsernameStringNeq
  • Meant to hold the account’s current sAMAccountName value from AD
  • Maximum length: 20
idautoPersonPrevSAMAccountNamesPrevious AD UsernamesStringYeq
  • Meant to hold the account’s current and all previous sAMAccountName values from AD
  • Maximum length: 20
idautoPersonManagerIDManager IDStringNeq
  • Person’s Manager ID
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonNationalIDNational IDStringNeq
  • Person’s National ID
Note: Introduced in amazon-ricloud-2023-07-01

Extensible

None of these attribute has a unique constraint.
Attribute NameFriendly NameDataTypeMulti-ValuedUniqueIndexesDescription / Constraints
idautoPersonExt1Custom Attribute 1StringYNeq, sub
  • Custom attribute
idautoPersonExt2Custom Attribute 2StringYNeq, sub
  • Custom attribute
idautoPersonExt3Custom Attribute 3StringYNeq, sub
  • Custom attribute
idautoPersonExt4Custom Attribute 4StringYNeq, sub
  • Custom attribute
idautoPersonExt5Custom Attribute 5StringYNeq, sub
  • Custom attribute
idautoPersonExt6Custom Attribute 6StringYNeq, sub
  • Custom attribute
idautoPersonExt7Custom Attribute 7StringYNeq, sub
  • Custom attribute
idautoPersonExt8Custom Attribute 8StringYNeq, sub
  • Custom attribute
idautoPersonExt9Custom Attribute 9StringYNeq, sub
  • Custom attribute
idautoPersonExt10Custom Attribute 10StringYNeq, sub
  • Custom attribute
idautoPersonExt11Custom Attribute 11StringYNeq, sub
  • Custom attribute
idautoPersonExt12Custom Attribute 12StringYNeq, sub
  • Custom attribute
idautoPersonExt13Custom Attribute 13StringYNeq, sub
  • Custom attribute
idautoPersonExt14Custom Attribute 14StringYNeq, sub
  • Custom attribute
idautoPersonExt15Custom Attribute 15StringYNeq, sub
  • Custom attribute
idautoPersonExt16Custom Attribute 16StringYNeq, sub
  • Custom attribute
idautoPersonExt17Custom Attribute 17StringYNeq, sub
  • Custom attribute
idautoPersonExt18Custom Attribute 18StringYNeq, sub
  • Custom attribute
idautoPersonExt19Custom Attribute 19StringYNeq, sub
  • Custom attribute
idautoPersonExt20Custom Attribute 20StringYNeq, sub
  • Custom attribute
idautoPersonExt21Custom Attribute 21StringYNeq, sub
  • Custom attribute
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExt22Custom Attribute 22StringYNeq, sub
  • Custom attribute
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExt23Custom Attribute 23StringYNeq, sub
  • Custom attribute
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExt24Custom Attribute 24StringYNeq, sub
  • Custom attribute
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExt25Custom Attribute 25StringYNeq, sub
  • Custom attribute
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonExtBool1Custom Boolean Attribute 1BooleanNNeq
  • Custom Attribute
  • The attribute should be cleared instead of set to FALSE
idautoPersonExtBool2Custom Boolean Attribute 2BooleanNNeq
  • Custom Flag
  • The attribute should be cleared instead of set to FALSE
idautoPersonExtBool3Custom Boolean Attribute 3BooleanNNeq
  • Custom Flag
  • The attribute should be cleared instead of set to FALSE
idautoPersonExtBool4Custom Boolean Attribute 4BooleanNNeq
  • Custom Flag
  • The attribute should be cleared instead of set to FALSE
idautoPersonExtBool5Custom Boolean Attribute 5BooleanNNeq
  • Custom Flag
  • The attribute should be cleared instead of set to FALSE
idautoPersonAppRoleFriendlyNamesApp Role Friendly NamesStringYN-
  • The friendly names for the App roles
Note: Introduced in amazon-ricloud-2023-07-01
idautoPersonAppRoles1Application 1 RolesStringYNeq
  • Arbitrary role values for “Application 1” (e.g. AWS SAML Roles)
idautoPersonAppRoles2Application 2 RolesStringYNeq
  • Arbitrary role values for “Application 2” (e.g. AWS SAML Roles)
idautoPersonAppRoles3Application 3 RolesStringYNeq
  • Arbitrary role values for “Application 3” (e.g. AWS SAML Roles)
idautoPersonAppRoles4Application 4 RolesStringYNeq
  • Arbitrary role values for “Application 4” (e.g. AWS SAML Roles)
idautoPersonAppRoles5Application 5 RolesStringYNeq
  • Arbitrary role values for “Application 5” (e.g. AWS SAML Roles)
idautoPersonAppRoles6Application 6 RolesStringYNeq
  • Arbitrary role values for “Application 6” (e.g. AWS SAML Roles)
idautoPersonAppRoles7Application 7 RolesStringYNeq
  • Arbitrary role values for “Application 7” (e.g. AWS SAML Roles)
idautoPersonAppRoles8Application 8 RolesStringYNeq
  • Arbitrary role values for “Application 8” (e.g. AWS SAML Roles)
idautoPersonAppRoles9Application 9 RolesStringYNeq
  • Arbitrary role values for “Application 9” (e.g. AWS SAML Roles)
idautoPersonAppRoles10Application 10 RolesStringYNeq
  • Arbitrary role values for “Application 10” (e.g. AWS SAML Roles)

Groups

  • All account entries must be put directly under ou=Groups,dc=meta.
  • All LDAP entries MUST contain objectClass=groupOfNames , objectClass=idautoGroup, a unique idautoID value and a unique cn value.
  • The DN for all accounts must look like idautoID=<idautoID value>,ou=Groups,dc=meta

Core Attributes

Attribute NameFriendly NameDataTypeMulti-ValuedUniqueIndexesDescription / Constraints
idautoIDIDUUIDNYeq
  • Required unique GUID of the group
  • Must not be changed after initial creation
cnGroup NameStringNYeq, sub
  • Required unique name of the group
descriptionGroup DescriptionStringNNeq, sub
  • Optional group description
member-DNYNeq
  • DNs of all current group members
idautoGroupOwners-DNYNeq
  • Owners of the group
idautoGroupCoOwners-DNYNeq
  • Co-owners (membership managers) of the group
idautoGroupCoOwnerEditable-BooleanNN-
  • Whether co-owners may edit the group details
idautoGroupIncludeFilter-StringNN-
  • Dynamic membership filter
idautoGroupIncludeBaseDN-DNNN-
  • Dynamic membership search base DN
  • Consider this to be deprecated
idautoGroupExcludeFilter-StringNN-
  • Dynamic membership exclusion filter
idautoGroupExcludeBaseDN-DNNN-
  • Dynamic membership exclusion search base DN
  • Consider this to be deprecated
idautoGroupStaticIncludes-DNYNeq
  • DNs of all static group members
idautoGroupStaticExcludes-DNYNeq
  • DNs of all static group exclusions
idautoGroupSyncInterval-IntegerNN-
  • Automatic sync interval in hours (optional)
  • This attribute it made obsolete in the 2023.05.0 release, which introduces a new paradigm for syncing groups based on a cron expression.
idautoGroupLastSynced-DateTimeNNeq
  • Date/Time when the membership was last synced

Special Attributes

Attribute NameFriendly NameDataTypeMulti-ValuedUniqueIndexesDescription / Constraints
idautoGroupEmailAddressGroup Email AddressStringNYeq, sub
  • Unique email address for “distribution list” groups
idautoGroupEmailAliasesGroup Email AliasesStringYYeq, sub
  • Unique email aliases for “distribution list” groups
idautoGroupToSystem1Sync Group to System 1BooleanNN-
  • Flag indicating group should be synced to “System 1”
idautoGroupToSystem2Sync Group to System 2BooleanNN-
  • Flag indicating group should be synced to “System 2”
idautoGroupToSystem3Sync Group to System 3BooleanNN-
  • Flag indicating group should be synced to “System 3”
idautoGroupToSystem4Sync Group to System 4BooleanNN-
  • Flag indicating group should be synced to “System 4”
idautoGroupToSystem5Sync Group to System 5BooleanNN-
  • Flag indicating group should be synced to “System 5”
idautoGroupToSystem6Sync Group to System 6BooleanNN-
  • Flag indicating group should be synced to “System 6”
idautoGroupToSystem7Sync Group to System 7BooleanNN-
  • Flag indicating group should be synced to “System 7”
idautoGroupToSystem8Sync Group to System 8BooleanNN-
  • Flag indicating group should be synced to “System 8”
idautoGroupToSystem9Sync Group to System 9BooleanNN-
  • Flag indicating group should be synced to “System 9”
idautoGroupToSystem10Sync Group to System 10BooleanNN-
  • Flag indicating group should be synced to “System 10”

Extensible

None of these attribute has a unique constraint.
Attribute NameFriendly NameDataTypeMulti-ValuedIndexesDescription / Constraints
idautoGroupExt1Custom Group Attribute 1StringYeq, sub
  • Custom Attribute
idautoGroupExt2Custom Group Attribute 1StringYeq, sub
  • Custom Attribute
idautoGroupExt3Custom Group Attribute 1StringYeq, sub
  • Custom Attribute
idautoGroupExt4Custom Group Attribute 1StringYeq, sub
  • Custom Attribute
idautoGroupExt5Custom Group Attribute 1StringYeq, sub
  • Custom Attribute

Operational

  • Read-only attributes not associated with any particular class but available on all.

Operational Attributes

Attribute NameFriendly NameDataTypeMulti-ValuedUniqueIndexesDescription / Constraints
memberOf

DNYN

  • read-only - comes from slapo-memberof overlay
entryDN

DNNN

  • read-only - the DN name of the object
createTimestamp

DateTimeNN

  • read-only - the creation timestamp of the object
modifyTimestamp

DateTimeNN

  • read-only - the most recent modification timestamp of the object
creatorsName

DNNN

  • read-only - the DN of the creator of the object
modifiersName

DNNN

  • read-only - the DN of the most recent modifier of the object

Updated on Sun Dec 22 2024 03:36:15 GMT-0500 (Eastern Standard Time)


Was this article helpful?


ESC

Eddy AI, facilitating knowledge discovery through conversational intelligence