
NDS Glossary


NDS Developer Program Manager
Developer Services

Senior Technical Writer
Developer Information

01 Sep 1999


Access Control List (ACL)

An attribute on a directory object that designates what rights and restrictions directory objects have to it.


The process of establishing your identity to a network system.


Empowers the object to grant or deny access to other entries in the directory.

Back Link

When NDS creates a new external reference for an object not stored on the local server, it locates that object on the other replica's server and stores a Back Link attribute on it. The Back Link attribute points back to the external reference. Back links maintain connectivity between the server holding the external reference and the server that holds the object.

Bindery Context

A set of containers where bindery services is set. Bindery-based clients and servers and NDS entries can access all the entries that can be represented as bindery objects within that set of containers.


Groups of entries that have similar roles, interests, or behaviors.

Container Object

An object that can contain other objects.


The object classes that can contain a specific object. For example, a user object's containment is Organization, Organizational Unit and domain (NDS 8). This means that Organization, Organizational Unit and domain objects can contain user objects.

Context, current

The container your NDAP context is currently pointing to. NDS will resolve all relative names to that container.

Context, name

An object's name context is a list of the containers between the object and [Root]. This context, or name, is a string that describes the object's position in the NDS tree. Different directory access methods can use different syntaxes for the name context. Different directory access methods might also have a different order of the naming components in the name. See Name, Distinguished and also Name, Relative Distinguished.

Context, NDAP

The NDAP context is a data structure describing how you wish to address NDS. You cannot directly access the data in an NDAP context. You must use a ContextHandle to reference it. The data is available only through the NWDSGetContext() and NWDSSetContext() accessor routines provided in the Novell libraries. You can use the following flags to access an NDAP context:


The current view of the NDS tree. As your current path changes as you run applications, your context changes as you access data in the tree.


Determines what replica type to use when processing requests.


This means that results are obtained from local cache or any convenient replica.


This means that results must be read from a writable replica.


This means that results must come only from the master replica.


Allows implementations of NDS on different protocols to communicate with each other with NDS. This flag indicates whether the underlying transport is IPX or IP.


For future use. NDS does not currently use this variable.


Determines how requests made to NDS are processed and how data is returned from the functions.


If this flag is true, NDS requests information from the object the alias points to.


If this flag is true, the client agent automatically translates unicode strings.


If this flag is true, all NDS response data is returned without types.


NDS doesn't support this flag.


If this flag is true, the client agent concatenates the passed-in name with the value of the DCK_NAME_CONTEXT variable.


If this flag is true, the client agent won't accept a referral to another server in the tree.


This variable contains the last connection handle used to satisfy an NDS request. This variable is cleared when the tree name is changed.


Determines the NDS object information to be returned by the NWDSList, NWDSReadObjectDSIInfo, NWDSReadObjectInfo, and NWDSSearch functions.


Determines whether NDS accepts and returns distinguished names in partial dot or slash format.


Determines how many NDS names are kept in the cache.

When the cache is full, the file with the oldest accessed date and time will be dropped.

Directory Enabled Application

An application which uses and/or contributes to the collection of information stored in the directory.

Directory Information Base (DIB)

The information about the users, resources, and network that the directory maintains. In NDS 8, the DIB includes the data storage of objects and attributes.

Directory Information Tree (DIT)

The Directory's logical structure.

Directory Service

A network database that maps resource names to network addresses. For a system to qualify as a directory, it must provide discovery, security, storage and relationship management. The difference between a database and a directory service is that directory services store information that describes people and access. A directory service also uses a directory-specific protocol, such as DAP (Directory Access Protocol), NDAP (Novell Directory Access Protocol), or LDAP (Lightweight Directory Access Protocol). Directory services can't be dedicated to a single application or product.

Directory System Agent (DSA)

An OSI application process that provides Directory functionality. (Similar to an NDS partition.)

Directory User Agent (DUA)

An OSI application process that represents a user in accessing the Directory and uses the Directory Access Protocol (DAP) to communicate with the DSA.


The ability of a user to browse and/or consume the contents of a directory. Discovery is recognizing people and resources, assigning characteristics to them, establishing relationships among them, updating changes to them, and optimizing searches for them. Directory services must provide a mechanism for the discovery and recognition of resources within the network.

Distinguished Name

See Name, Distinguished.

Effective Rights

The sum of all the rights a user has received to Directory entries.


An instance of an NDS object class. Entry is interchangeable with the word "Object". The NDS tree is made up of entries.

External Reference

A place holder containing copies of information about entries that a server does not hold.


An object's unique name in the directory.


Provides a location independent reference to directory objects and applications.


To apply access privileges and policies based on an object's location (or context) in the directory tree.


The process by which rights granted to a container apply to all subordinate entries and subsequent subordinate containers within the original container.


Validates data types and guarantees that all changes are synchronized between copies.

Key Management

Delivers key-based credentials for inter- and intra-network communications.


An acronym for Lightweight Directory Access Protocol (RFC 1777 and 2251, as well as RFC 2252-2256 for LDAP v3). LDAP is a cross-platform way to access directories. It's an adaptation of the X.500 Directory Access Protocol (DAP) developed by the University of Michigan and is quickly becoming the standard for Internet and intranet clients to access directory information. LDAP reduces the overhead in the DAP specification, allowing smaller clients and quicker directory access.

Leaf Object

An object that can't contain other entries.

Loose Consistency

The concept that replicas are not consistent with each other at any given time; rather, their information converges over time.

Master Replica

A replica that can be used to create, modify, and delete other replicas.


The rules determining the basic elements of the schema. For example, the meta-schema determines class and attribute definition structures and syntaxes.


Novell Directory Access Protocol. A method of accessing NDS using the C programming language and Novell's SDK libraries. NDAP is dependent on Novell's installed client.

Name, Distinguished (DN)

An object name that contains the name of all the other entries in its path.

Another way to think of Distinguished Name is to think of it as an entry's object name combined with its context. For example, suppose a printer's name is lpIII, and its context is marketing.VerySmallCompany. The printer's Distinguished Name would be: You would read this name as: the lpIII printer which is in marketing, which is in VerySmallCompany.

Distinguished Names are also sometimes called Complete Names.

The Distinguished Name doesn't use a leading period.

Name, Fully Distinguished

A Fully Distinguished Name is a Distinguished Name that includes the leading period. The leading period means that NDS will resolve the name from the Root, regardless of the object's current context. An example of a printer's Fully Distinguished Name would be:

Name, Relative Distinguished (RDN)

A portion of the Distinguished Name that includes the leaf-most object name. NDS resolves relative names from the workstation's current context, not from [Root]. For example, if the workstation's current context is marketing.VerySmallCompany, and the user's relative name is, NDS reads the name as jsmith in marketing in the current context (marketing.VerySmallCompany.). Never use a leading period with a relative name.

Name, Typed

Typeful names are either Fully Distinguished Names or Distinguished Names that include the type of each object in the context. They are also called Typed Names. The object types use the definitions in the list below:

Object Class



Leaf objects

Common Name





Organizational Unit

Organizational Unit





The typeful name uses the type abbreviation, an equals sign, and the object's name. For example, if a printer were located in the VerySmallCompany's development department, its typeful name would be:


Name, Typeless

A typeless name is the same as either the Fully Distinguished Name or the Distinguished Name, without object types. A printer's typeless name might be

Name Server

A network node that administers zero or more Directory replicas.

Name Service

A service that maps network names to addresses.

Name Space

A set of rules that defines how all network users and resources are named and identified.

Novell Directory Services (NDS)

NDS is a multiple-platform, globally accessible, distributed database that stores information about the hardware and software resources that are available within a given network. NDS can be described as a hierarchical tree.

Novell Script

A scripting language, formerly known as NetBasic 7, which is 100% compatible with Microsoft's popular VBScript programming language.


A Directory object, as seen by an end user. "Object" is interchangeable with the word "Entry".

Object Class

A definition of a type of object that can exist in the Directory tree. The schema contains valid object class definitions.


An open interface for relational databases. ODBC allows developers to write applications and tools that will work with any database that supports ODBC.


A partition or object superior to another in the Directory tree.


A distinct portion of the Directory tree that stores and replicates Directory information.

Partition Root

The most superior object in a given partition.


Grants entries special consideration, such as desktop preferences, bandwidth, configuration settings, etc., according to task-specific requirements.


An operating system abstraction layer between NDS and the operating system services that NDS uses, such as thread support, memory allocation, and process support.

Private Key

This key is assigned to an object, and that object keeps the key secret. Authentication depends on the private key's mathematical relation to the public key.


An attribute as viewed by an end-user or client.

Public Key

This key is assigned to an object, and that object can publish it openly to any other object wanting to send a message to it. Authentication depends on the public key's mathematical relation to the private key.


The process of determining an object's level of access to directory information.

Read-Only Replica

A replica that clients can read information from, but can't use to create, modify, or delete entries. Read-only replicas synchronize with other replicas.

Read/Write Replica

A replica that clients can use to create, modify, and delete entries.


A link between the object and a membership list, or from a membership list back to an object.


The address of a server containing the information requested by a client.


The process of applying a set of rules that enforce an object's unique ID.

Relative Distinguished Name (RDN)

See Name, Relative Distinguished (RDN)


A single instance of a partition.

Resolving a Name

The process of matching an NDS name to a location in the network where you can read information about the object, such as network address or group membership.


The privileges granted in Access Control Lists (ACLs) that enable trustees to perform specific operations on a given object.


This most often refers to the tree root, or the most superior object in the Directory tree. You can visualize this object as being at the top of the hierarchical NDS tree. See also Partition Root.


The set of rules governing the Directory's structure, entries, object classes, and attributes.


The process of confirming the identity of people and resources.

Secret Key

A key used both to encrypt and decrypt a given message.

Security Equivalence

One object's having the same rights as another object in the Directory tree.


Two or more objects that are contained by the same container object so they appear in the same level in the Directory tree.

Single sign-on

The ability to log in only once, using one password, and access any authorized resource on the network.


Allows an object to enroll for a particular service.


An object or partition that is contained by another object or partition in the Directory tree. Also referred to as a "child."

Subordinate Reference Replica

A replica that links a parent partition and a child partition. Each file server that contains a replica of the parent partition also contains a subordinate reference of every child partition that is not located physically on that server.


A conceptual subsection of a tree. It usually contains one or more partitions.

Super Class

An object class that defines specific attributes that subordinate classes can inherit. For example, in the NDS schema, the user class inherits attributes from the organizational person class. So, Organizational Person is a super class to user.


An object or partition that logically contains another object or partition below it in the Directory tree. Also referred to as a "parent."


The propagation of Directory information from one replica to another so the information in each partition is consistent with the other.

Time Stamp

Indicates the time a modification was made and the replica making the modification.


An object granted a particular set of access privileges to another object. For example, users that have rights to a server volume are trustees of that volume.

Top Fundamental

The super class on the NDS schema. All classes inherit from the top.

Typed Name

See Name, Typed

Typeless Name

See Name, Typeless

Universal Component System (UCS)

Universal Component System allows scripting engines to use a wide variety of software components that are running either locally on the server or remotely on another machine.


An instance of the information specified by an attribute type.


An industry standard for directory services.

* Originally published in Novell AppNotes

