User Attribute and Properties Descriptions
(Last modified: 09Oct2002)
This document (10051431) is provided subject to the disclaimer at the end of this document.
goal
User Attribute and Properties Descriptions
fact
NetWare Administrator - All versions
Novell NetWare 4.1
Novell IntraNetWare 4.11
Novell IntraNetWare for Small Business
Formerly TID 2909062
fix
This Document describes all of the User Attributes available to the Network Administrator in the User Details.
A user object represents a person who uses the network. In the User object properties, login restrictions, intruder detection limits, password and password restrictions, security equivalencies, etc., can be set for every user who needs to log in to the network.
When you create a User object, you can create a home directory for that user who then has default rights to that home directory. You can also provide default property values by applying a user template to new user objects as they are created.
For users who have NetWare 4.1 workstations, you can create the User objects anywhere in the Directory tree, but the users must know their context in order to log in. Create User objects in the container where the users typically log in.
For users who have other workstations, create the User objects in the container where the bindery services context is set for the server that they need to log in to. Bindery-based users do not need to know their context because they log in to the server rather than to the Directory tree.
Account Balance: - This property is displayed under the Account Balance page. Use the Account Balance page to manage the credit on a user's account. Giving property rights to this property will allow the user to see or edit this property. The Account Balance property shows the credit that this user has remaining.
To install or remove accounting, or to change the rate charged tor particular services, go to the NetWare Server (NCP Server) object dialog and choose Accounting.
Account Disabled: - This property is displayed under the Login Restrictions page. The Login Restrictions page allows you to restrict how this user can use the network. Giving property rights to this property will allow the user to see or edit Account Disabled property. This property will allow or prevents the user from logging in.
Account Has Expiration Date: - This property is displayed under the Login Restrictions page. The Login Restrictions page allows you to restrict how a user can use the network. Giving property rights to this property will allow the user to see and edit the Account Has Expiration Date. This property allows you to set an expiration date for this account. The Expiration Date and Time, sets the date and time this user's account expires.
Account Locked: - This property is displayed under the Intruder Lockout page. The Intruder Lockout page displays the status of a user's account after it has been locked. An account is locked when someone enters the wrong password too many times consecutively. (The limit for incorrect login attempts is set from the Intruder Detection page of the user's container object.) Giving property rights to this object will allow the user to see and edit the Account Locked property. Account Locked indicates whether the account is locked because an incorrect password was used too many times.
Account Reset Time: - This property is displayed under the Intruder Lockout page. The Intruder Lockout page displays the status of a user's account after it has been locked. Giving property rights to this object will allow the user to see and edit the Account Reset Time property. Account Reset Time shows the time when the account will be reactivated if this account is locked. If it is not locked, this field shows when the Incorrect Login Count is reset.
Allow Unlimited Credit: - This property is displayed under the Account Balance page. Use the Account Balance page to manage the credit on a user's account. Giving property rights to this object will allow the user to see or edit the Account Balance property. The Allow Unlimited Credit property allows this user unlimited use of network services. Low Balance Limit shows the balance at which this user is denied. When Allow Unlimited Credit in enabled "Account balance" is ignored. To install or remove accounting, or to change the rate charged for particular services, go to the NetWare Server object dialog and choose Accounting. The discussion of Accounting is beyond the scope of this document.
Allow User to Change Password: - This property is displayed under the Password Restrictions page. The Password Restrictions page controls how passwords for this user are handled. Giving property rights to this object will allow the user to see and edit this property. This property allows the user to change his or her own passwords.
Authority Revocation: - This property is not viewed on any of the information pages. This property or attribute is used in partition operations and by software developers. For more information on this property reference Novell's Software Developer's Kit. The Authority Revocation attribute is a time-stamped list of revoked public keys of all Certification Authorities known and certified by the Certification Authority.
Back Link: - This property is not viewed on any of the information pages. Two important concepts in understanding the internal workings of NDS are external references and Back Links.
A server usually stores replicas of only some of an NDS Directory's partition. Sometimes a server must hold information about entries in partitions that the server does not store.
NDS stores this type of information in external references, which are place holders containing information about entries that the server does not hold. External references are not "real" entries because they do not contain complete entry information. An external reference is a reference to an entry that is not physically located on the local server. An external reference allows a reference to an entry without duplicating the entry on every server in the Directory tree.
When NDS creates a new external reference for an entry not stored on the local server, NDS attempts to place a Back Link on the real entry. The Back Link points to the server that holds the external reference. For more information on this property reference Novell's Software Developer's Kit.
Bindery Property: - This property is used by Bindery emulation. The user does not have access to this property. In NetWare 4.x, the Bindery has been replaced by Novell Directory Services. However, the Directory can emulate the Bindery if Bindery emulation is enabled. The bindery property attribute is used to emulate bindery properties that cannot be represented with other attribute types. In the bindery, properties of any name and data structure could be attached to objects. This is not the case with the Directory. Bindery Property attributes are used to hold the information stored in bindery properties through the bindery API and the bindery emulator.
CA Public Key / CA Private Key: - This properties is not viewed on any of the information pages. The CA Public Key (Certification Authority Public Key) attribute contains the certification authority public key while the CA Private Key (Certification Authority Private Key) contains the certification authority private key. Because NDS replicates and distributes information across the network, this information must be kept secure from eavesdropping or tampering. To provide secure authentication services, NDS users Public Key encryption technology to support public and private key encryption. Encryption allows authentication information to be transmitted in unreadable forms. The receiving entity then can decrypt the information, making it readable.
The following is a general example of how a public and private key is used. When secure information must be set across the communication channel (i.e. LAN or WAN) the information is encrypted using an algorithm and public key. This encrypted text is now sent across the communication channel (i.e. LAN or WAN) to its target where it is decrypted using an algorithm and a private key. Only information related to authentication is encrypted by NDS.
Certificate Revocation: - This property is not displayed on any of the information pages rather this property is used by Novell Directory Services database. The user does not have access to this property. For more information on how to use this property in software development refer to Novell's Software Developer's Kit for NetWare 4.x. The Certificate Revocation attribute is a time-stamped list of all public keys revoked by the Certification Authority.
Certificate Validity Interval: - This property is not displayed on any of the information pages rather this property is used by Novell Directory Services database. The user does not have access to this property. For more information on how to use this property in software development refer to Novell's Software Developer's Kit for NetWare 4.x.
City: - This property is displayed under the Postal Address page. The Postal Address page shows the postal address of the object you selected. Giving property rights to this object will allow the user to see and edit this property. The City property show the name of the City or Town.
Date Password Expires: - This property is displayed under the Password Restriction page. The Password Restrictions page controls how passwords for this user are handled. Giving property rights to this object will allow the user to see and edit this property. The Date Password Expires property displays the password expiration date or the day the password will expire.
Days Between Forced Changes: - This property is displayed under the Password Restriction page. The Password Restrictions page controls how passwords for this user are handled. Giving property rights to this object will allow the user to see and edit this property. The Days Between Forced Changes property specifies the number of days a password can be used.
Default Queue: - The Default Queue attribute specifies a queue where jobs submitted to the specified printer will go unless a different queue is specified.
Default Server: - This property is displayed under the Environment page. Giving property rights to this object will allow the user to see and edit this property. This property allows you to specify the Network server that you will receive messages from when a message is sent using the SEND utility. Normally you would set the default server to be the same as the server specified in the Preferred Server field in your NET.CFG. The Default Server field is also the name of the server that your workstation is going to authenticate to (make a connection to) when you log in to NetWare Directory Services.
Department: - This property is displayed under the Identification page. The Identification page describes this User object. Giving property rights to this object will allow the user to see and edit this property. Department property shows the user's department or division.
Description: - This property is displayed under the Identification page. The Identification page describes this User object. Giving property rights to this object will allow the user to see and edit this property. The Description property describes the function of this user performs. (Up to 30 lines of 37 characters each can be entered.)
E-mail Address: - The E-mail Address attribute contains the E-mail address of the user. The name must conform to the established conventions for E-mail names.
Fax Number: - This property is displayed under the Identification page. The Identification page describes this User object. Giving property rights to this object will allow the user to see and edit this property. This property lists the telephone numbers of fax machines available to the user.
Full Name: - This property is displayed under the Identification page. The Identification page describes this User object. Giving property rights to this object will allow the user to see and edit this property. The Full Name property displays or allows you to enter the user's full name.
Generational Qualifier: - This property is displayed under the Identification page. The identification page describes this User object. Giving property rights to this object will allow the user to see and edit this property. Generational Qualifier examples: Jr, Sr, II, III. etc.
Given Name: - This property is displayed under the Identification page. The Identification page describes this User object. Giving property rights to this object will allow the user to see and edit this property. This property is the users first name. For example, for John Smith, the given name is John.
Grace Logins Allowed: - This property is displayed under the Password Restriction page. The Password Restrictions page controls how passwords for this user are handled. Giving property rights to this object will allow the user to see and edit this property. The Grace Logins Allowed property allows you to limit the number of times an expired password can be used.
Group Membership: - The Group Membership attribute contains a list of the groups to which the object belongs.
High Privileges: - The High Privileges attribute is used to specify an alternative set of security access privileges.
Home Directory: - This property is displayed under the Environment page. Giving property rights to this object will allow the user to see and edit this property. The Home Directory shows the volume object and directory path of this user's home directory. You can change this directory, but you cannot create a new directory from here. You would need to access the file system in order to create a new directory.
Incorrect Login Attempts or Count: - This property is displayed under the Intruder Lockout page. The Intruder Lockout page displays the status of a user's account after it has been locked. An account is locked when someone enters the wrong password too many times consecutively. (The limit for incorrect login attempts is set from the Intruder Detection page of the user's container object.) The property show the number of incorrect passwords entered.
Initials: - This property is displayed under the Environment page. The Identification page describes this User object. Giving property rights to this object will allow the user to see and edit this property. The Initial property shows the user's middle initial, if one exists.
Language: -This property is displayed under the Environment page. Giving property rights to this object will allow the user to see and edit this property. The Language property determines the language that messages are displayed in.
Last Intruder Address: - This property is displayed under the Intruder Lockout page. The Intruder Lockout page displays the status of a user's account after it has been locked. Last Intruder Address shows the network address of the workstation from which the last wrong password was entered.
Last Login: - This property is displayed under the Login Restrictions page. The Login Restrictions page allows you to restrict the users access to the network. The Last Login Time shows the date and time the user last logged in.
Last Name: - This property is displayed under the Identification page. The Identification page describes this User object. Giving property rights to this object will allow the user to see and edit this property. This property is the user's last name.
Location: - This property is displayed under the Identification page. The Identification page describes a User. Giving property rights to this object will allow the user to see and edit this property. The Location shows the user's physical location (such as a mail stop). More than one value may be stored for this property.
Login Script: - This property is displayed under the Login Script page. The Login Script page lists commands that are executed when the user logs in to the network. Giving property rights to this object will allow the user to see and edit the login script. The Login Script property replaces the system login script. When a user logs in, the LOGIN program searches one level above (to either the Organization or Organizational Unit) and runs that script (if any), then runs the user's login script. For a more complete discussion of Login Scripts see the NetWare 4.x Manual Set: Concepts, and Supervising the Network.
Login Time Restriction: - This property is displayed under the Login Time Restriction page. The Login Time Restrictions page allows you to limit the time of day that the user can be logged in. You can restrict a user's login time in half-hour segments. Giving property rights to this object will allow the user to see and edit the Login Time Restriction.
Note: NetWare Directory Services (NDS) uses a time standard based on Greenwich Mean Time (GMT) which adjusts for time zone differences. However, login restrictions do not account for time zone differences. Example 1: If login time restrictions are set in California while on Pacific daylight time, they will be off by one hour when California moves back to Pacific standard time. For example, if you originally denied users network access from 5 a.m. to 8 a.m., they can log in when they arrive for work at 8 a.m. When California returns to Pacific standard time, NetWare server time is adjusted back one hour, but login time restrictions are not adjusted. This means that users will not be able to log in until 9 a.m., even though the Login Time Restrictions screen is set to allow users to log in at 8 a.m.
Suggestion: To compensate for time differences within a time zone, set login time restrictions with a buffer of one hour before and after normal login time restrictions. The problem in the example above could be solved by setting the login time restrictions from 7 a.m. to 6 p.m.
Example 2: If you originally denied network access to Jean in Toronto (Canada) from 5 a.m. to 8 a.m., and Jean travels to London (UK), her login time restrictions will be off by five hours. While Jean could be logged in to the network from 8 a.m. to 5 p.m. in Toronto, her authorized access time in London will be 3 a.m. to noon.
Suggestion: For NetWare users who travel, avoid using login time restrictions.
Low Balance Limit: - This property is displayed under the Account Balance page. Use the Account Balance page to manage the credit on a user's account. Giving property rights to this object will allow the user to see and edit this property. The Low Balance Limit shows the balance at which this user is denied access to network services.
Mailbox ID: - This property is displayed under the Mailbox page. Use the Mailbox page to see the Mailbox Location and Mailbox ID. Giving property rights to this object will allow the user to see and edit this property. The Mailbox ID property displays a unique name that allows this object's mailbox to be located in the Messaging database.
Mailbox Location: - This property is displayed under the Mailbox page. Use the Mailbox page to see the Mailbox Location and Mailbox ID. Giving property rights to this object will allow the user to see and edit this property. The Mailbox Location property specifies the Messaging server where this objects's mailbox resides.
Mailing Label Information: - This property is displayed under the Postal Address page. The Postal Address page shows the postal address of the object you selected. Giving property rights to this object will allow the user to see and edit this property.
Maximum Connections: - This property is displayed under the Login Restrictions page. The Login Restrictions page allows you to restrict how this user can use the network. Giving property rights to this object will allow the user to see and edit this property. The Maximum Connections property defines the maximum number of workstations that this user can log in to simultaneously.
Minimum Password Length: - This property is displayed under the Password Restrictions page. The Password Restrictions page controls how passwords for this user are handled. Giving property rights to this object will allow the user to see and edit this property. The Minimum Password Length property specifies the minimum number of characters required for the password.
Network Address: -
Network Address Restrictions: - This property is displayed under the Network Address Restrictions page. The Network Address Restrictions page determines which workstations a user can log in from. Giving property rights to this object will allow the user to see and edit this property. If no addresses are listed, there are no restrictions and the user can log in from any workstation.
Object Class: - This property is not displayed on any of the information pages rather this property is used by Novell Directory Services database. The user does not have access to this property. For more information on how to use this property in software development refer to Novell's Software Developer's kit for NetWare 4.x.
The Object Class attribute contains an unordered list of object classes. These classes are the fully expanded set of super classes for the object to which this attribute is assigned. When an object is created, a single initial value for object class must be specified. When the server creates the object, it expands the value set of the object class attribute to include all of the super classes of the initially specified class. You can use NLIST to see the object class of this object by typing the following at a workstation:
Syntax: <Class Type> /D
Example: NLIST "ORGANIZATIONAL ROLE" /D
Object Trustees (ACL): - The information about who can access object properties is stored in the object itself, in a property known as the Access Control List (or ACL). An object's ACL lists all objects that are trustees of the object. The ACL property also stores the object's Inherited Rights Filter.
To change the trustee's access to an object, you would change the trustee's entry in the object's ACL. Only trustees with the Write right for the ACL property can change the trustee assignments or the Inherited Rights Filter. Each object listed in an ACL can have different rights to that object's properties. For example, if ten users are listed in the select object's ACL as trustees, each of those ten users can have different rights to the selected object and to its properties. One object might have the Read right, another might have the Delete right, etc. Giving property rights to this object will allow the user to see or edit the trustees of the object.
Postal (Zip) Code: - This property is displayed under the Postal Address page. The Postal Address page shows the postal address of the object you selected. Giving property rights to this object will allow the user to see and edit this property. The Postal Code property is where you enter the zip code for USA. For other counties, enter the appropriate information.
Postal Office Box: - This property is displayed under the Postal Address page. The Postal Address page shows the postal address of the object you selected. Giving property rights to this object will allow the user to see and edit this property. The Post Office Box property contains the post office box for this object.
Print Job Configuration: - This property is displayed under the Print Job Configuration page. The Print Job Configuration page lists the name of different print job configurations that can be used. Giving property rights to this object will allow the user to see and edit this property. You can add new job configurations or modify the parameters of existing configurations. The Print Job Configuration attribute contains information on the specified print job configuration.
Printer Control: - The Printer Control attribute is the Directory Service counterpart of the DOS printer definition file NET$PRN.DAT.
Profile: - This property is displayed under the Login Script page. The Login Script page lists commands that are excecuted when a user logs into the network. Giving property rights to this object will allow the user to see and edit this property. The Profile attribute identifies the login profile to be used if the user doesn't specify one at login time.
Profile Membership: -
Public Key / Private Key: - The Public Key attribute contains a certified RSA public key. This property is not viewed on any of the information pages. The Private Key attribute contains a certified RSA public key. This property is also not viewed on any of the information pages.
Because NDS replicates and distributes information across the network, this information must be kept secure from eavesdropping or tampering. To provide secure authentication services, NDS users RSA Public Key encryption technology to support public and private key encryption. Encryption allows authentication information to be transmitted in unreadable forms. The receiving entity then can decrypt the information, making it readable.
The following is a general example of how a public and private key is used. When a client wishes to authenticate to a server. The client sends the request to the server. The server in turn requests a password. To kept this information secure from eavesdropping or tampering the client uses an algorithm and public key to encrypt the text. This encrypted text is now sent across the communication channel (i.e. LAN or WAN) to the server where it is decrypted using an algorithm and a private key. Only information related to authentication is encrypted by NDS.
Remaining Grace Logins: - This property is displayed under the Password Restriction page. The Password Restrictions page controls how passwords for this user are handled. Giving property rights to this object will allow the user to see and edit this property. The Remaining Grace Logins property shows how many grace logins are left. Grace Logins Allowed specifies the number of times an expired password can be used.
Require a Password: - This property is displayed under the Password Restriction page. The Password Restrictions page controls how passwords for this user are handled. Giving property rights to this object will allow the user to see and edit this property. The Require a Password property requires a user to enter a password.
Require Unique Password: - This property is displayed under the Password Restriction page. The Password Restrictions page controls how passwords for this user are handled. Giving property rights to this object will allow the user to see and edit this property. The Require Unique Passwords property prevents the user from using the same password again.
Revision: - This property is not displayed on any of the information pages rather this property is used by Novell Directory Services database. This property shows the number of times the object has been changed by a user or Admin. You can use NLIST to see this property by typing the following at a workstation.
Syntax: NLIST <Class Type> /D
Example: NLIST "USER" /D
Security Equal to: - This property is displayed under the Security Equal To page. The Security Equal To page shows objects that this User object is security equal to. This means that any rights granted to the objects listed on this page are also granted to this User object. The Security Equals property shows all objects that this User object is security equal to.
Security Flags: - This property is not displayed on any of the information pages rather this property is used by Novell Directory Services database. The user does not have access to this property. For more information on how to use this property in software development refer to Novell's Software Developer's kit for NetWare 4.x.
See Also: - This property is displayed under the See Also page. The See Also page gives you a place to list the names of objects related to the object you selected. Giving property rights to this object will allow the user to see and edit this property.
State or Province: - This property is displayed under the Postal Address page. The Postal Address page shows the postal address of the user object you selected. Giving property rights to this object will allow the user to see and edit this property. The State or Province property shows the state or province that this user is located in.
Street: - This property is displayed under the Postal Address page. The Postal Address page shows the postal address of the object you selected. Giving property rights to this object will allow the user to see and edit this property. The Street property contains the number and street name for a user.
Telephone: - This property is displayed under the Identification page. The Identification page describes a User's object. Giving property rights to this object will allow the user to see and edit this property. This property lists the user's telephone numbers.
Title: - This property is displayed under the Identification page. The Identification page describes a User represented by the object. Giving property rights to this object will allow the user to see and edit this property. The Title property shows the position or function of the user. (Maximum length of each is 60 characters.)
Type Creator Map: - This property is not viewed on any of the information pages. The Type Creator Map attribute identifies an object as a Macintosh file system client. For more information on this property reference to Novell's software developer's kit for NetWare 4.10.
UID: - (User ID) This property is not viewed on any of the information pages. The UID attribute
specifies a unique user ID for use by UNIX clients.
--------------------------------------------------------------------------------.
document
| Document Title: | User Attribute and Properties Descriptions |
| Document ID: | 10051431 |
| Solution ID: | NOVL4776 |
| Creation Date: | 06Apr2000 |
| Modified Date: | 09Oct2002 |
| Novell Product Class: | NetWare Novell eDirectory |
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.