Operational attributes

There are several attributes that have special meaning to the Directory Server known as operational attributes. These are attributes that are maintained by the server and either reflect information the server manages about an entry or affect server operation.

These attributes have special characteristics:

  • The attributes are not returned by a search operation unless they are specifically requested (by name) in the search request
  • The attributes are not part of any object class. The server controls what entries have the attributes.

The following sets of operational attributes are some of the operational attributes supported by the Directory Server:

  • creatorsName, createTimestamp, modifiersName, modifyTimestamp are present on every entry. These attributes show the bind DN and time when an entry was first created or last modified. You can use these attributes in search filters, for example, to find all entries modified after a specified time. These attributes cannot be modified by any user. These attributes are replicated to consumer servers and are imported and exported in LDIF files.
  • ibm-entryuuid. Present on every entry that is created while the server is at V5R3 or later. This attribute is a universally unique string identifier assigned to each entry by the server when the entry is created. It is useful for applications that need to distinguish between identically named entries on different servers. The attribute uses the DCE UUID algorithm to generate an ID that is unique across all entries on all servers using a timestamp, adapter address, and other information.
  • entryowner, ownersource, ownerpropagate, aclentry, aclsource, aclpropagate, ibm-filteracl, ibm-filteraclinherit, ibm-effectiveAcl.
  • hasSubordinates. Present on every entry and has the value TRUE if the entry has subordinates.
  • numSubordinates. Present on every entry and contains the number of entries which are children of this entry.
  • pwdChangedTime, pwdAccountLockedTime, pwdExpirationWarned, pwdFailureTime, pwdGraceUseTime, pwdReset, pwdHistory.
  • subschemasubentry - Present on every entry and identifies the location of the schema for that part of the tree. This is useful for servers with multiple schemas if you want to find the schema that you can use in that part of the tree.

For a complete list of operational attributes, use the following extended operation: ldapexop -op getattributes -attrType operational -matches true.