This section lists every attribute maintained and used directly by APS. APS assumes that all attributes exist and processing will fail if an attribute does not exist. Except for encrypted fields and those otherwise noted, your site can change the values of these attributes. However, you must take care to format the information in the attribute correctly so that APS can read it. For performance reasons, APS has little format verification.
Note that the fields used to handle FPS verification (such as secret questions) are not maintained by APS at all; they are compared by FPS and, in some cases, updated (as in the control data). However, the field names and contents are entirely defined by the site and actually maintained by the site's user management tools, not APS.
The attributes listed in this section are in alphabetical order.
All dates and times are in Greenwich (ZULU) time zone. This eliminates all complications of multiple policy/web servers in different time zones and daylight savings time. These values are stored in the format:
yyyymmddhhmmssZ
For example,
20010307164130Z
is Wednesday, March 7, 2001 at 11:41:30am Eastern time.
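As an added example (not part of the original documentation), the following Python code parses and produces the yyyymmddhhmmssZ form described above, rejecting anything that is not exactly fourteen digits and a trailing Z. Because APS does little format verification, a site tool that writes these fields should perform this check itself. The local-time conversion uses a fixed UTC-5 offset (Eastern Standard Time; the example date precedes daylight saving time) rather than a time zone database, so it runs offline; that offset is an assumption of the example, not something APS stores.

```python
from datetime import datetime, timedelta, timezone

# APS stores every date/time in UTC (ZULU) as yyyymmddhhmmssZ.
ZULU_FORMAT = "%Y%m%d%H%M%SZ"


def is_valid_zulu(value):
    """True only for a 14-digit timestamp followed by a literal 'Z' that also parses
    as a real calendar date (e.g. month 13 is rejected)."""
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        return False
    try:
        datetime.strptime(value, ZULU_FORMAT)
    except ValueError:
        return False
    return True


def parse_zulu(value):
    """Parse an APS timestamp such as '20010307164130Z' into an aware UTC datetime."""
    if not is_valid_zulu(value):
        raise ValueError("not a yyyymmddhhmmssZ timestamp: %r" % (value,))
    return datetime.strptime(value, ZULU_FORMAT).replace(tzinfo=timezone.utc)


def format_zulu(moment):
    """Format an aware datetime as an APS timestamp, converting to UTC first.
    A naive datetime is refused: writing local time into the directory would
    silently shift every expiration calculation APS performs."""
    if moment.tzinfo is None:
        raise ValueError("refusing to format a naive datetime; APS values must be UTC")
    return moment.astimezone(timezone.utc).strftime(ZULU_FORMAT)


def to_fixed_offset(value, utc_offset_hours):
    """Render an APS timestamp in a fixed-offset zone for display only (assumed offset,
    e.g. -5 for Eastern Standard Time). APS itself never stores local time."""
    local = timezone(timedelta(hours=utc_offset_hours))
    return parse_zulu(value).astimezone(local)


if __name__ == "__main__":
    eastern = to_fixed_offset("20010307164130Z", -5)
    print(eastern.strftime("%A, %B %d, %Y %I:%M:%S %p"))  # Wednesday, March 07, 2001 11:41:30 AM
```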
The Attribute/Column names used in this chapter can be changed on a per-site (or even per-directory server) basis. The names used here are the names that APS will use internally. If not remapped, APS will also use these names externally. To rename an attribute/column, use the [MAPPING] section of the APS.cfg file.
Some fields are suppressible, meaning that an entry can exist in the [MAPPING] section to map the field to a null name. In this case, APS will not store or use a value for that field. If an attribute is not suppressible, but a mapping to a null value exists in APS.cfg, the internal name of the attribute will be used. This will probably result in an error.
Note: Between APS Version 3 and Version 4, one attribute (smapsInactivityWarning) was dropped from use and a new attribute (smapsNextAction) was added. smapsOldBlob is also no longer used, except for sites upgrading from versions of APS prior to version 3.0.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.2
RDBMS Type: character
Max Length: 24 (see note)
suppressible: Yes
Format: <integer> <reason>
Examples: 0 Admin account
7 Wire Room Op
365
This attribute is used to override, on a per-user basis, the amount of time that can elapse between this user's logins before the user is disabled due to inactivity. As a general rule, this value should not be used; it is intended for a small number of users.
The first part of the value must be the number of days to use. The rest of the field is ignored and can be used to store any information (for example, why the override is there, who put it there, etc.).
Setting this value to zero tells APS that this user is never disabled due to inactivity, even if this conflicts with settings in the APS.cfg file.
If this field is null or contains no value, then the settings in the APS.cfg file will be used.
APS never writes to this field, except as part of APSAdmin.
Note on length: This field contains a number, followed by a comment, thus the length is truly variable. APSAdmin allows 3 characters for the integer value, a space, and up to 20 characters of user-entered comment. If your site has a custom interface to this field, you may want to make this field longer. APS itself, outside of APSAdmin, never updates this field.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.3
RDBMS Type: character
Max Length: 36 (see note)
suppressible: No
Format: <date/time> <reason>
Examples: 20010307164130Z Conversion
This is, essentially, the creation date of the user. It is used as the base date for all calculations if smapsLastPasswordChange or smapsLastLogin is not set or if this date is later. If not set, the current date/time is used. APSExpire will initialize this field, if necessary.
User creation utilities should set this value, but it is not required, since APSExpire will set it the next time that utility is run and APS will initialize a null value when the user authenticates.
If this field is later than smapsLastPasswordChange or smapsLastLogin, this field's value will be used instead. The reason for this is best demonstrated by an example: smapsLastLogin is used to calculate when an account expires. If a user's account has expired and the user is disabled, the user will immediately be expired again at next login, since smapsLastLogin is still too old. The old solution was to reset smapsLastLogin, but that caused the "real" date of last login to be lost. Instead, sites may reset this date in these cases (and in the similar case of password expiration).
Note on length: This field contains a date, followed by a comment, thus the length is truly variable. APSAdmin allows 15 characters for the date value, a space, and up to 20 characters of user-entered comment. If your site has a custom interface to this field, you may want to make this field longer. APS only writes the date/time (without a comment) to this field when it is initialized.
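The base-date rule and the re-enable scenario above, as an added Python example (not code from the APS product). It picks the reference date the way the text describes: the activity date (smapsLastLogin or smapsLastPasswordChange) unless it is unset or the base date is later, with the current time standing in for a missing base date. The 90-day inactivity limit and the sample values are constructed for the example; the attribute names are those used in the text.

```python
from datetime import datetime, timedelta, timezone

ZULU_FORMAT = "%Y%m%d%H%M%SZ"


def parse_zulu_prefix(value):
    """Return the aware UTC datetime from the leading yyyymmddhhmmssZ token of an
    APS '<date/time> <reason>' value, or None when the field is empty."""
    if value is None or not value.strip():
        return None
    token = value.split()[0]
    return datetime.strptime(token, ZULU_FORMAT).replace(tzinfo=timezone.utc)


def effective_reference(base_date, activity_date, now):
    """Date APS measures from. 'activity_date' is smapsLastLogin or
    smapsLastPasswordChange; it is used unless it is unset or smapsBaseDate is
    later. A missing base date is treated as 'now', as APS initializes it."""
    base = parse_zulu_prefix(base_date) or now
    activity = parse_zulu_prefix(activity_date)
    if activity is None or base > activity:
        return base
    return activity


def inactivity_expired(base_date, last_login, now, max_idle_days):
    """True when more than max_idle_days have passed since the reference date."""
    reference = effective_reference(base_date, last_login, now)
    return now - reference > timedelta(days=max_idle_days)


def reenable_by_base_date(now, reason):
    """Value a site would write to smapsBaseDate to re-enable an expired account
    while leaving the real smapsLastLogin untouched."""
    return "%s %s" % (now.astimezone(timezone.utc).strftime(ZULU_FORMAT), reason)


if __name__ == "__main__":
    # Constructed sample: the user last logged in June 2000 and is checked in March 2001.
    now = datetime(2001, 3, 7, 16, 41, 30, tzinfo=timezone.utc)
    base = "20000101000000Z Conversion"
    last_login = "20000601120000Z 10.0.0.1"
    print(inactivity_expired(base, last_login, now, 90))          # True: still expired
    base = reenable_by_base_date(now, "Re-enabled by help desk")
    print(inactivity_expired(base, last_login, now, 90))          # False: base date now later
```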
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.4
RDBMS Type: character
Max Length: 36 (see note)
suppressible: Yes
Format: <date/time> <reason>
Examples: 20010601000000Z End of semester
20010601000000Z End of subscription
APS will not allow users to login after this date/time, regardless of activity. APS will not cancel an existing session when this time arrives; it will only prevent authentication after the specified date/time.
Sites may use this field freely. APS will never set or modify this value, but it will honor it if the date is readable. The <reason> is not used by APS, but may be passed to event redirection pages as the value of the DISABLEDREASON macro.
This field may need to be cleared to enable a user to authenticate.
Note on length: This field contains a date, followed by a comment, thus the length is truly variable. APSAdmin allows 15 characters for the date value, a space, and up to 20 characters of user-entered comment. If your site has a custom interface to this field, you may want to make this field longer.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.5
RDBMS Type: character
Max Length: 36 (see note)
suppressible: Yes
Format: <date/time> <reason>
FOREVER <reason>
Examples: 20010207164130Z Failure Count
FOREVER Failure Count
APS will not allow users to login until this date/time, regardless of whether the user successfully authenticates. APS uses this field to implement the Auto Reset Failure Count functionality.
If the Use Internal Disables setting is in effect for LDAP directories, APS will use this field to disable users and will use the word FOREVER instead of a date. For ODBC (RDBMS) directories, APS will always use this field for this purpose (regardless of the Use Internal Disables setting).
Sites may use this field freely. The reason is not used by APS, but may be passed to event redirection pages as the value of the DISABLEDREASON macro.
This field may need to be cleared to enable a user to authenticate.
Note on length: This field contains a date, followed by a comment, thus the length is truly variable. APSAdmin allows 15 characters for the date value, a space, and up to 20 characters of user-entered comment. If your site has a custom interface to this field, you may want to make this field longer. APS can write to this field, but never more than 36 characters.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.6
RDBMS Type: character
Max Length: 24 (see note)
suppressible: Yes
Format: <integer> <reason>
Examples: 0 Administrator
7 Wire Room Op
365
This attribute is used to override, on a per-user basis, the expiration period of a user's password. The performance impact of this value is nominal. As a general rule, it should not be used, since it creates maintenance overhead and thus can be an administrative nightmare.
The first part of the value must be the number of days to use. The rest of the field is ignored and can be used to store any information (for example, why the override is there, who put it there, etc.).
If the integer value is set to zero, then the user's password will never expire.
If this field is null or contains no value, then the settings in the APS.cfg file will be used.
APS never writes to this field, except as part of APSAdmin.
Note on length: This field contains a number, followed by a comment, thus the length is truly variable. APSAdmin allows 3 characters for the integer value, a space, and up to 20 characters of user-entered comment. If your site has a custom interface to this field, you may want to make this field longer. APS never writes to this field.
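Both per-user override attributes in this section (the inactivity override and the password expiration override above) share the <integer> <reason> format and the same three cases: blank means the APS.cfg setting applies, zero means never, and any other value is a number of days. The Python below is an added example, not APS code; it resolves the effective period and checks that a value fits the 24-character layout APSAdmin assumes. The configuration default passed in is a constructed sample.

```python
def parse_days_override(value):
    """Interpret an APS '<integer> <reason>' override attribute.

    Returns None when the attribute is absent or blank (the APS.cfg settings
    apply), 0 when the user is exempt ('never'), otherwise the number of days.
    Anything else raises, because APS itself does not validate the field and
    would otherwise misread it.
    """
    if value is None or not value.strip():
        return None
    token = value.split()[0]
    if not token.isdigit():
        raise ValueError("override must start with a non-negative integer: %r" % (value,))
    return int(token)


def override_reason(value):
    """The free text after the integer, which APS ignores (who/why the override exists)."""
    parts = (value or "").split(None, 1)
    return parts[1] if len(parts) == 2 else ""


def effective_days(value, cfg_days):
    """Period APS would apply: the per-user override when present, else the
    APS.cfg value. A result of 0 from the override means 'never'."""
    override = parse_days_override(value)
    return cfg_days if override is None else override


def never_expires(value, cfg_days):
    """True when the user is exempt from the period altogether."""
    return effective_days(value, cfg_days) == 0


def fits_apsadmin(value):
    """Check a value against the layout APSAdmin writes: up to 3 digits, one
    space, up to 20 characters of comment, 24 characters in total."""
    if not value:
        return True
    digits, _, comment = value.partition(" ")
    return (digits.isdigit() and len(digits) <= 3
            and len(comment) <= 20 and len(value) <= 24)


if __name__ == "__main__":
    for sample in ("0 Admin account", "7 Wire Room Op", "365", ""):
        print(repr(sample), "->", effective_days(sample, 90), "days; never:", never_expires(sample, 90))
```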
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.7
RDBMS Type: character
Max Length: 24
suppressible: No
Format: <integer> <date/time>
Examples: 0 20010307170000Z
2 20010307173022Z
This attribute is used by APS to track the current authentication failure count. When reset, this field should not be cleared; it must be set to zero with a date and time. This is required because APS also keeps this value in memory so that a server outage will not open a security hole. APS will read the value from disk and compare the date/time against its in-memory value. The later value will be used.
The first part of the value is the counter, which is followed by the effective date of the most recent failure (or reset).
Note that just setting a value into this field is insufficient to disable a user (at the next login), since if the date/time is over Failure Count Timeout minutes old, the user will not be disabled.
This field may need to be updated to enable a user account.
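The reconciliation and timeout rules above, as an added Python example (not APS code). It shows why a reset must be written as "0 <date/time>": a cleared field carries no date, so the in-memory copy wins and the failures survive, whereas a dated zero that is later than the in-memory record takes effect. It also shows the Failure Count Timeout rule, that a record older than the timeout no longer counts. The 30-minute timeout and the sample values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

ZULU_FORMAT = "%Y%m%d%H%M%SZ"


def parse_failure_count(value):
    """Split a '<integer> <date/time>' value into (count, aware UTC datetime).
    A blank or cleared field yields (0, None): zero failures but no date."""
    if value is None or not value.strip():
        return 0, None
    count, stamp = value.split()
    return int(count), datetime.strptime(stamp, ZULU_FORMAT).replace(tzinfo=timezone.utc)


def format_failure_count(count, moment):
    """Render (count, datetime) in the on-disk format."""
    return "%d %s" % (count, moment.astimezone(timezone.utc).strftime(ZULU_FORMAT))


def reconcile(disk_value, memory_value):
    """Return the (count, when) pair with the later date/time, as APS does when it
    compares the stored value against its in-memory copy. A record without a
    date (a cleared field) can never be the later one."""
    d_count, d_when = parse_failure_count(disk_value)
    m_count, m_when = parse_failure_count(memory_value)
    if d_when is None:
        return m_count, m_when
    if m_when is None or d_when >= m_when:
        return d_count, d_when
    return m_count, m_when


def effective_failures(value, now, timeout_minutes):
    """Count that applies at 'now': once the record is older than the Failure
    Count Timeout it no longer contributes, so merely writing '5 <old date>'
    does not disable the user at the next login."""
    count, when = parse_failure_count(value)
    if when is None or now - when > timedelta(minutes=timeout_minutes):
        return 0
    return count


def reset_value(now):
    """The correct reset: zero plus the reset time, never an empty field."""
    return format_failure_count(0, now)


if __name__ == "__main__":
    now = datetime(2001, 3, 7, 17, 45, 0, tzinfo=timezone.utc)
    in_memory = "3 20010307173022Z"
    print(reconcile("", in_memory))                 # (3, ...): clearing the field did nothing
    print(reconcile(reset_value(now), in_memory))   # (0, ...): dated reset takes effect
    print(effective_failures(in_memory, now, 30))   # 3: within the timeout
    print(effective_failures(in_memory, now + timedelta(hours=1), 30))  # 0: timed out
```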
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.8
RDBMS Type: character
Max Length: 56 (see note)
suppressible: Yes
Format: <integer> <date/time> <IP address> <reason>
Examples: 2 20010307170000Z 192.158.7.10 SiteMinder
This attribute is maintained by APS and is informational only. The <integer> component is the number of failed logins since smapsLastLogin (or smapsBaseDate, if the user has never logged in).
The <date/time> is when the most recent failure actually occurred.
The <IP address> is the reported TCP/IP address of the client. Note that this value is not trustworthy due to network address translation and spoofing.
The <reason> is why the login was rejected (if known).
APS copies the current value of this attribute to smapsFailuresSincePreviousLogin when the user successfully authenticates and then clears this attribute.
This value may be significantly different from smapsFailureCount, since the failure count times out and only includes password rejections. This is the actual total and includes all types of failures.
Note that if your site wishes to display failure count information on a user's screen, you should use smapsFailuresSincePreviousLogin, since the user just logged in and this value has been cleared.
Note on length: This field contains a number, followed by a comment, thus the length is truly variable. APSAdmin allows 3 characters for the integer value, a space, 15 characters for the date, another space, 15 characters for the IP address, yet another space and up to 20 characters of comment. If your site has a custom interface to this field, you may want to make this field longer.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.9
RDBMS Type: character
Max Value Length: 56 (see note)
suppressible: Yes
Format: <integer> <date/time> <IP address> <reason>
Examples: 2 20010307170000Z 192.158.7.10 SiteMinder
This attribute is maintained by APS and is informational only. This information is copied from smapsFailuresSinceLastLogin when the user successfully authenticates.
Note that if your site wishes to display failure count information on a user's screen, you should use smapsFailuresSincePreviousLogin, since the user just logged in and the other value has been cleared.
Note on value length: This field contains a number, followed by a comment. The length is truly variable. APSAdmin allows 3 characters for the integer value, a space, 15 characters for the date, another space, 15 characters for the IP address, yet another space and up to 20 characters of comment. If your site has a custom interface to this field, you may want to make this field longer.
Note on name length: This attribute name is longer than 30 characters, which exceeds the maximum length of an Oracle column name. For an Oracle database, create the column under a shorter alias such as "smapsFailuresSincePrevLogin" and add the entry below to APS.cfg so that APS uses the alias.
Example: smapsFailuresSincePreviousLogin={IsODBC()}smapsFailuresSincePrevLogin
LDAP Type: cis/Multi-Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.10
RDBMS Type: character
Max Length: As long as possible (see note)
suppressible: Yes
Format: <key>=<integer> <date> <IP address>
Examples: LICENSE =1 20010307144130Z 10.2.2.1
PROFILE=2 20010307144633Z 10.2.2.1
This attribute is used to store information about Generational Redirect. If generational redirects are not used, this attribute can be omitted from the schema.
Each element (this is a multi-valued attribute under LDAP) tracks the last version of a page that the user was redirected to, when and what the IP address of the browser was (the IP address is not reliable).
Note on length: Under ODBC (RDBMS) directories, this is stored as a single-value, each "element" separated from others using a semicolon (";"). The length of each element can vary, since the length of the <key> name is essentially unlimited and the length of the <integer> value can vary greatly. The total length of this field can be calculated by a site, but if new generational redirects are added, additional space will have to be provided. Thus, a site should plan this length carefully.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.11
RDBMS Type: character
Max Length: 35
suppressible: Yes
Format: <integer> <date/time> <IP address>
Examples: 2 20010307170000Z 192.158.7.10
APS uses this attribute to track the number of grace logins that the user has consumed since his/her password expired. The <date/time> and <IP address> are informational only. If the user changes their password, this value is reset to blank/null.
If grace logins are not used, then this attribute can be safely omitted from the schema.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.12
RDBMS Type: character
Max Length: 25KB
suppressible: Yes
Format: <encrypted>
The user's password history is stored in this attribute. APS will maintain this value. This value should never be modified, except by APS.
APS will only keep about 12KB worth of history, but the limit is imposed before encryption. Encryption effectively doubles the length, so a site should provide storage for up to 25KB characters of data.
Since the information is encrypted, it is impossible to just truncate it; it must be stored in its entirety. Truncating the data may cause server failures.
To reserve the full amount of storage in an ODBC directory for every user row may be unreasonable. What many sites do is set the length of this column to some smaller value (for example 2k), then run triggers within the database to alert administrators when a certain percentage of this space starts to get used (say 90% - the field grows very slowly, usually less than 100 bytes per password change). If a single test user starts to consume too much, approaching the maximum length defined, the site clears the value for that one account. If multiple users start to approach the value, either determined by triggers or by periodic examination of the data, the column is enlarged.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.13
RDBMS Type: character
Max Length: 30 (see note)
suppressible: Yes
Format: <any non-blank value>
Examples: Initial Load
If this attribute is non-blank, APS will force the user to change their password the next time that the user logs in (if redirection, etc., is also configured).
APS clears/nulls this attribute when the user actually changes their password.
If sites do not wish to use the immediate change functionality, this attribute may be safely omitted from the schema.
Note on length: When set, this field contains any text comment, thus the length is truly variable. APSAdmin allows up to 30 characters of comment. If your site has a custom interface to this field, you may want to make this field longer.
This field is no longer used by APS and it may safely be removed from existing schemas.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.15
RDBMS Type: character
Max Length: 32
suppressible: No
Format: <date/time> <IP address>
Examples: 20010307175245Z 192.168.42.10
This attribute holds the most recent login date and time (and IP address, if available, though it is not reliable).
Sites should not modify this value. It is used for inactivity calculations.
This field is required for proper APS operation.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.16
RDBMS Type: character
Max Length: 128 (see note)
suppressible: No
Format: <date/time> <comment>
Examples: 20010307175245Z APS Interface
This attribute holds the date and time that the user's password last changed, if known. APS will update this field when the password is changed using any APS interface. It is up to the site to update this field if the password is changed in any other way.
This value is used for password expiration calculations and is required for APS operation.
Note on length: This field contains a date, followed by a comment, thus the length is truly variable. APSAdmin can set this to 15 characters for the date, a space, and the full length of the administrator's DN plus 12 characters. Thus, this field needs to accommodate the largest DN of your site. If your site has a custom interface to this field, you may want to make this field even longer.
LDAP Type: cis/Multi-valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.17
RDBMS Type: special, see description
suppressible: Yes
Format: <date/time> <result> <IP address> <comment>
Examples: 20010307175245Z SUCCESS 10.2.3.2
20010307175245Z FAILED 10.2.3.2 SiteMinder
APS uses this attribute to track all authentication activity for this user since the smapsPreviousLogin date. This includes both successes and failures.
This data is informational only. APS does not use it for anything.
In ODBC (RDBMS) directories, this information is kept in a separate table. This table should contain 2 columns: one to store the user's id and another to store the log entry. The names of the fields are discussed in the section on ODBC queries later in this chapter. The maximum length of the Log Entry column is about 60 characters (15 for date, a space, 7 for status, a space, 15 for the IP address, another space, and a comment).
If this field is suppressed, no authentication history will be kept. To suppress its use, be sure to specify this attribute in the [MAPPINGS] section of the APS.cfg file.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.18
RDBMS Type: character
Max Length: 60 (see note)
suppressible: Yes
Format: <integer> <date/time> <IP address> <reason>
Examples: 12 20010307170000Z 192.158.7.10 SiteMinder
This attribute is maintained by APS and is informational only. This information is identical to the information maintained in smapsFailuresSinceLastLogin except that it contains the highest value that the account ever reached.
If this field is suppressed, no such information will be kept. To suppress its use, be sure to specify this attribute in the [MAPPINGS] section of the APS.cfg file.
Note on length: This field contains a number, followed by a comment, thus the length is truly variable. APSAdmin allows 3 characters for the integer value, a space, 15 characters for the date, another space, 15 characters for the IP address, yet another space and up to 20 characters of comment. If your site has a custom interface to this field, you may want to make this field longer.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.19
RDBMS Type: character
Max Length: 36 (see note)
suppressible: Yes
Format: <date/time> <reason>
Examples: 20010307171211Z Forgotten Password
20010307171211Z Admin Reset
If set and the user has not logged in by the specified date and time, the authentication attempt will be rejected. If the user successfully authenticates before this date/time, APS will clear the value.
If the writable directory server is down when the user authenticates, APS will be unable to clear this attribute and the user may not be able to login at a later date.
APS will never set this field, but it will clear it upon a successful authentication prior to the specified date/time.
This field may need to be cleared to enable a user account.
Note on length: This field contains a date, followed by a comment, thus the length is truly variable. APSAdmin allows 15 characters for the date value, a space, and up to 20 characters of user-entered comment. If your site has a custom interface to this field, you may want to make this field longer.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.20
RDBMS Type: character
Max Length: 45
suppressible: No
Format: <date/time> <reason>
Examples: 20010307171211Z ACCOUNT INACTIVITY EXPIRE
20010307171211Z ACCOUNT PURGE
This field is used by APSExpire to trigger activity for the account. It is only concerned with the date/time value; the reason is ignored.
APS will update (or at least check for updates to) this field every time that it modifies any value in the user's entry.
APSExpire will process any entries that have a null value for this field, so if a site performs maintenance on a record that may change this value, it should null out the field so that APSExpire will process this account.
This field is required for APS operation and may not be omitted.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.21
RDBMS Type: not used
suppressible: Yes
Format: <32-bit checksum>
Examples: 2165
This attribute is only used by sites that have converted from a pre-version 3.0 release of APS and, even then, only for a short period of time, in order to detect old copies of APS utilities at their site.
This attribute is not used or needed in any other case.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.22
RDBMS Type: not used
suppressible: Yes
Format: <encrypted>
Note: This description applies to LDAP directories only. ODBC (RDBMS) directories use a stored procedure to obtain the functionality described (the stored procedure will probably need a column to store its data). See the ODBC Queries section later in this chapter.
When a user changes their own password, APS will attempt to read back the password (after it has been changed) to obtain the hashed value that the Directory has stored and store it back into this attribute.
If the Auto Force Change setting is in effect, APS will compare this value with the value stored in the user's password attribute. If they differ, APS assumes that the user's password was changed using an interface other than one provided by APS, and the user will be forced to change their password.
Note that this functionality requires that users have the right to read their own password back and that the administrator credentials specified in the SiteMinder User Directory also have this ability. If not, then APS cannot read the current value of the user's password. Some LDAP implementations (such as Microsoft Active Directory) will not allow the hashed value to be read back in any case.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.23
RDBMS Type: character
Max Length: 32
suppressible: Yes
Format: <date/time> <IP address>
Examples: 20010307175245Z 192.168.42.10
This attribute holds the login date and time prior to the current login date and time (and IP address, if available, though it is not reliable).
If the last login date is to be displayed on user screens, this value should be used rather than smapsLastLogin, since that value will reflect the current login date and time.
Sites should not modify this value. It is informational only. APS does not use this value for any reason.
If this field is suppressed, no such information will be kept. To suppress its use, be sure to specify this attribute in the [MAPPINGS] section of the APS.cfg file.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.24
RDBMS Type: character
Max Length: 9
suppressible: Yes
Format: <number>
Examples: 12
This attribute is informational only. APS will maintain it, but does not use it for any calculations.
This attribute contains the total number of failed logins (for any reason) for this user. It is often displayed on Help Desk panels to give the administrator an idea of the level and pattern of usage for the particular user record.
Sites should not modify this value.
If this field is suppressed, no such information will be kept. To suppress its use, be sure to specify this attribute in the [MAPPINGS] section of the APS.cfg file.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.25
RDBMS Type: character
Max Length: 9
suppressible: Yes
Format: <number>
Examples: 25
This attribute is informational only. APS will maintain it, but does not use it for any calculations.
This attribute contains the total number of successful logins for this user. It is often displayed on Help Desk panels to give the administrator an idea of the level and pattern of usage for the particular user record. In other words, a support desk operator can differentiate, using the value in this field, between a new user, an occasional user, or a user that authenticates to the site on a regular basis.
Sites should not modify this value.
If this field is suppressed, no such information will be kept. To suppress its use, be sure to specify this attribute in the [MAPPINGS] section of the APS.cfg file.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.26
RDBMS Type: character
Max Length: 5
suppressible: Yes
Format: <number>
Examples: 2
This attribute is used by the Forgotten Password Services component of APS to track the number of failed attempts (for lockout purposes).
Sites should not modify this value.
This field can be completely omitted if FPS is not used by a site.
If this field is to be suppressed at a site using FPS, be sure to specify this attribute in the [MAPPINGS] section of the APS.cfg file.
LDAP Type: cis/Multi-valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.27
RDBMS Type: special, see description
suppressible: Yes
Format: <date/time> <comment>
Examples: 20010401173244Z Requesting verification
This attribute is used by the Forgotten Password Services component of APS to record the use of FPS. It is used by FPS to track successful and failed uses of FPS in order to enforce the Max Success Frequency and Max Attempts Frequency settings.
In ODBC (RDBMS) directories, this information is kept in a separate table. This table should contain 2 columns: one to store the user's id and another to store the log entry. The names of the fields are discussed in the section on ODBC queries later in this chapter. The maximum length of the Log Entry column is about 60 characters (15 for date, a space, and a comment).
Sites should not modify this value.
This field can be completely omitted if FPS is not used by a site.
If this field is to be suppressed at a site using FPS, be sure to specify this attribute in the [MAPPINGS] section of the APS.cfg file.
LDAP Type: cis/Single Valued
LDAP OID: 1.3.6.1.4.1.2552.1.1.9.28
RDBMS Type: character
Max Length: 72
suppressible: Yes
Format: <encrypted>
If the OneShotPassword capability of FPS is to be used, APS uses this attribute to store encrypted information about this use. This value will be cleared when used, but there is no security problem if it is retained.
The maximum length refers to the amount of space required to store a 32 character encrypted password.
Sites should not modify this value.
This field can be completely omitted if FPS is not used by a site or the OneShotPassword capability is not in use.
Copyright © 2014 CA.
All rights reserved.