X-Hacker.org - Novlib 3.30 Online Reference - NetWare-defined properties
 NetWare-defined properties
------------------------------------------------------------------------------
    Property fields
    How the bindery is used for network security
    User Groups


    Property flags: Static/Dynamic and Item/Set.
    Security: W = Write, R = Read.
    API = Application Program Interface.

    Property Name     Object Type   Static/   Item/  Security  API
                                    Dynamic   Set    W  R

    ACCOUNT_BALANCE   User          Static    Item   3  2      Accounting
    ACCOUNT_HOLDS     User          Dynamic   Item   3  2      Accounting
    ACCOUNT_SERVERS   File Server   Static    Set    3  1      Accounting
    ACCT_LOCKOUT      File Server   Static    Item   3  3      Security
    BLOCKS_READ       File Server   Static    Item   3  1      Accounting
    BLOCKS_WRITTEN    File Server   Static    Item   3  1      Accounting
    CONNECT_TIME      File Server   Static    Item   3  1      Accounting
    DISK_STORAGE      File Server   Static    Item   3  1      Accounting
    GROUP_MEMBERS     User Group    Static    Set    3  1      Bindery
    GROUPS_I'M_IN     User          Static    Set    3  1      Bindery
    IDENTIFICATION    User          Static    Item   3  1      Bindery
    LOGIN_CONTROL     User          Static    Item   3  2      Security
    NET_ADDRESS       File Server   Dynamic   Item   4  0      Service Adv.
    NODE_CONTROL      User          Static    Item   3  2      Security
    OLD_PASSWORDS     User          Static    Item   3  3      Security
    OPERATORS         File Server   Static    Set    3  3      Bindery
    PASSWORD          User          Static    Set    4  4      Bindery
    Q_DIRECTORY       Print Queue   Static    Item   3  3      Queue Man.
    Q_OPERATORS       Print Queue   Static    Set    3  1      Queue Man.
    Q_SERVERS         Print Queue   Static    Set    3  1      Queue Man.
    Q_USERS           Print Queue   Static    Set    3  1      Queue Man.
    REQUESTS_MADE     File Server   Static    Item   3  1      Accounting
    SECURITY_EQUALS   User          Static    Set    3  2      Bindery
    USER_DEFAULTS     Supervisor    Static    Item   3  1      Security
    MANAGERS          User          Static    Set    3  1      Bindery
    OBJ_SUPERVISORS   User          Static    Set    3  1      Bindery
    PS_USERS          Print Server  Static    Set    3  1      Queue Man.
    PS_OPERATORS      Print Server  Static    Set    3  1      Queue Man.
    MISC_LOGIN_INFO   User          Static    Item   3  1      Bindery

 Property fields

 Each property has a property name, property flags, and a property security
 associated with it. The property name identifies an object's property. The
 property flags field contains two flags: the static/dynamic flag and the
 item/set flag. The static/dynamic flag indicates the expected lifetime of a
 property. The item/set flag specifies the type of information that is
 stored in the property's value. The property security determines who has
 access to the property.

 Property Structure
    Property Name                    1-16 bytes
    Static/Dynamic Flag (low-order)  1 byte
    Item/Set Flag (high-order)       1 byte
    Write/Read Security              1 byte

 Property Name

 A property name is a zero-terminated string of 1 to 15 characters and must
 contain only printable characters (21h through 7Dh). Control characters,
 spaces, slashes (/), backslashes (\), colons (:), semi-colons (;), commas
 (,), asterisks (*), question marks (?), and tildes (~) are invalid
 characters. Property names are recorded in uppercase in the bindery.
 The asterisk (*) and question mark (?) are wildcard characters and can be
 used to specify a search pattern when scanning the properties of a bindery
 object. An asterisk (*) matches 0 or more characters. Thus, the pattern "*"
 will match any property name. A question mark (?) matches exactly one
 character, so the pattern "??" will only match two-character property
 names.

 Property Flags

 The property flags field contains two flags: the static/dynamic flag and
 the item/set flag. The static/dynamic flag indicates the expected lifetime
 of a property. A property is either static or dynamic.
 A static property is a long-term property that must be explicitly deleted
 from the bindery when it is no longer useful. The ACCOUNT_BALANCE property
 is an example of a static property. A dynamic property is one that is
 created and deleted frequently, and is therefore deleted when the file
 server is brought down and re-initialised. The ACCOUNT_HOLDS property is an
 example of a dynamic property.
 The item/set flag indicates whether the property's value contains an item
 or a set of object IDs. The contents of item property values are defined
 and interpreted by programs. The contents of set property values are
 interpreted by the bindery process as a series of object ID numbers, each 4
 bytes long.

 Property Flag Values
    Static Item  0 (00+00)
    Dynamic Item 1 (00+01)
    Static Set   2 (10+00)
    Dynamic Set  3 (10+01)

 Property Security

 The property security controls the read and write access of others to the
 property. The low-order nibble determines who can read (scan for and find)
 the property. The high-order nibble determines who can write to (modify)
 the property's value. For example, a property security of 49 (0x31,
 Supervisor write, logged read) indicates that any user logged in to the
 file server can find the property, but only the Supervisor can modify the
 value of the property.
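
 The flag, security and name rules above, as an added example that is not part
 of the original Novlib reference. The level names for nibbles 0, 2 and 4 are
 an assumption drawn from general NetWare bindery documentation (this page only
 confirms 3 and 1); the function names and the TABLE sample are illustrative.

```python
import re

# Nibble meanings come from general NetWare bindery documentation, not from
# this page, which only confirms 3 = Supervisor and 1 = logged-in user.
LEVELS = {0: "anyone", 1: "logged", 2: "object", 3: "supervisor", 4: "netware"}
INVALID = set("/\\:;,*?~")

def decode_flags(flags):
    """Split the flags value (0-3) into (lifetime, value type)."""
    if flags & ~0x03:
        raise ValueError(f"unknown flag bits in {flags:#04x}")
    return ("dynamic" if flags & 0x01 else "static",
            "set" if flags & 0x02 else "item")

def decode_security(sec):
    """Return (write level, read level): high nibble writes, low reads."""
    write, read = sec >> 4, sec & 0x0F
    if write not in LEVELS or read not in LEVELS:
        raise ValueError(f"undefined security level in {sec:#04x}")
    return LEVELS[write], LEVELS[read]

def normalize_name(name):
    """Uppercase a property name and enforce the length and character rules."""
    name = name.upper()
    if not 1 <= len(name) <= 15:
        raise ValueError("property name must be 1 to 15 characters")
    bad = [c for c in name if not 0x21 <= ord(c) <= 0x7D or c in INVALID]
    if bad:
        raise ValueError(f"invalid characters: {bad!r}")
    return name

def scan(pattern, names):
    """Match names the way a bindery scan does: '*' = 0+ chars, '?' = one."""
    # Built by hand because fnmatch would also treat '[' and ']' as special,
    # and both are legal property-name characters.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern.upper())
    return [n for n in names if re.fullmatch(rx, n)]

# Rows taken from the table above: name -> (flags value, security byte).
TABLE = {"ACCOUNT_HOLDS": (1, 0x32), "GROUPS_I'M_IN": (2, 0x31),
         "PASSWORD": (2, 0x44), "Q_USERS": (2, 0x31), "Q_SERVERS": (2, 0x31)}
```

 Decoding PASSWORD's 0x44 gives the highest level for both write and read,
 which is why ordinary clients cannot scan for that property.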

 Property Value

 Each property has an associated value. For example, a value associated with
 the property GROUPS_I'M_IN must be the object ID of a user group to which
 the user belongs. The value of the property ACCOUNT_BALANCE must be the
 user's current balance. The value of the property PASSWORD must be the
 login password of the user. Although a property can only have one value,
 the value can contain multiple segments (each segment being 128 bytes
 long). Property values fall into one of two categories: set properties or
 item properties.

 Set Property Value

 A set property has an associated list or set of object IDs contained in the
 value of the property. The property value can consist of multiple segments,
 where each segment may contain up to 32 object IDs. (Each object ID is 4
 bytes. Therefore, the maximum number of object IDs that one 128-byte
 segment can hold is 32).
 The GROUPS_I'M_IN property of a user is a set property. The property value
 associated with the GROUPS_I'M_IN property contains the object IDs of the
 user groups to which the user belongs. It is important that set property
 values do not contain anything other than object IDs because the operating
 system interprets each segment of a set property value to be an array of
 object IDs.

 Item Property Value

 An item property has an associated property value which can contain any
 type of data (typically a numeric value, a string or a structure). The
 bindery attaches no significance to the contents of an item property's
 value. The value of an item property is defined and interpreted by programs
 and not by the bindery process.
 A user's PASSWORD and ACCOUNT_BALANCE properties are both examples of item
 properties.  The PASSWORD property is defined to have only one segment and
 contains an encrypted password. The ACCOUNT_BALANCE property value contains
 a monetary balance in the first 4 bytes and a credit limit in the next 4
 bytes of the 128-byte segment. The rest of the segment is filled with
 zeros.

 How the bindery is used for network security

 Directory Trustees

 The security of the bindery and the file system is independent. The bindery
 does not store any of the file system's directory trustee information.
 Directory trustees are stored in directory entries which are an integral
 part of the NetWare physical directory structure. The only relationship
 between the bindery and the file system is that the file system stores each
 directory's trustee in the form of an object ID.

 Supervisor Privileges

 Each bindery has an object named Supervisor. The Supervisor is the network
 administrator and is given special access to the bindery. The Supervisor,
 for example, is the only object that can create, delete, or rename bindery
 objects. It is also the only object that can close and open the bindery for
 archiving purposes. The Supervisor may grant Supervisor privileges to other
 objects through the security equivalence feature.

 Security Equivalence

 The security equivalence feature allows a bindery object to be granted the
 same access rights as another object. For example, using security
 equivalence, the Supervisor can grant Supervisor rights to other objects.
 Once one bindery object is created and given detailed security assignments,
 another object needing the same security can be given security equivalence
 to the first object.

 SECURITY_EQUALS Property

 The SECURITY_EQUALS property of a client contains a list of objects to
 which the client is security equivalent. This property is used when
 determining the access rights of a client to the file server. When an
 object logs in to a file server, the access rights of the object are
 logically ORed together with the access rights possessed by the objects
 listed in its SECURITY_EQUALS property. When determining the directory
 access rights of an object, the file server's directory parsing algorithm
 uses ONLY the first 32 objects listed in this property, even though the
 bindery allows the SECURITY_EQUALS set to grow beyond 32 objects.
 Security equivalences are not transitive, which means an object is
 security-equivalent only to the objects explicitly listed in its
 SECURITY_EQUALS property. In other words, the security equivalence of an
 object is not extended to the equivalences held by an object to which it is
 security-equivalent. So, if MARY is security-equivalent to JOHN and JOHN is
 security-equivalent to Supervisor, MARY is not automatically
 security-equivalent to Supervisor.

 User Groups

 The security equivalence feature is also useful in defining user groups.
 User groups are a means of logically organising users into work groups.
 This allows the system Supervisor to simplify the security process.
 Generally, a user group is assigned specific directory access rights, then
 users are added to the user group.
 When a user is added to a user group with the NetWare utility SYSCON, the
 user's object ID is added to the GROUP_MEMBERS property of the group. The
 object ID of the group is then added to the GROUPS_I'M_IN and
 SECURITY_EQUALS properties of the user.
 The GROUP_MEMBERS property of the group, and the GROUPS_I'M_IN property of
 the user are used together to logically define a group. The SECURITY_EQUALS
 property is used to ensure that a group member has the directory rights
 assigned to the group's object.
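
 An audit of the set properties described under "SECURITY_EQUALS Property" and
 "User Groups", as an added example that is not part of the original Novlib
 reference. Assumptions: object IDs are stored high byte first, a zero ID marks
 an unused slot, and all object IDs and names in the sample are constructed.

```python
import struct

SEGMENT = 128    # bytes per property value segment (from the page)
DIR_LIMIT = 32   # directory rights honour only the first 32 equivalences

def build_set(ids):
    """Pack object IDs into zero-padded 128-byte segments."""
    raw = b"".join(struct.pack(">I", i) for i in ids)  # assumed byte order
    return raw + b"\0" * (-len(raw) % SEGMENT)

def parse_set(value):
    """Return the object IDs stored in a set property value, in order."""
    if len(value) % SEGMENT:
        raise ValueError("set value must be whole 128-byte segments")
    ids = struct.unpack(f">{len(value) // 4}I", value)
    return [i for i in ids if i]  # assumed: a zero ID marks an unused slot

def audit(users, groups, supervisor_id):
    """Report risky or inconsistent equivalences as (user_id, finding)."""
    findings = []
    for uid, props in sorted(users.items()):
        equals = parse_set(props["SECURITY_EQUALS"])
        member_of = parse_set(props["GROUPS_I'M_IN"])
        # Equivalence is not transitive, so only the direct list matters.
        if supervisor_id in equals:
            findings.append((uid, "supervisor-equivalent"))
        if len(equals) > DIR_LIMIT:
            findings.append(
                (uid, f"{len(equals) - DIR_LIMIT} equivalences beyond first 32"))
        for gid in member_of:
            if uid not in parse_set(groups[gid]["GROUP_MEMBERS"]):
                findings.append((uid, f"not in GROUP_MEMBERS of {gid:#x}"))
            if gid not in equals:
                findings.append((uid, f"member of {gid:#x} without its rights"))
        for oid in equals:
            if oid in groups and oid not in member_of:
                findings.append((uid, f"equivalent to group {oid:#x} but not a member"))
    return findings

# Constructed sample bindery: IDs and names are made up for illustration.
SUPERVISOR, JOHN, MARY, STAFF = 0x1, 0x10, 0x11, 0x20
USERS = {
    JOHN: {"SECURITY_EQUALS": build_set([SUPERVISOR, STAFF]),
           "GROUPS_I'M_IN": build_set([STAFF])},
    MARY: {"SECURITY_EQUALS": build_set([JOHN, STAFF]),
           "GROUPS_I'M_IN": build_set([])},
}
GROUPS = {STAFF: {"GROUP_MEMBERS": build_set([JOHN])}}
FINDINGS = audit(USERS, GROUPS, SUPERVISOR)
```

 MARY is equivalent to JOHN but is not reported as supervisor-equivalent,
 matching the non-transitive rule; she is reported only for holding the STAFF
 group's rights without being listed as a member.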

Online resources provided by: http://www.X-Hacker.org --- NG 2 HTML conversion by Dave Pearson