---
title: Glossary
description: Control to grant or to deny access to a resource.
component: pingds
version: 8.1
page_id: pingds:getting-started:glossary
canonical_url: https://docs.pingidentity.com/pingds/8.1/getting-started/glossary.html
revdate: 2025-10-22T14:42:39Z
---

# Glossary

* access control

  Control to grant or to deny access to a resource.

* access control instruction (ACI)

  An instruction or rule that can be used to grant or deny access to users to perform operations on a server.

* access control list (ACL)

  A list connecting a user or group of users to one or more security entitlements.

* access log

  A server log tracing the operations the server processes including timestamps, connection information, and information about the operation itself.

* account lockout

  The act of making an account temporarily or permanently inactive after successive authentication failures.

* active user

  A user with valid credentials and the ability to authenticate and use the services.

* approximate index

  Matches values that sound like those provided in the filter.

* attribute value assertion (AVA)

  An attribute description and a matching rule assertion value for the attribute used to determine whether an entry matches the assertion.

* audit log

  A server access log with changes in LDIF format.

* authentication

  The act of confirming the identity of a principal.

* authorization

  The act of determining whether to grant or deny a user access to a resource.

* backend

  A repository to store directory data. Different implementations with different capabilities exist.

* branch

  The distinguished name of a non-leaf entry in the Directory Information Tree and its subordinates.

* certificate authority (CA)

  An entity that issues digital certificates.

* change sequence number (CSN)

  An opaque string uniquely identifying a single change to directory data and when it occurred.

* collective attribute

  A standard mechanism for defining attributes on all the entries in a particular subtree.

* database cache

  Memory space set aside for database content.

* directory information tree (DIT)

  A set of directory entries organized hierarchically in a tree structure.

* directory server agent (DSA)

  A single directory server.

* directory superuser (superuser)

  An account with full administration privileges to bypass access control evaluation, change access controls, and change administrative privileges. Analogous to the Linux root and Windows Administrator accounts.

* distinguished name (DN)

  A name uniquely identifying an object within the hierarchy of a directory tree.

* DSA-specific entry (DSE)

  An entry holding information for use by the directory, not returned in searches by default.

* dynamic group

  A group specifying members with LDAP URLs.

* elapsed time (etime)

  Time to process a request, starting from the moment a worker thread can process the decoded operation.

* entry

  An object in the directory having one or more object classes and their attributes.

* entry cache

  Memory space set aside for frequently accessed, large entries.

* equality index

  Matches values that correspond exactly, optionally for case sensitivity, to those provided in the filter.

* errors log

  A server log tracing server events, error conditions, and warnings, categorized and identified by severity.

* export

  Save directory data to an LDIF file.

* extensible match index

  Matches with a matching rule, such as generalized time, other than approximate, equality, ordering, presence, substring, or VLV.

* generation ID

  An initial state identifier for a replication base DN based on the first 1000 entries.

* HDAP gateway

  A standalone HDAP web application.

* HTTP directory access protocol (HDAP)

  The DS feature providing REST APIs and HTTP access to directory data.

* import

  Read in and index directory data from an LDIF file.

* inactive user

  A user who can't authenticate or use the services.

* index

  A backend feature for quick entry lookup based on attribute values.

* index entry limit

  The maximum number of entries listed for an index key, beyond which the server stops maintaining the list for that key.

* LDAP abandon operation (abandon)

  Stop processing a request in progress and drop the connection without a reply to the client application.

* LDAP add operation (add)

  Adds a new entry or entries to the directory.

* LDAP anonymous bind operation (anonymous bind)

  Simple authentication with an empty DN and an empty password, allowing anonymous access like reading public information.

* LDAP attribute (attribute)

  A property of a directory entry, stored as one or more key-value pairs.

* LDAP bind operation (bind)

  Authenticates the client application. The server uses the identity to make authorization decisions.

* LDAP compare operation (compare)

  Compares a specified attribute value with the value stored on an entry in the directory.

* LDAP control (control)

  An addition to an LDAP message to specify how to process the operation.

* LDAP Data Interchange Format (LDIF)

  An IETF standard file format for representing LDAP directory content and modifications to directory content. Typically used to import and export LDAP-based directory information.

* LDAP delete operation (delete)

  Removes an existing entry or entries from the directory.

* LDAP extended operation (extended operation)

  An LDAP operation not included in the original standards.

* LDAP group (group)

  An entry identifying a set of member entries in the directory.

* LDAP modify DN operation (rename)

  Changes the distinguished name of an entry.

* LDAP modify operation (modify)

  Changes one or more attributes of an entry.

* LDAP operational attribute (operational attribute)

  An attribute with a special, operational meaning for the server, not returned in searches by default.

* LDAP schema (schema)

  Definitions of object classes, attribute types, attribute value syntaxes, matching rules, and other constraints on entries.

* LDAP search filter (filter)

  An expression the server uses to find entries matching a search request.

* LDAP search operation (search)

  Return entries based on an LDAP filter, a base DN, and a scope.

* LDAP static group (static group)

  An entry enumerating member entries.

* LDAP subentry (subentry)

  An entry residing with user data but holding operational data, not returned in searches by default.

* LDAP unbind operation (unbind)

  Release resources at the end of a session.

* LDAP Uniform Resource Locator (LDAP URL)

  A standard uniform resource locator for accessing entries in a directory.

* LDAP user attribute (user attribute)

  An attribute for storing user or application data on a directory entry.

* LDAP virtual attribute (virtual attribute)

  An attribute with dynamically generated values not persistently stored in the backend.

* LDAP virtual static group (virtual static group)

  An entry representing dynamic groups as static groups.

* LDAPS

  LDAP over TLS.

* Lightweight Directory Access Protocol (LDAP)

  An open, cross-platform protocol used for interacting with directory services.

* matching rule

  A rule for matching operations against assertion values, associated with attribute syntaxes.

* naming context

  A base DN under which client applications can look for user data.

* object identifier (OID)

  A hierarchical string of digits and dots to uniquely identify an object.

* ordering index

  Matches values for a filter that specifies a range.

* password policy

  A set of rules for the sequence of characters constituting an acceptable password.

* password reset

  Password change performed by a user other than the user who owns the entry.

* password storage scheme

  A mechanism for encoding user passwords stored on directory entries.

* password validator

  A mechanism to accept or reject a proposed password.

* presence index

  Matches when an attribute is present on the entry, regardless of the value.

* principal

  Represents a successfully authenticated entity, such as a user, a device, or an application.

* privilege

  A server setting controlling access to an administrative operation.

* referential integrity

  The act of ensuring group membership remains consistent following changes to member entries.

* referint log

  A server log tracing referential integrity events, with entries similar to the errors log.

* referral

  A reference to another directory location where the server can process the current operation.

* relative distinguished name (RDN)

  The initial portion of a DN distinguishing the entry from all others at the same level.

* replica

  A directory server configured to use replication.

* replication

  Data synchronization to ensure all participating servers eventually share a consistent set of directory data.

* root DSA-specific entry (root DSE)

  The entry with an empty string DN ("") exposing information about the directory server itself.

* simple authentication

  Bind with a user's entry DN and password.

* substring index

  Matches values specified with wildcards in the filter.

* suffix

  The DN of a root entry in the DIT and all its subordinate entries taken together as a single object of administrative tasks.

* task

  A mechanism for remote access to server administrative actions.

* unindexed search

  A search operation for which the server has no appropriate index.

* virtual list view index (VLV index)

  Matches browsing requests for paging through a long list of results.

* X.500 directory standards (X.500)

  A family of standardized protocols for accessing, browsing, and maintaining a directory, predating LDAP.
