4.2 Attributes (attributeSchema Objects)
Just as class information is stored in Active Directory as instances of the class called classSchema, attributes are represented by instances of the class called attributeSchema. As with any class, attributeSchema defines a number of attributes that can be set when creating a new instance. The attributeSchema class inherits attributes from the class called top, but most of the top attributes are not relevant here. Table 4-1 shows the defining attributes of an instance of the attributeSchema class (i.e., an attribute) that can be set.
Table 4-1. The defining attributes of an attributeSchema object instance

Attribute | Syntax | Mandatory | Multivalued | Description
attributeID | OID | Yes | No | The OID that uniquely identifies this attribute.
cn | Unicode string | Yes | No | The Relative Distinguished Name (RDN).
isSingleValued | Boolean | Yes | No | TRUE if the attribute holds a single value, FALSE if it is multivalued.
lDAPDisplayName | Unicode string | Yes | No | The name by which LDAP clients identify this attribute.
attributeSyntax | OID | Yes | No | Half of the pair of properties that define the syntax of an attribute; this one is an OID.
oMSyntax | Integer | Yes | No | The other half of the syntax pair; this one is an integer.
schemaIDGUID | Octet string | Yes | No | Globally Unique Identifier (GUID) that uniquely identifies this attribute. It is also the object-type GUID used in object-specific ACEs that grant or deny access to this attribute.
objectClass | OID | Yes | Yes | Holds the values "attributeSchema" and "top" to indicate that the object is an instance of those classes.
accessCategory | Integer | No | No | Used by the system.
attributeSecurityGUID | Octet string (GUID) | No | No | GUID of the property set this attribute belongs to, so that a single ACE on the set can grant or deny access to every attribute in it.
classDisplayName | Unicode string | No | No | The name displayed when viewing instances of the attribute.
defaultHidingValue | Boolean | No | No | Whether the object is hidden or displayed within tools by default.
description | Unicode string | No | No | A description of the attribute.
extendedCharsAllowed | Boolean | No | No | Whether extended characters are allowed in the value of this attribute.
isDefunct | Boolean | No | No | Whether the attribute is marked as disabled (i.e., unusable) in Active Directory.
isEphemeral | Boolean | No | No | Used by the system.
isMemberOfPartialAttributeSet | Boolean | No | No | Whether the attribute is replicated to the Global Catalog (GC).
linkID | Integer | No | No | Links this attribute with another attribute (e.g., member and memberOf). An even value marks a forward link; the matching back link carries that value plus one.
mAPIDisplayType | Integer | No | No | The integer by which MAPI clients identify this attribute.
oIDType | Integer | No | No | Used by the system.
oMObjectClass | Octet string | No | No | Used by the system.
rangeLower | Integer | No | No | For strings, the minimum character length; for integers, the minimum value; otherwise unused. It must not be greater than rangeUpper.
rangeUpper | Integer | No | No | For strings, the maximum character length; for integers, the maximum value; otherwise unused.
schemaFlags | Integer | No | No | Used by the system.
schemaFlagsEx | Integer | No | No | Used by the system.
searchFlags | Integer | No | No | A bit field controlling indexing and related behaviour. Bit value 1 means the attribute is indexed; 0 means it is not. Other bits select, for example, ANR, preservation on tombstone and confidentiality.
systemOnly | Boolean | No | No | If TRUE, only the system can write values of this attribute on objects; administrators cannot set it directly, although they can still add the attribute to new or existing classes as required. The default is FALSE.
The syntax of an attribute indicates the type of data that it holds, which we'll cover in a moment. The "Mandatory" column indicates whether the attribute must be set when initially creating an attributeSchema object. Attributes that are not mandatory do not have to be set when creating the object and can be defined later, if they are needed at all. The "Multivalued" column indicates whether the particular attribute can accept an array of values or only a single value; objectClass is the only multivalued attribute in the table.
4.2.1 Dissecting an Example Attribute
The userPrincipalName (UPN) attribute is used on user objects to provide a unique method of identifying each user across a forest. Users can log on to a workstation in any domain in the forest using the UPN if they so desire. A UPN has the form of an RFC 822 (email) address, so the UPN for user tpood in the emea.mycorp.com domain could be either tpood@mycorp.com or tpood@emea.mycorp.com. In fact, any UPN suffix, such as @mycorp.com, can be used in a forest; it does not even have to match one of the forest's domain names. The only requirement is that the UPN value for a user is unique across all users in the forest.

Note: Active Directory, as described here, does not enforce uniqueness of a UPN when it is set. If two different users in the same forest are assigned the same UPN, neither will be able to log on with it. Domain controllers running Windows Server 2012 R2 or later reject an attempt to write a duplicate UPN, but duplicates that already exist must still be found and removed.
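The uniqueness check the note above calls for, as an added example that is not from the book: Python code run against a constructed list of (DN, userPrincipalName) pairs standing in for the result of a forest-wide LDAP search. It reports UPNs shared by more than one account (compared case-insensitively, as the logon lookup does) and UPNs that are empty, not of the form user@suffix, or carrying a suffix outside an assumed list of the forest's registered suffixes.

```python
"""Find userPrincipalName problems across a set of user records.

Added example, not from the book.  SAMPLE_USERS is constructed to mimic
a forest-wide LDAP search result; ALLOWED_SUFFIXES is an assumption
standing in for the suffixes registered on the forest.
"""
import re
from collections import defaultdict

# Assumed: the suffixes a real check would read from the forest.
ALLOWED_SUFFIXES = {"mycorp.com", "emea.mycorp.com"}

# A UPN is user@suffix.  RFC 822 allows more than this, but AD expects
# exactly one '@' and no whitespace, so that is what we enforce.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

# Constructed sample records (DN, userPrincipalName).  The case-variant
# duplicate, the unregistered suffix, the empty UPN and the malformed
# UPN are all deliberate.
SAMPLE_USERS = [
    ("cn=tpood,cn=Users,dc=emea,dc=mycorp,dc=com", "tpood@mycorp.com"),
    ("cn=jsmith,cn=Users,dc=emea,dc=mycorp,dc=com", "jsmith@emea.mycorp.com"),
    ("cn=tpood2,cn=Users,dc=mycorp,dc=com", "TPood@MyCorp.com"),
    ("cn=svc-backup,cn=Users,dc=mycorp,dc=com", "svc-backup@contoso.com"),
    ("cn=legacy,cn=Users,dc=mycorp,dc=com", None),
    ("cn=broken,cn=Users,dc=mycorp,dc=com", "two@at@mycorp.com"),
]


def duplicate_upns(users):
    """Group DNs by UPN, case-insensitively, and return the groups with
    more than one DN.  AD matches UPNs case-insensitively at logon, so
    'A@x' and 'a@x' collide even though a plain comparison says otherwise."""
    by_upn = defaultdict(list)
    for dn, upn in users:
        if upn:
            by_upn[upn.lower()].append(dn)
    return {upn: dns for upn, dns in by_upn.items() if len(dns) > 1}


def malformed_upns(users, allowed_suffixes=ALLOWED_SUFFIXES):
    """Return (dn, upn, reason) for UPNs that are missing, not user@suffix,
    or use a suffix the forest does not know about."""
    allowed = {s.lower() for s in allowed_suffixes}
    problems = []
    for dn, upn in users:
        if not upn:
            problems.append((dn, upn, "no userPrincipalName set"))
            continue
        if not UPN_RE.match(upn):
            problems.append((dn, upn, "not of the form user@suffix"))
            continue
        suffix = upn.rsplit("@", 1)[1].lower()
        if suffix not in allowed:
            problems.append((dn, upn, "suffix not registered in the forest"))
    return problems


if __name__ == "__main__":
    for upn, dns in duplicate_upns(SAMPLE_USERS).items():
        print(f"DUPLICATE {upn}: {', '.join(dns)}")
    for dn, upn, reason in malformed_upns(SAMPLE_USERS):
        print(f"BAD {dn}: {upn!r} ({reason})")
```

Against a live forest the input comes from an LDAP search of every domain for user objects with userPrincipalName returned (or, in PowerShell, Get-ADUser -Filter * -Properties userPrincipalName); the checks above do not change.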
To dissect the attribute, we need to find out what values have been set for it. Perhaps the easiest way to do this is to use ADSI Edit. On older Windows Server releases it is installed from the Windows Support Tools on the server CD by running \Support\Tools\setup.exe; on Windows Server 2008 and later it ships with the AD DS management tools as adsiedit.msc. Table 4-2 shows the values of attributes that have been set for the userPrincipalName attribute.
Table 4-2. userPrincipalName's attributes

Attribute | Syntax | Value
adminDescription | CASE_IGNORE_STRING | User-Principal-Name
adminDisplayName | CASE_IGNORE_STRING | User-Principal-Name
cn | CASE_IGNORE_STRING | User-Principal-Name
distinguishedName | DN_STRING | cn=User-Principal-Name,cn=Schema,cn=Configuration,dc=mycorp,dc=com
instanceType | INTEGER | 4
name | CASE_IGNORE_STRING | User-Principal-Name
nTSecurityDescriptor | SECURITY_DESCRIPTOR | <security descriptor>
objectCategory | DN_STRING | cn=Attribute-Schema,cn=Schema,cn=Configuration,dc=mycorp,dc=com
objectClass | CASE_IGNORE_STRING | top; attributeSchema (two values of a multivalued attribute)
objectGUID | OCTET_STRING | <GUID>
showInAdvancedViewOnly | BOOLEAN | True
systemFlags | INTEGER | 18
uSNChanged | LARGE_INTEGER | USN when last changed
uSNCreated | LARGE_INTEGER | USN when created
whenChanged | UTC_TIME | Time when last changed
whenCreated | UTC_TIME | Time when created
attributeID | CASE_IGNORE_STRING | 1.2.840.113556.1.4.656
attributeSecurityGUID | OCTET_STRING | <GUID>
attributeSyntax | CASE_IGNORE_STRING | 2.5.5.12
isMemberOfPartialAttributeSet | BOOLEAN | True
isSingleValued | BOOLEAN | True
lDAPDisplayName | CASE_IGNORE_STRING | userPrincipalName
oMSyntax | INTEGER | 64
schemaIDGUID | OCTET_STRING | <GUID>
searchFlags | INTEGER | 1
systemOnly | BOOLEAN | False
We can see that the name of the attribute is User-Principal-Name (adminDescription, adminDisplayName, cn, name), that it is an instance of the attributeSchema class (objectCategory and objectClass), that it inherits attributes from both top and attributeSchema (objectClass), and that the UPN attribute is not visible to casual browsing (showInAdvancedViewOnly).
The userPrincipalName attributes show the following:
It is replicated to the GC (isMemberOfPartialAttributeSet). The systemFlags value of 18 (0x10 + 0x02) says the same thing: it is a base schema object that is required to be in the partial attribute set.
It is indexed (searchFlags = 1).
It has an OID of 1.2.840.113556.1.4.656 (attributeID).
When binding to it with ADSI or searching for it with LDAP, we should use userPrincipalName (lDAPDisplayName).
Its values can be written by any client with the necessary permissions, not only by the system (systemOnly = False).
It stores a single value (isSingleValued) of Unicode string syntax (attributeSyntax 2.5.5.12 paired with oMSyntax 64).
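Worked example, added here and not the book's code, that turns a raw attributeSchema dump such as Table 4-2 into the facts listed above and also checks a proposed new attribute against the mandatory set and constraints of Table 4-1. The syntax pairs and flag bit values are the documented Active Directory ones (the syntax list is a subset); UPN_DUMP is Table 4-2's data as a Python dict, and NEW_ATTRIBUTE is a made-up definition with deliberate mistakes. It goes beyond the text in decoding searchFlags and systemFlags as bit fields rather than reading them as plain numbers.

```python
"""Decode an attributeSchema object and sanity-check a proposed new one.

Added example, not from the book.  Syntax pairs and flag bits are the
documented AD values (SYNTAX_PAIRS is a subset); UPN_DUMP is Table 4-2
as a dict and NEW_ATTRIBUTE is a made-up definition with known errors.
"""

# (attributeSyntax OID, oMSyntax) -> syntax name, for common attributes.
SYNTAX_PAIRS = {
    ("2.5.5.1", 127): "Distinguished Name",
    ("2.5.5.4", 20): "Case-insensitive string",
    ("2.5.5.8", 1): "Boolean",
    ("2.5.5.9", 2): "Integer",
    ("2.5.5.10", 4): "Octet string",
    ("2.5.5.12", 64): "Unicode string",
    ("2.5.5.15", 66): "NT security descriptor",
    ("2.5.5.16", 65): "Large integer",
}

# searchFlags is a bit field, not a 0/1 "indexed" switch.
SEARCH_FLAGS = {
    0x01: "indexed",
    0x02: "indexed per container",
    0x04: "ambiguous name resolution (ANR)",
    0x08: "preserved on tombstone",
    0x10: "copied when an object is duplicated",
    0x20: "tuple (substring) index",
    0x40: "subtree index",
    0x80: "confidential (needs CONTROL_ACCESS to read)",
}

# systemFlags bits that apply to attributeSchema objects.
SYSTEM_FLAGS = {
    0x01: "not replicated",
    0x02: "required in the partial attribute set (GC)",
    0x04: "constructed",
    0x08: "operational",
    0x10: "base schema object",
}

# Table 4-2's values in the shape an LDAP client returns them (constructed).
UPN_DUMP = {
    "lDAPDisplayName": "userPrincipalName",
    "attributeID": "1.2.840.113556.1.4.656",
    "attributeSyntax": "2.5.5.12",
    "oMSyntax": 64,
    "isSingleValued": True,
    "isMemberOfPartialAttributeSet": True,
    "searchFlags": 1,
    "systemFlags": 18,
    "systemOnly": False,
}

# The mandatory attributeSchema attributes from Table 4-1 (objectClass is
# supplied by the create operation itself).
MANDATORY = ("attributeID", "cn", "isSingleValued", "lDAPDisplayName",
             "attributeSyntax", "oMSyntax", "schemaIDGUID")


def bits(value, table):
    """Names of the flags set in value; unknown bits are reported, not dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names


def describe(dump):
    """Turn a raw attributeSchema dump into the facts listed in the text."""
    pair = (dump["attributeSyntax"], dump["oMSyntax"])
    return {
        "name": dump["lDAPDisplayName"],
        "oid": dump["attributeID"],
        "syntax": SYNTAX_PAIRS.get(pair, f"unknown pair {pair}"),
        "single_valued": bool(dump["isSingleValued"]),
        "in_gc": bool(dump.get("isMemberOfPartialAttributeSet")),
        "search": bits(dump.get("searchFlags", 0), SEARCH_FLAGS),
        "system": bits(dump.get("systemFlags", 0), SYSTEM_FLAGS),
        "writable_by_clients": not dump.get("systemOnly", False),
    }


def validate(defn):
    """Problems with a proposed definition: a missing mandatory attribute,
    a syntax pair that is not a known syntax, or rangeLower above rangeUpper."""
    problems = [f"missing mandatory attribute {a}" for a in MANDATORY if a not in defn]
    pair = (defn.get("attributeSyntax"), defn.get("oMSyntax"))
    if None not in pair and pair not in SYNTAX_PAIRS:
        problems.append(f"attributeSyntax/oMSyntax pair {pair} is not a known syntax")
    lo, hi = defn.get("rangeLower"), defn.get("rangeUpper")
    if lo is not None and hi is not None and lo > hi:
        problems.append(f"rangeLower {lo} exceeds rangeUpper {hi}")
    return problems


# Made-up definition: schemaIDGUID is missing, and oMSyntax 2 (Integer)
# does not go with attributeSyntax 2.5.5.12 (Unicode string).
NEW_ATTRIBUTE = {
    "attributeID": "1.3.6.1.4.1.99999.1.1",  # placeholder, not a registered OID
    "cn": "MyCorp-Badge-Number",
    "lDAPDisplayName": "myCorpBadgeNumber",
    "isSingleValued": True,
    "attributeSyntax": "2.5.5.12",
    "oMSyntax": 2,
    "rangeLower": 1,
    "rangeUpper": 16,
}
```

On a live directory the dump comes from reading cn=User-Principal-Name,cn=Schema,cn=Configuration,... with ADSI Edit or an LDAP search; the returned attributes are passed to describe() as they are. Running validate() on a definition before it goes into an LDIF or script catches the two mistakes that are hardest to undo, because a schema attribute cannot be deleted once created, only marked defunct.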
In Figure 4-3, you can see many of the values for the UPN attribute. We have indicated which attributes are changed by checking or unchecking each checkbox.