Attributes (attributeSchema Objects)

Just as class information is stored in Active Directory as instances of the class called classSchema, attributes are represented by instances of the class called attributeSchema. As with all objects, the attributeSchema class has a number of attributes that can be set when specifying a new instance. The attributeSchema class inherits attributes from the class called top. However, most of the top attributes are not really relevant here. Table 4-1 shows the defining attributes of an instance of the attributeSchema class (i.e., an attribute) that can be set.

Table 4-1. The defining attributes of an attributeSchema object instance

Attribute | Syntax | Mandatory | Multivalued | Description
accessCategory | Integer | No | No | Used by the system.
attributeID | OID | Yes | No | The OID that uniquely identifies this attribute.
attributeSecurityGUID | GUID | No | No | GUID used to tie an attribute to a property set, so that access to a whole group of attributes can be granted or denied with a single ACE.
attributeSyntax | OID | Yes | No | Half of the pair of values that define the syntax of an attribute. This one is an OID.
classDisplayName | Unicode string | No | No | The name displayed when viewing instances of the attribute.
cn | Unicode string | Yes | No | The Relative Distinguished Name (RDN).
defaultHidingValue | Boolean | No | No | Whether the object is hidden or displayed within tools by default.
description | Unicode string | No | No | A description of the attribute.
extendedCharsAllowed | Boolean | No | No | Whether extended characters are allowed in the value of this attribute.
isDefunct | Boolean | No | No | Whether the attribute is marked as disabled (i.e., unusable) in Active Directory. Schema objects cannot be deleted, so this is how an attribute is retired.
isEphemeral | Boolean | No | No | Used by the system.
isMemberOfPartialAttributeSet | Boolean | No | No | Whether the attribute is replicated to the Global Catalog (GC).
isSingleValued | Boolean | Yes | No | True if the attribute holds a single value; false if it is multivalued.
lDAPDisplayName | Unicode string | Yes | No | The name by which LDAP clients identify this attribute.
linkID | Integer | No | No | Pairs the attribute with a linked attribute: an even value marks a forward link and the next odd value marks its back link (e.g., member is 2 and memberOf is 3).
mAPIDisplayType | Integer | No | No | The integer by which MAPI clients identify this attribute.
objectClass | OID | Yes | Yes | Holds the values attributeSchema and top to indicate that the object is an instance of those classes.
oIDType | Integer | No | No | Used by the system.
oMObjectClass | Octet string | No | No | For attributes whose oMSyntax is 127 (object syntaxes such as DN), a BER-encoded OID that refines the syntax; otherwise unused.
oMSyntax | Integer | Yes | No | Half of the pair of values that define the syntax of an attribute. This one is an integer.
rangeLower | Integer | No | No | For strings, the minimum character length; for integers, the minimum value; for octet strings, the minimum length in bytes. It must be less than rangeUpper.
rangeUpper | Integer | No | No | For strings, the maximum character length; for integers, the maximum value; for octet strings, the maximum length in bytes.
schemaFlags | Integer | No | No | Used by the system.
schemaFlagsEx | Integer | No | No | Used by the system.
schemaIDGUID | Octet string | Yes | No | Globally Unique Identifier (GUID) that uniquely identifies this attribute. It is also the object-type GUID that object-specific ACEs use to grant or deny access to this particular attribute.
searchFlags | Integer | No | No | Bit flags that control indexing, ambiguous name resolution (ANR), tuple indexing, confidentiality and related search behaviour.
systemFlags | Integer | No | No | Bit flags that define additional properties of the attribute, such as whether it is replicated, required in the GC, constructed, or part of the base schema.
systemOnly | Boolean | No | No | If true, only the system can write values of this attribute; administrators cannot set it on objects, but they can still add it to new or existing classes as required. The default is false.

The syntax of an attribute indicates the type of data that it holds, which we'll cover in a moment. The "Mandatory" column indicates whether the attribute must be set when initially creating an attributeSchema object. Attributes that are not mandatory do not have to be set when creating the object and can be defined later, if they are needed at all. The "Multivalued" column indicates whether the particular attribute can accept an array of values or whether it accepts only a single value; there are no multivalued attributes here other than objectClass.

Dissecting an Example Active Directory Attribute

The userPrincipalName (UPN) attribute is used on user objects to provide a unique method of identifying each user across a forest. Users can log on to a workstation in any domain in the forest using the UPN if they so desire. The UPN attribute, in fact, accepts valid RFC 822 (email) addresses, so the UPN for user tpood in the emea.mycorp.com domain could be or , or even . In fact, any UPN suffix, such as , can be used in a forest. The only requirement is that the UPN value for a user is unique across all users in a forest.

Tip

Active Directory (up to and including Windows Server 2008 R2 domain controllers) does not enforce uniqueness of a UPN when it is set. If two different users in the same forest are assigned the same UPN, neither will be able to log on using the UPN. Domain controllers running Windows Server 2012 R2 or later reject a write that would create a duplicate UPN, but the check is made by the DC taking the write, so a periodic audit for duplicates is still worthwhile.
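The audit the Tip calls for, as an added example that is not part of the book: export users with ldifde (the command line in the docstring is the standard tool invocation, assumed here), parse the LDIF, and report UPNs that collide when compared case-insensitively or that are not in name@suffix form. The LDIF in the block is constructed for illustration.

```python
"""Audit userPrincipalName uniqueness from an ldifde export (added example).

Typical export, run on a domain controller (assumed standard ldifde usage):
    ldifde -f users.ldf -r "(objectClass=user)" -l userPrincipalName
The LDIF below is constructed for illustration and is not a real export."""
import base64
import re
from collections import defaultdict

# Loose RFC 822-style shape (local part, "@", suffix). AD itself does not
# validate the shape; it only requires the value to be unique forest-wide.
UPN_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+$")


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attr: [values]} records.
    Handles folded continuation lines (leading space) and base64 values
    ('::'), both of which ldifde emits."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:                   # sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return records


def normalize_upn(upn):
    # UPN matching at logon is case-insensitive, so fold case before comparing.
    return upn.strip().casefold()


def find_upn_problems(records):
    """Return (duplicates, malformed).
    duplicates: folded UPN -> list of DNs sharing it (only UPNs held by >1 user).
    malformed:  DNs whose UPN is set but is not in name@suffix form."""
    by_upn, malformed = defaultdict(list), []
    for rec in records:
        dn = rec.get("dn", ["?"])[0]
        upn = rec.get("userPrincipalName", [None])[0]
        if not upn:
            continue    # UPN is optional; such users log on with DOMAIN\sAMAccountName
        if not UPN_SHAPE.match(upn):
            malformed.append(dn)
        by_upn[normalize_upn(upn)].append(dn)
    duplicates = {u: dns for u, dns in by_upn.items() if len(dns) > 1}
    return duplicates, malformed


# Constructed sample: two users whose UPNs differ only in case, one base64
# value (LDIF encodes values that are not safe as plain text this way),
# one UPN with no suffix, and one user without a UPN at all.
SAMPLE_LDIF = """\
dn: CN=tpood,OU=Users,DC=emea,DC=mycorp,DC=com
changetype: add
userPrincipalName: tpood@mycorp.com

dn: CN=Tina Pood,OU=Users,DC=amer,DC=mycorp,DC=com
changetype: add
userPrincipalName: TPood@MyCorp.com

dn: CN=jsmith,OU=Users,DC=emea,DC=mycorp,DC=com
changetype: add
userPrincipalName:: anNtaXRoQGVtZWEubXljb3JwLmNvbQ==

dn: CN=svc-backup,OU=Service,DC=emea,DC=mycorp,DC=com
changetype: add
userPrincipalName: svc-backup

dn: CN=guest,OU=Users,DC=emea,DC=mycorp,DC=com
changetype: add
"""

if __name__ == "__main__":
    dups, bad = find_upn_problems(parse_ldif(SAMPLE_LDIF))
    for upn, dns in dups.items():
        print(f"DUPLICATE {upn}: {', '.join(dns)}")
    for dn in bad:
        print(f"MALFORMED UPN on {dn}")
```

Case folding is the part that matters: tpood@mycorp.com and TPood@MyCorp.com are distinct byte strings but the same UPN to a logon, so a naive exact-match duplicate search misses exactly the collision that breaks logon.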

To dissect the attribute, we need to find out what values have been set for it. Perhaps the easiest way to do this is to use ADSIEdit from the Windows Support Tools, which can be installed from a Windows Server CD by running \Support\Tools\setup.exe (on Windows Server 2008 and later, adsiedit.msc ships with the AD DS administration tools). Table 4-2 shows the values of attributes that have been set for the userPrincipalName attribute.

Table 4-2. userPrincipalName's attributes

Attribute lDAPDisplayName | Attribute syntax | Attribute value
adminDescription | CASE_IGNORE_STRING | User-Principal-Name
adminDisplayName | CASE_IGNORE_STRING | User-Principal-Name
attributeID | CASE_IGNORE_STRING | 1.2.840.113556.1.4.656
attributeSecurityGUID | OCTET_STRING | GUID for the Public Information property set
attributeSyntax | CASE_IGNORE_STRING | 2.5.5.12
cn | CASE_IGNORE_STRING | User-Principal-Name
distinguishedName | DN_STRING | cn=User-Principal-Name,cn=Schema,cn=Configuration,dc=mycorp,dc=com
instanceType | INTEGER | 4
isMemberOfPartialAttributeSet | BOOLEAN | True
isSingleValued | BOOLEAN | True
lDAPDisplayName | CASE_IGNORE_STRING | userPrincipalName
name | CASE_IGNORE_STRING | User-Principal-Name
nTSecurityDescriptor | SECURITY_DESCRIPTOR | Binary representation of the security descriptor for the attribute
objectCategory | DN_STRING | cn=Attribute-Schema,cn=Schema,cn=Configuration,dc=mycorp,dc=com
objectClass | CASE_IGNORE_STRING | top; attributeSchema (two values of a multivalued attribute)
objectGUID | OCTET_STRING | <GUID>
oMSyntax | INTEGER | 64
schemaIDGUID | OCTET_STRING | <GUID>
searchFlags | INTEGER | 1 (Indexed)
showInAdvancedViewOnly | BOOLEAN | True
systemFlags | INTEGER | 18 (Category 1 attribute, replicated to GC)
systemOnly | BOOLEAN | False
uSNChanged | LARGE_INTEGER | USN when last changed
uSNCreated | LARGE_INTEGER | USN when created
whenChanged | UTC_TIME | Time when last changed on this DC
whenCreated | UTC_TIME | Time when created

We can see that the name of the attribute is User-Principal-Name (adminDescription, adminDisplayName, cn, name), that it is an instance of the attributeSchema class (objectCategory and objectClass), that it inherits attributes from both top and attributeSchema (objectClass), and that the UPN attribute is not visible to casual browsing (showInAdvancedViewOnly).

The userPrincipalName attributes show the following:

  • It is stored in the GC (isMemberOfPartialAttributeSet is True, and systemFlags has the "replicated to GC" bit set).

  • It is indexed (searchFlags is 1).

  • It has an OID of 1.2.840.113556.1.4.656 (attributeID).

  • When referring to it in LDAP or ADSI code, we should use userPrincipalName (lDAPDisplayName).

  • Its value on a user object can be written by ordinary clients that hold the appropriate permissions, not only by the system (systemOnly is False).

  • It stores a single (isSingleValued) Unicode string (attributeSyntax 2.5.5.12 together with oMSyntax 64).

In Figure 4-3, you can see many of the values for the UPN attribute as the graphical tools present them. We have indicated which underlying schema attributes are changed by checking or unchecking each checkbox.
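The following Python script, added here and not part of the book, does programmatically what Table 4-1 and the dissection above do by hand: it decodes searchFlags, systemFlags and the attributeSyntax/oMSyntax pair of an attributeSchema entry, and lints a proposed definition for the mistakes that make a schema extension fail or misbehave (a missing mandatory attribute, a mismatched syntax pair, a missing oMObjectClass for an object syntax, an inverted range, and an attributeID squatting on Microsoft's OID arc). The flag bits and syntax pairs are the documented Active Directory constants; both sample entries are constructed, the first from Table 4-2 (with a placeholder schemaIDGUID because the page does not print the real value) and the second a hypothetical custom attribute.

```python
"""Decode and lint an attributeSchema definition offline (added example, not
from the book). Flag bits and syntax pairs are the documented AD constants;
the two sample definitions are constructed (UPN from Table 4-2, plus a
deliberately broken custom attribute), not read from a domain controller."""

SEARCH_FLAGS = {            # searchFlags bits
    0x001: "fATTINDEX (indexed)",
    0x002: "fPDNTATTINDEX (indexed per container)",
    0x004: "fANR (ambiguous name resolution)",
    0x008: "fPRESERVEONDELETE (kept on tombstones)",
    0x010: "fCOPY (copied when a user is duplicated)",
    0x020: "fTUPLEINDEX (tuple index for medial-string searches)",
    0x040: "fSUBTREEATTINDEX (subtree/VLV index)",
    0x080: "fCONFIDENTIAL (needs a control-access right to read)",
    0x100: "fNEVERVALUEAUDIT",
    0x200: "fRODCFilteredAttribute (withheld from RODCs)",
}
SYSTEM_FLAGS = {            # systemFlags bits meaningful on attributeSchema
    0x01: "FLAG_ATTR_NOT_REPLICATED",
    0x02: "FLAG_ATTR_REQ_PARTIAL_SET (replicated to the GC)",
    0x04: "FLAG_ATTR_IS_CONSTRUCTED",
    0x08: "FLAG_ATTR_IS_OPERATIONAL",
    0x10: "FLAG_SCHEMA_BASE_OBJECT (category 1, shipped with AD)",
    0x20: "FLAG_ATTR_IS_RDN",
}
# Valid (attributeSyntax, oMSyntax) pairs. 2.5.5.10 and 2.5.5.17 share
# oMSyntax 4, which is why both halves of the pair are needed.
SYNTAX_PAIRS = {
    ("2.5.5.1", 127): "Distinguished Name",   ("2.5.5.2", 6): "OID string",
    ("2.5.5.3", 27): "Case-exact string",     ("2.5.5.4", 20): "Case-ignore string",
    ("2.5.5.5", 19): "Printable string",      ("2.5.5.5", 22): "IA5 string",
    ("2.5.5.6", 18): "Numeric string",        ("2.5.5.7", 127): "DN-with-binary",
    ("2.5.5.8", 1): "Boolean",                ("2.5.5.9", 2): "Integer",
    ("2.5.5.9", 10): "Enumeration",           ("2.5.5.10", 4): "Octet string",
    ("2.5.5.11", 23): "UTC time",             ("2.5.5.11", 24): "Generalized time",
    ("2.5.5.12", 64): "Unicode string",       ("2.5.5.13", 127): "Presentation address",
    ("2.5.5.14", 127): "DN-with-string",      ("2.5.5.15", 66): "NT security descriptor",
    ("2.5.5.16", 65): "Large integer",        ("2.5.5.17", 4): "SID",
}
NEEDS_OM_OBJECT_CLASS = {"2.5.5.1", "2.5.5.7", "2.5.5.13", "2.5.5.14"}  # oMSyntax 127
MANDATORY = ("attributeID", "attributeSyntax", "cn", "isSingleValued",
             "lDAPDisplayName", "oMSyntax", "objectClass", "schemaIDGUID")
MICROSOFT_ARC = "1.2.840.113556."


def decode_flags(value, table):
    """Expand an integer bit field into the names of the bits that are set."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names


def syntax_name(entry):
    return SYNTAX_PAIRS.get((entry.get("attributeSyntax"), entry.get("oMSyntax")))


def describe(entry):
    """The same summary the chapter derives by hand for userPrincipalName."""
    return {
        "ldap_name": entry.get("lDAPDisplayName"),
        "syntax": syntax_name(entry),
        "single_valued": bool(entry.get("isSingleValued")),
        "in_gc": bool(entry.get("isMemberOfPartialAttributeSet")),
        "system_only": bool(entry.get("systemOnly")),
        "search_flags": decode_flags(entry.get("searchFlags", 0), SEARCH_FLAGS),
        "system_flags": decode_flags(entry.get("systemFlags", 0), SYSTEM_FLAGS),
    }


def lint(entry):
    """Return the problems to fix before importing the definition into the schema."""
    problems = [f"missing mandatory attribute {n}" for n in MANDATORY if n not in entry]
    syn, om = entry.get("attributeSyntax"), entry.get("oMSyntax")
    if syn is not None and om is not None and (syn, om) not in SYNTAX_PAIRS:
        problems.append(f"attributeSyntax {syn} / oMSyntax {om} is not a valid pair")
    if syn in NEEDS_OM_OBJECT_CLASS and "oMObjectClass" not in entry:
        problems.append(f"attributeSyntax {syn} requires oMObjectClass")
    lo, hi = entry.get("rangeLower"), entry.get("rangeUpper")
    if lo is not None and hi is not None and lo > hi:
        problems.append(f"rangeLower {lo} exceeds rangeUpper {hi}")
    flags = entry.get("systemFlags", 0)
    if flags & 0x02 and not entry.get("isMemberOfPartialAttributeSet"):
        problems.append("FLAG_ATTR_REQ_PARTIAL_SET is set but isMemberOfPartialAttributeSet is False")
    oid = entry.get("attributeID", "")
    if oid.startswith(MICROSOFT_ARC) and not flags & 0x10:
        problems.append(f"attributeID {oid} is in Microsoft's OID arc but this is not a base-schema object")
    return problems


# Constructed from Table 4-2; the page does not reproduce the real schemaIDGUID,
# so a placeholder stands in for it (the linter only checks presence).
UPN_SCHEMA = {
    "cn": "User-Principal-Name", "lDAPDisplayName": "userPrincipalName",
    "attributeID": "1.2.840.113556.1.4.656", "attributeSyntax": "2.5.5.12",
    "oMSyntax": 64, "isSingleValued": True, "isMemberOfPartialAttributeSet": True,
    "searchFlags": 1, "systemFlags": 18, "systemOnly": False,
    "schemaIDGUID": "<placeholder>", "objectClass": ["top", "attributeSchema"],
}
# Hypothetical custom attribute with several mistakes a linter should catch.
BAD_CUSTOM = {
    "cn": "Corp-Badge-Number", "lDAPDisplayName": "corpBadgeNumber",
    "attributeID": "1.2.840.113556.1.4.9999",       # hypothetical; squats on Microsoft's arc
    "attributeSyntax": "2.5.5.12", "oMSyntax": 2,    # 2.5.5.12 pairs with 64, not 2
    "isSingleValued": True, "rangeLower": 12, "rangeUpper": 6,
    "systemFlags": 2, "isMemberOfPartialAttributeSet": False,
    "objectClass": ["top", "attributeSchema"],       # schemaIDGUID omitted
}

if __name__ == "__main__":
    print(describe(UPN_SCHEMA))
    for problem in lint(BAD_CUSTOM):
        print("BAD_CUSTOM:", problem)
```

Feeding the UPN entry to describe() reproduces the bulleted conclusions above (Unicode string, single-valued, indexed, in the GC, not systemOnly); running lint() over a definition you are about to import catches the mismatched syntax pair and the borrowed OID arc before the DC rejects the import or, worse, accepts an attribute that nobody else will interpret the same way.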
