Just as class information is stored in Active Directory as instances of the class called classSchema, attributes are represented by instances of the class called attributeSchema. As with all objects, the attributeSchema class has a number of attributes that can be set when specifying a new instance. The attributeSchema class inherits attributes from the class called Top. However, most of the Top attributes are not really relevant here. Table 4-1 shows the defining attributes of an instance of the attributeSchema class (i.e., an attribute) that can be set.
Table 4-1. The defining attributes of an attributeSchema object instance

| Attribute | Syntax | Mandatory | Multivalued | Description |
|---|---|---|---|---|
| attributeID | OID | Yes | No | The OID that uniquely identifies this attribute. |
| cn | Unicode string | Yes | No | The Relative Distinguished Name (RDN). |
| isSingleValued | Boolean | Yes | No | Whether this attribute is single-valued (TRUE) or multivalued (FALSE). |
| lDAPDisplayName | Unicode string | Yes | No | The name by which LDAP clients identify this attribute. |
| attributeSyntax | OID | Yes | No | Half of a pair of properties that define the syntax of an attribute. This one is an OID. |
| oMSyntax | Integer | Yes | No | Half of a pair of properties that define the syntax of an attribute. This one is an integer. |
| schemaIDGUID | Octet string | Yes | No | Globally Unique Identifier (GUID) to uniquely identify this attribute. |
| objectClass | OID | Yes | Yes | This will hold the values “attributeSchema” and “Top” to indicate that the object is an instance of those classes. |
| accessCategory | Integer | No | No | Used by the system. |
| attributeSecurityGUID | GUID | No | No | GUID used by Active Directory to identify the security of this attribute. |
| classDisplayName | Unicode string | No | No | The name displayed when viewing instances of the attribute. |
| defaultHidingValue | Boolean | No | No | Whether the object is to be hidden or displayed within tools by default. |
| description | Unicode string | No | No | A description of the attribute. |
| extendedCharsAllowed | Boolean | No | No | Whether extended characters are allowed in the value of this attribute. |
| isDefunct | Boolean | No | No | Whether the attribute is marked as disabled (i.e., unusable) in Active Directory. |
| isEphemeral | Boolean | No | No | Used by the system. |
| isMemberOfPartialAttributeSet | Boolean | No | No | Whether the attribute is held in the GC. |
| linkID | Integer | No | No | Whether the attribute is linked with another attribute (e.g., member and memberOf). |
| mAPIDisplayType | Integer | No | No | The integer by which MAPI clients identify this attribute. |
| oIDType | Integer | No | No | Used by the system. |
| oMObjectClass | Octet string | No | No | Used by the system. |
| rangeLower | Integer | No | No | For strings, this is the minimum character length; for integers, it is the minimum value; otherwise, it is unused. It must be less than rangeUpper. |
| rangeUpper | Integer | No | No | For strings, this is the maximum character length; for integers, it is the maximum value; otherwise, it is unused. |
| schemaFlags | Integer | No | No | Used by the system. |
| schemaFlagsEx | Integer | No | No | Used by the system. |
| searchFlags | Integer | No | No | Whether this attribute is indexed: 0=Not Indexed, 1=Indexed.[a] |
| systemOnly | Boolean | No | No | If true, once the initial value has been set, only the system can create instances of this attribute. Administrators cannot create instances of the attribute if this is set, but they can add this attribute to new or existing classes as required. The default is false. |

[a] Indexing an attribute allows you to locate objects containing a particular value of that attribute by consulting the index rather than examining each object. As with databases, index-aided searches run much faster than other searches.
The syntax of an attribute indicates the type of data that it holds, which we’ll cover in a moment. The “Mandatory” column indicates whether the attribute must be set when initially creating an attributeSchema object. Attributes that are not mandatory do not have to be set when creating the object and can be defined later, if they are needed at all. The “Multivalued” column indicates whether the particular attribute can accept an array of values or only a single value; the only multivalued attribute here is objectClass.
The userPrincipalName (UPN) attribute is used on user objects to provide a unique method of identifying each user across a forest. Users can log on to a workstation in any domain in the forest using the UPN if they so desire. The UPN attribute, in fact, accepts valid RFC 822 (email) addresses, so the UPN for user tpood in the emea.mycorp.com domain could be either tpood@mycorp.com or tpood@emea.mycorp.com. In fact, any UPN suffix, such as @mycorp.com, can be used in a forest. The only requirement is that the UPN value for a user is unique across all users in a forest.
Tip
Active Directory does not enforce uniqueness of a UPN when it is set. If two different users in the same forest are assigned the same UPN, neither will be able to log on.
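Because the directory will not reject a duplicate UPN for you, the check has to be done by audit. The following script is an added example (not from the book): it queries one Global Catalog, which is sufficient because userPrincipalName is in the partial attribute set, groups users by normalised UPN, and lists any value held by more than one account. It assumes it runs as a domain user on a domain-joined Windows host.

```powershell
# Added example: audit a forest for duplicate userPrincipalName values.
# One GC query covers every domain in the forest, since UPN is replicated to the GC.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gcRoot = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
                     -ArgumentList ("GC://" + $forest.Name)
$search = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
                     -ArgumentList $gcRoot
# Only user objects that actually carry a UPN are interesting here
$search.Filter   = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=*))"
$search.PageSize = 1000   # paged results: without this a large forest silently truncates at 1000
[void]$search.PropertiesToLoad.AddRange([string[]]@("userPrincipalName", "distinguishedName"))

$byUpn = @{}              # normalised UPN -> list of distinguished names
foreach ($r in $search.FindAll()) {
    # UPN comparison is case-insensitive, so normalise before grouping
    $upn = ([string]$r.Properties["userprincipalname"][0]).ToLowerInvariant()
    if (-not $byUpn.ContainsKey($upn)) {
        $byUpn[$upn] = New-Object System.Collections.Generic.List[string]
    }
    $byUpn[$upn].Add([string]$r.Properties["distinguishedname"][0])
}

$dupes = $byUpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $dupes) {
    "No duplicate UPNs found in forest $($forest.Name)"
    return
}
foreach ($d in $dupes) {
    # Every account listed under one UPN is affected: none of them can log on with it
    "DUPLICATE UPN: $($d.Key)"
    $d.Value | ForEach-Object { "    $_" }
}
```

Run it from a scheduled task and alert on any non-empty output; a duplicate is usually a provisioning error, but it also produces logon failures that can otherwise be mistaken for an account problem.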
To dissect the attribute, we need to find out what values have been set for it. Perhaps the easiest way to do this is to use ADSI Edit from the Windows Support Tools, which can be installed from a Windows Server CD by running \Support\Tools\setup.exe. Table 4-2 shows the values of attributes that have been set for the userPrincipalName attribute.
Table 4-2. userPrincipalName’s attributes

| Attribute lDAPDisplayName | Attribute syntax | Attribute value |
|---|---|---|
| adminDescription | CASE_IGNORE_STRING | User-Principal-Name |
| adminDisplayName | CASE_IGNORE_STRING | User-Principal-Name |
| cn | CASE_IGNORE_STRING | User-Principal-Name |
| distinguishedName | DN_STRING | |
| instanceType | INTEGER | 4 |
| name | CASE_IGNORE_STRING | User-Principal-Name |
| nTSecurityDescriptor | SECURITY_DESCRIPTOR | <SID> |
| objectCategory | DN_STRING | |
| objectClass | CASE_IGNORE_STRING | top; attributeSchema (two values of a multivalued attribute) |
| objectGUID | OCTET_STRING | <GUID> |
| showInAdvancedViewOnly | BOOLEAN | True |
| systemFlags | INTEGER | 18 |
| uSNChanged | LARGE_INTEGER | USN when last changed |
| uSNCreated | LARGE_INTEGER | USN when created |
| whenChanged | UTC_TIME | Time when last changed |
| whenCreated | UTC_TIME | Time when created |
| attributeID | CASE_IGNORE_STRING | 1.2.840.113556.1.4.656 |
| attributeSecurityGUID | OCTET_STRING | <GUID> |
| attributeSyntax | CASE_IGNORE_STRING | 2.5.5.12 |
| isMemberOfPartialAttributeSet | BOOLEAN | True |
| isSingleValued | BOOLEAN | True |
| lDAPDisplayName | CASE_IGNORE_STRING | userPrincipalName |
| oMSyntax | INTEGER | 64 |
| schemaIDGUID | OCTET_STRING | <GUID> |
| searchFlags | INTEGER | 1 |
| systemOnly | BOOLEAN | False |
We can see that the name of the attribute is User-Principal-Name (adminDescription, adminDisplayName, cn, name), that it is an instance of the attributeSchema class (objectCategory and objectClass), that it inherits attributes from both top and attributeSchema (objectClass), and that the UPN attribute is not visible to casual browsing (showInAdvancedViewOnly).
The userPrincipalName attributes show the following:

- It is to be stored in the GC (isMemberOfPartialAttributeSet).
- It is to be indexed (searchFlags).
- It has an OID of 1.2.840.113556.1.4.656 (attributeID).
- When binding to it with ADSI, we should use userPrincipalName (lDAPDisplayName).
- Instances can be created by anyone (systemOnly).
- It stores single (isSingleValued) Unicode strings (attributeSyntax and oMSyntax).
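The same dissection can be scripted rather than read off ADSI Edit by hand. The script below is an added example (not from the book): it locates the attributeSchema object for userPrincipalName under the schema naming context and decodes the fields interpreted above, using the attributeSyntax/oMSyntax pair to name the syntax. It assumes a domain-joined Windows host and the current user's credentials; the syntax map is a small subset of the pairs Active Directory defines.

```powershell
# Added example: read an attributeSchema object and decode the fields discussed above.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.Properties["schemaNamingContext"][0]   # CN=Schema,CN=Configuration,...
$search   = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
                       -ArgumentList ([ADSI]"LDAP://$schemaNc")
$search.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=userPrincipalName))"
$obj = $search.FindOne()
if (-not $obj) { throw "attributeSchema object for userPrincipalName not found" }
$p = $obj.Properties        # DirectorySearcher returns property names lower-cased

# attributeSyntax/oMSyntax pairs -> readable syntax name (subset of the full AD table)
$syntaxMap = @{
    "2.5.5.12/64" = "Unicode string"
    "2.5.5.1/127" = "Distinguished name"
    "2.5.5.8/1"   = "Boolean"
    "2.5.5.9/2"   = "Integer"
    "2.5.5.10/4"  = "Octet string"
    "2.5.5.16/65" = "Large integer"
}
$pair = "{0}/{1}" -f $p["attributesyntax"][0], $p["omsyntax"][0]
$syntaxName = if ($syntaxMap.ContainsKey($pair)) { $syntaxMap[$pair] } else { "unknown ($pair)" }
$flags = [int]$p["searchflags"][0]

[pscustomobject]@{
    lDAPDisplayName = [string]$p["ldapdisplayname"][0]      # expected: userPrincipalName
    attributeID     = [string]$p["attributeid"][0]          # expected: 1.2.840.113556.1.4.656
    Syntax          = $syntaxName                           # expected: Unicode string (2.5.5.12/64)
    SingleValued    = [bool]$p["issinglevalued"][0]
    InGlobalCatalog = [bool]$p["ismemberofpartialattributeset"][0]
    Indexed         = ($flags -band 1) -ne 0                # bit 0 of searchFlags, as in Table 4-1
    # Bit 0x80 (confidential) is not in Table 4-1; it restricts reads of the attribute's
    # values to holders of a control access right and is worth checking on sensitive attributes.
    Confidential    = ($flags -band 0x80) -ne 0
    SystemOnly      = [bool]$p["systemonly"][0]
}
```

Change the lDAPDisplayName in the filter to dissect any other attribute the same way.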
In Figure 4-3, you can see many of the values for the UPN attribute. We have indicated which attributes are changed by checking or unchecking each checkbox.