Attributes (attributeSchema Objects)

Just as class information is stored in Active Directory as instances of the class called classSchema, attributes are represented by instances of the class called attributeSchema. As with all objects, the attributeSchema class has a number of attributes that can be set when specifying a new instance. The attributeSchema class inherits attributes from the class called Top. However, most of the Top attributes are not really relevant here. Table 4-1 shows the defining attributes of an instance of the attributeSchema class (i.e., an attribute) that can be set.

Table 4-1. The defining attributes of an attributeSchema object instance

Attribute

Syntax

Mandatory

Multivalued

Description

attributeId

OID

Yes

No

The OID that uniquely identifies this attribute.

cn

Unicode string

Yes

No

The Relative Distinguished Name (RDN).

isSingleValued

Boolean

Yes

No

Whether this attribute is multivalued.

lDAPDisplayName

Unicode string

Yes

No

The name by which LDAP clients identify this attribute.

attributeSyntax

OID

Yes

No

Half of a pair of properties that define the syntax of an attribute. This one is an OID.

oMSyntax

Integer

Yes

No

Half of a pair of properties that define the syntax of an attribute. This one is an integer.

schemaIDGUID

Octet string

Yes

No

Globally Unique Identifier (GUID) to uniquely identify this attribute.

objectClass

OID

Yes

Yes

This will hold the values “attributeSchema” and “Top” to indicate that the value is an instance of those classes.

accessCategory

Integer

No

No

Used by the system.

attributeSecurityGUID

GUID

No

No

GUID used by Active Directory to identify the security of this attribute.

classDisplayName

Unicode string

No

No

The name displayed when viewing instances of the attribute.

defaultHidingValue

Boolean

No

No

Whether the object is to be hidden or displayed within tools by default.

description

Unicode string

No

No

A description of the attribute.

extendedCharsAllowed

Boolean

No

No

Whether extended characters are allowed in the value of this attribute.

isDefunct

Boolean

No

No

Whether the attribute is marked as disabled (i.e., unusable) in Active Directory.

isEphemeral

Boolean

No

No

Used by the system.

isMemberOfPartialAttributeSet

Boolean

No

No

Whether the attribute is held in the GC.

linkID

Integer

No

No

Whether the attribute is linked with another attribute (e.g., memberOf and members).

mAPIDisplayType

Integer

No

No

The integer by which MAPI clients identify this attribute.

oIDType

Integer

No

No

Used by the system.

oMObjectClass

Octet string

No

No

Used by the system.

rangeLower

Integer

No

No

For strings, this is the minimum character length; for integers, it is the minimum value; otherwise, it is unused. It must be less than range- Upper.

rangeUpper

Integer

No

No

For strings, this is the maximum character length; for integers, it is the maximum value; otherwise, it is unused.

schemaFlags

Integer

No

No

Used by the system.

schemaFlagsEx

Integer

No

No

Used by the system.

searchFlags

Integer

No

No

Whether this attribute is indexed: 0=Not Indexed, 1=Indexed.[a]

systemOnly

Boolean

No

No

If true, once the initial value has been set, only the system can create instances of this attribute. Administrators cannot create instances of the attribute if this is set, but they can add this attribute to new or existing classes as required. The default is false.

[a] Indexing an object allows you to locate instances of the object or objects containing a particular value of an attribute by consulting the index rather than looking at each object. As with databases, index-aided searches run much faster than other searches.

The syntax of an attribute indicates the type of data that it holds, which we’ll cover in a moment. The “Mandatory” column indicates whether the attribute must be set when initially creating an attributeSchema object. Attributes that are not mandatory do not have to be set when creating the object and can be defined later, if they are needed at all. The “Multi-valued” column indicates whether the particular attribute can accept an array of values or whether it accepts only a single value; there are no multivalued attributes here other than objectClass.

Dissecting an Example Attribute

The userPrincipalName (UPN) attribute is used on user objects to provide a unique method of identifying each user across a forest. Users can log on to a workstation in any domain in the forest using the UPN if they so desire. The UPN attribute, in fact, accepts valid RFC 822 (email) addresses, so the UPN for user tpood in the emea.mycorp.com domain could be either tpood@mycorp.com or tpood@emea.mycorp.com. In fact, any UPN suffix, such as @mycorp.com, can be used in a forest. The only requirement is that the UPN value for a user is unique across all users in a forest.

Tip

Active Directory does not enforce uniqueness of a UPN when it is set. If two different users in the same forest are assigned the same UPN, neither will be able to log on.

To dissect the attribute, we need to find out what values had been set for it. Perhaps the easiest way to do this is to use ADSI Edit from the Windows Support Tools, which can be installed from a Windows Server CD by running \Support\Tools\setup.exe. Table 4-2 shows the values of attributes that have been set for the userPrincipalName attribute.

Table 4-2. userPrincipalName’s attributes

Attribute lDAPDisplayName

Attribute syntax

Attribute value

adminDescription

CASE_IGNORE_ STRING

User-Principal-Name

adminDisplayName

CASE_IGNORE_ STRING

User-Principal-Name

cn

CASE_IGNORE_ STRING

User-Principal-Name

distinguishedName

DN_STRING

cn=User-Principal-Name, cn=Schema, cn=Configuration,dc=mycorp,dc=com

instanceType

INTEGER

4

name

CASE_IGNORE_ STRING

User-Principal-Name

nTSecurityDescriptor

SECURITY_ DESCRIPTOR

<SID>

objectCategory

DN_STRING

cn=Attribute-Schema, cn=Schema, cn=Configuration, dc=mycorp,dc=com

objectClass

CASE_IGNORE_ STRING

top; attributeSchema (two values of a multi-valued attribute)

objectGUID

OCTET_STRING

<GUID>

showInAdvancedViewOnly

BOOLEAN

True

systemFlags

INTEGER

18

uSNChanged

LARGE_INTEGER

USN when last changed

uSNCreated

LARGE_INTEGER

USN when created

whenChanged

UTC_TIME

Time when last changed

whenCreated

UTC_TIME

Time when created

attributeID

CASE_IGNORE_ STRING

1.2.840.113556.1.4.656

attributeSecurityGUID

OCTET_STRING

<GUID>

attributeSyntax

CASE_IGNORE_ STRING

2.5.5.12

isMemberOfPartialAttributeSet

BOOLEAN

True

isSingleValued

BOOLEAN

True

lDAPDisplayName

CASE_IGNORE_ STRING

userPrincipalName

oMSyntax

INTEGER

64

schemaIDGUID

OCTET_STRING

<GUID>

searchFlags

INTEGER

1

systemOnly

BOOLEAN

False

We can see that the name of the attribute is User-Principal-Name (adminDescription, adminDisplayName, cn, name), that it is an instance of the attributeSchema class (objectCategory and objectClass), that it inherits attributes from both top and attributeSchema (objectClass), and that the UPN attribute is not visible to casual browsing (showInAdvancedViewOnly).

The userPrincipalName attributes show the following:

  • It is to be stored in the GC (isMemberOfPartialAttributeSet).

  • It is to be indexed (searchFlags).

  • It has an OID of 1.2.840.113556.1.4.656 (attributeID).

  • When binding to it with ADSI, we should use userPrincipalName (lDAPDisplayName).

  • Instances can be created by anyone (systemOnly).

  • It stores single (isSingleValued) Unicode strings (attributeSyntax and oMSyntax).

In Figure 4-3, you can see many of the values for the UPN attribute. We have indicated which attributes are changed by checking or unchecking each checkbox.

The UPN attribute as viewed by the Active Directory Schema snap-in

Figure 4-3. The UPN attribute as viewed by the Active Directory Schema snap-in

Get Active Directory, Second Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.