The syntax of an attribute represents the kind of data it can hold; people with a programming background are probably more familiar with the term “data type.” Unlike attributes and classes, the supported syntaxes are not represented as objects in Active Directory. Instead, Microsoft has coded these syntaxes internally into Active Directory itself. Consequently, any new attributes you create in the schema must use one of the predefined syntaxes.
Whenever you create a new attribute, you must specify its syntax. To identify a syntax uniquely among the 22 listed in Table 4-3, you must supply two pieces of information: the OID of the syntax (stored in the attributeSyntax attribute) and a so-called OM syntax (stored in oMSyntax). The two values must be set together and must correlate exactly with Table 4-3. It may seem strange that more than one syntax shares the same OID; this is because Microsoft needed syntaxes that X.500 did not provide and reused existing OIDs for them, so the second identifier is what tells them apart. Table 4-3 lists the syntaxes, with alternate names in parentheses.

Table 4-3. Syntax definitions

| Syntax | OID | OM syntax | Description |
|---|---|---|---|
| Undefined | 2.5.5.0 | N/A | Not a valid syntax |
| Distinguished Name | 2.5.5.1 | 127 | The distinguished name (DN) of another object in Active Directory |
| Object ID | 2.5.5.2 | 6 | An OID |
| Case-sensitive string | 2.5.5.3 | 20 | A string that differentiates between uppercase and lowercase |
| Case-insensitive string | 2.5.5.4 | 20 | A string that does not differentiate between uppercase and lowercase |
| Print case string (Printable-String) | 2.5.5.5 | 19 | A string restricted to the ASN.1 PrintableString character set |
| Print case string (IA5-String) | 2.5.5.5 | 22 | A string restricted to the IA5 (7-bit ASCII) character set |
| Numeric string | 2.5.5.6 | 18 | A string of digits |
| OR name | 2.5.5.7 | 127 | An X.400 originator/recipient (O/R) address |
| Boolean | 2.5.5.8 | 1 | TRUE or FALSE |
| Integer (integer) | 2.5.5.9 | 2 | A 32-bit number |
| Integer (enumeration) | 2.5.5.9 | 10 | A 32-bit number used for enumerated values |
| Octet string (Octet-String) | 2.5.5.10 | 4 | A byte string |
| Octet string (object) | 2.5.5.10 | 127 | A byte string; this form is used for replica links |
| Time (UTC-Time) | 2.5.5.11 | 23 | A time in ASN.1 UTC Time string form (YYMMDDHHMMSSZ, two-digit year) |
| Time (Generalized-Time) | 2.5.5.11 | 24 | A time in ASN.1 Generalized Time string form (YYYYMMDDHHMMSS.0Z); used by whenCreated and whenChanged |
| Unicode | 2.5.5.12 | 64 | A wide (UTF-16) string |
| Address | 2.5.5.13 | 127 | Used internally by the system |
| Distname-Address | 2.5.5.14 | 127 | Used internally by the system |
| NT Security Descriptor | 2.5.5.15 | 66 | A security descriptor (SD) |
| Large integer | 2.5.5.16 | 65 | A 64-bit number; also used for timestamps stored as 100-nanosecond intervals since 1 January 1601 (FILETIME), such as lastLogon and pwdLastSet |
| SID | 2.5.5.17 | 4 | A security identifier (SID) |
Most of these are standard programming types. If you are not sure which syntax to use, look at a preexisting attribute that holds similar data and copy its pair of values. For example, the userPrincipalName attribute has an attributeSyntax of 2.5.5.12 and an oMSyntax of 64, so it holds Unicode strings. A domain controller checks the pair when the attributeSchema object is created, so a combination that does not appear in Table 4-3 is rejected rather than stored; it is worth validating the pair before submitting a schema change, because schema additions cannot be undone (only deactivated).
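As an added example (not code from the book), the script below encodes the attributeSyntax/oMSyntax pairs of Table 4-3 as a lookup table, audits an LDIF schema export (the kind of file ldifde produces) for attributes whose two values do not correlate, and emits a validated LDIF add record for a new attribute. The LDIF records are constructed for the demonstration rather than exported from a real forest, the schema container DN uses a placeholder domain, and the attribute name exampleNote and its OID 1.3.6.1.4.1.99999.1.1 are hypothetical.

```python
"""Check attributeSyntax/oMSyntax pairs for Active Directory schema attributes.
Added example, not code from the book. SYNTAXES is transcribed from Table 4-3 and
includes the Generalized-Time pair (2.5.5.11 / 24) used by whenCreated. SAMPLE_LDIF
is constructed for the demo; the attribute OID 1.3.6.1.4.1.99999.1.1 is hypothetical."""

# (attributeSyntax OID, oMSyntax) -> syntax name. Several OIDs are shared, so the pair is the key.
SYNTAXES: dict[tuple[str, int], str] = {
    ("2.5.5.1", 127): "Distinguished Name",
    ("2.5.5.2", 6): "Object ID",
    ("2.5.5.3", 20): "Case-sensitive string",
    ("2.5.5.4", 20): "Case-insensitive string",
    ("2.5.5.5", 19): "Printable string",
    ("2.5.5.5", 22): "IA5 string",
    ("2.5.5.6", 18): "Numeric string",
    ("2.5.5.7", 127): "OR name",
    ("2.5.5.8", 1): "Boolean",
    ("2.5.5.9", 2): "Integer",
    ("2.5.5.9", 10): "Enumeration",
    ("2.5.5.10", 4): "Octet string",
    ("2.5.5.10", 127): "Octet string (object)",
    ("2.5.5.11", 23): "UTC Time",
    ("2.5.5.11", 24): "Generalized Time",
    ("2.5.5.12", 64): "Unicode string",
    ("2.5.5.13", 127): "Address",
    ("2.5.5.14", 127): "Distname-Address",
    ("2.5.5.15", 66): "NT Security Descriptor",
    ("2.5.5.16", 65): "Large integer",
    ("2.5.5.17", 4): "SID",
}

SAMPLE_LDIF = """\
dn: CN=User-Principal-Name,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: userPrincipalName
attributeSyntax: 2.5.5.12
oMSyntax: 64

dn: CN=When-Created,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: whenCreated
attributeSyntax: 2.5.5.11
oMSyntax: 24

dn: CN=Example-Bad-Attr,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: exampleBadAttr
attributeSyntax: 2.5.5.12
oMSyntax: 2
"""

def is_valid_pair(attribute_syntax: str, om_syntax: int) -> bool:
    return (attribute_syntax, om_syntax) in SYNTAXES

def syntax_name(attribute_syntax: str, om_syntax: int) -> str:
    """Syntax name for a pair; the ValueError lists the OM syntaxes valid for that OID."""
    name = SYNTAXES.get((attribute_syntax, om_syntax))
    if name is not None:
        return name
    valid = sorted(om for oid, om in SYNTAXES if oid == attribute_syntax)
    if not valid:
        raise ValueError(f"{attribute_syntax} is not an Active Directory syntax OID")
    raise ValueError(f"oMSyntax {om_syntax} is not valid for {attribute_syntax}; expected one of {valid}")

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line-separated records of 'attr: value' lines. Repeated
    attributes become lists; continuation lines and base64 ('::') values are not handled."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return records + [current] if current else records

def audit_schema(ldif_text: str) -> dict[str, str]:
    """lDAPDisplayName -> syntax name, or 'INVALID: ...' when the two values do not correlate."""
    report = {}
    for rec in parse_ldif(ldif_text):
        if "attributeSchema" not in rec.get("objectClass", []):
            continue
        name = rec.get("lDAPDisplayName", rec.get("dn", ["?"]))[0]
        try:
            report[name] = syntax_name(rec["attributeSyntax"][0], int(rec["oMSyntax"][0]))
        except (KeyError, ValueError) as exc:
            report[name] = f"INVALID: {exc}"
    return report

def new_attribute_ldif(cn: str, ldap_display_name: str, attribute_id: str, attribute_syntax: str,
                       om_syntax: int, schema_nc: str, single_valued: bool = True) -> str:
    """LDIF add record for a new attribute; the pair is validated before anything is emitted."""
    syntax_name(attribute_syntax, om_syntax)  # raises on a mismatch
    return "\n".join([f"dn: CN={cn},{schema_nc}", "changetype: add", "objectClass: attributeSchema",
                      f"lDAPDisplayName: {ldap_display_name}", f"attributeID: {attribute_id}",
                      f"attributeSyntax: {attribute_syntax}", f"oMSyntax: {om_syntax}",
                      f"isSingleValued: {'TRUE' if single_valued else 'FALSE'}", ""])

if __name__ == "__main__":
    for attr, verdict in audit_schema(SAMPLE_LDIF).items():
        print(f"{attr:20} {verdict}")
    print(new_attribute_ldif("Example-Note", "exampleNote", "1.3.6.1.4.1.99999.1.1", "2.5.5.12", 64,
                             "CN=Schema,CN=Configuration,DC=example,DC=com"))
```

Running the script flags exampleBadAttr (Unicode OID 2.5.5.12 paired with the Integer OM syntax 2) while accepting userPrincipalName and whenCreated, and prints an LDIF record that could be fed to ldifde -i against the schema naming context once the placeholder DN and OID are replaced with real ones.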