Attribute Syntax

The syntax of an attribute represents the kind of data it can hold; people with a programming background are probably more familiar with the term “data type.” Unlike attributes and classes, the supported syntaxes are not represented as objects in Active Directory. Instead, Microsoft has coded these syntaxes internally into Active Directory itself. Consequently, any new attributes you create in the schema must use one of the predefined syntaxes.

Whenever you create a new attribute, you must specify its syntax. To identify the syntax uniquely among the 21 supported syntaxes, you must supply two pieces of information: the OID of the syntax and a so-called OM syntax. These two values must be set together and must correlate correctly with Table 4-3. It may seem strange that more than one syntax shares the same OID; that is why a second identifier is needed to tell them apart. The duplication is the result of Microsoft requiring some syntaxes that X.500 did not provide. Table 4-3 lists the 21 expanded syntaxes, giving the name of each syntax with any alternate names in parentheses.

Table 4-3. Syntax definitions

Syntax                                 OID        OM syntax   Description
-------------------------------------  ---------  ----------  -----------------------------------------------------------------
Undefined                              2.5.5.0    N/A         Not a valid syntax
Distinguished Name                     2.5.5.1    127         The Fully Qualified Domain Name (FQDN) of an object in Active Directory
Object ID                              2.5.5.2    6           OID
Case-sensitive string                  2.5.5.3    20          A string that differentiates between uppercase and lowercase
Case-insensitive string                2.5.5.4    20          A string that does not differentiate between uppercase and lowercase
Print case string (Printable-String)   2.5.5.5    19          A normal printable string
Print case string (IA5-String)         2.5.5.5    22          A normal printable string
Numeric string                         2.5.5.6    18          A string of digits
OR name                                2.5.5.7    127         An X.400 email address
Boolean                                2.5.5.8    1           True or false
Integer (integer)                      2.5.5.9    2           A 32-bit number
Integer (enumeration)                  2.5.5.9    10          A 32-bit number
Octet string (Octet-String)            2.5.5.10   4           A byte string
Octet string (object)                  2.5.5.10   127         A byte string
Time                                   2.5.5.11   23          The number of seconds elapsed since 1 January 1970
Unicode                                2.5.5.12   64          A wide string
Address                                2.5.5.13   127         Used internally by the system
Distname-Address                       2.5.5.14   127         Used internally by the system
NT Security Descriptor                 2.5.5.15   66          A Security Descriptor (SD)
Large integer                          2.5.5.16   65          A 64-bit number
SID                                    2.5.5.17   4           A Security Identifier (SID)

Most of these are standard programming types. If you’re not sure which syntax to use, take a look at a preexisting attribute and see if you can find an appropriate syntax for the attribute you wish to create. For example, the userPrincipalName attribute has an attributeSyntax of 2.5.5.12 and an oMSyntax of 64, so it must contain Unicode strings.
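Because a schema extension is effectively permanent once imported, it is worth checking that every new attribute's attributeSyntax and oMSyntax pair really is one of the combinations in Table 4-3 before the LDIF file reaches the schema master. The script below is an added example, not code from the book or from Microsoft: it transcribes Table 4-3 into a lookup, reads a small LDIF fragment with a deliberately minimal parser (no base64 values), and reports every attributeSchema entry whose pair is missing or does not correlate. The LDIF text, the attribute names and the attributeID OIDs in it are constructed placeholders.

```python
"""Check attributeSyntax / oMSyntax pairs in an LDIF schema extension
against the 21 syntaxes of Table 4-3 before importing it.
Added example; not from the book or from Microsoft."""

# (attributeSyntax OID, oMSyntax) -> syntax name, transcribed from Table 4-3.
# 2.5.5.0 has no OM syntax (N/A) and is not a valid choice for a new attribute.
SYNTAXES = {
    ("2.5.5.0", None): "Undefined",
    ("2.5.5.1", 127): "Distinguished Name",
    ("2.5.5.2", 6): "Object ID",
    ("2.5.5.3", 20): "Case-sensitive string",
    ("2.5.5.4", 20): "Case-insensitive string",
    ("2.5.5.5", 19): "Print case string (Printable-String)",
    ("2.5.5.5", 22): "Print case string (IA5-String)",
    ("2.5.5.6", 18): "Numeric string",
    ("2.5.5.7", 127): "OR name",
    ("2.5.5.8", 1): "Boolean",
    ("2.5.5.9", 2): "Integer (integer)",
    ("2.5.5.9", 10): "Integer (enumeration)",
    ("2.5.5.10", 4): "Octet string (Octet-String)",
    ("2.5.5.10", 127): "Octet string (object)",
    ("2.5.5.11", 23): "Time",
    ("2.5.5.12", 64): "Unicode",
    ("2.5.5.13", 127): "Address",
    ("2.5.5.14", 127): "Distname-Address",
    ("2.5.5.15", 66): "NT Security Descriptor",
    ("2.5.5.16", 65): "Large integer",
    ("2.5.5.17", 4): "SID",
}


def syntax_name(attribute_syntax, om_syntax):
    """Return the Table 4-3 name for a valid (OID, OM syntax) pair, else None."""
    return SYNTAXES.get((attribute_syntax, om_syntax))


def valid_om_for(attribute_syntax):
    """All OM syntax values Table 4-3 pairs with this OID (empty for 2.5.5.0)."""
    return sorted(om for (oid, om) in SYNTAXES
                  if oid == attribute_syntax and om is not None)


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased,
    every attribute kept as a list of values. Folded lines (leading space)
    are joined; comments and '-' separators are skipped; base64 ('::') is not handled."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "-":
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_schema(text):
    """Return one problem string per attributeSchema entry whose pair is wrong."""
    problems = []
    for entry in parse_ldif(text):
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "attributeschema" not in classes:
            continue
        label = entry.get("ldapdisplayname", entry.get("dn", ["<no dn>"]))[0]
        oid = entry.get("attributesyntax", [None])[0]
        om_raw = entry.get("omsyntax", [None])[0]
        if oid is None or om_raw is None:
            problems.append(f"{label}: attributeSyntax and oMSyntax must both be set")
            continue
        try:
            om = int(om_raw)
        except ValueError:
            problems.append(f"{label}: oMSyntax {om_raw!r} is not an integer")
            continue
        if oid == "2.5.5.0" or syntax_name(oid, om) is None:
            allowed = ", ".join(map(str, valid_om_for(oid))) or "none"
            problems.append(f"{label}: attributeSyntax {oid} does not pair with "
                            f"oMSyntax {om} (valid oMSyntax values for this OID: {allowed})")
    return problems


# Constructed sample: the first entry is correct (Unicode, like userPrincipalName),
# the second pairs the Integer OID with the Unicode OM syntax, the third omits oMSyntax.
# The attributeID OIDs and the DC=example,DC=com forest are placeholders.
SAMPLE_LDIF = """\
dn: CN=example-Badge-Number,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: exampleBadgeNumber
attributeID: 1.2.3.4.5.6.7.8.9.1
attributeSyntax: 2.5.5.12
oMSyntax: 64

dn: CN=example-Clearance-Level,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: exampleClearanceLevel
attributeID: 1.2.3.4.5.6.7.8.9.2
attributeSyntax: 2.5.5.9
oMSyntax: 64

dn: CN=example-Badge-Note,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: exampleBadgeNote
attributeID: 1.2.3.4.5.6.7.8.9.3
attributeSyntax: 2.5.5.12
"""

if __name__ == "__main__":
    for problem in check_schema(SAMPLE_LDIF):
        print(problem)
```

Run it against your own LDIF before ldifde imports it; an empty result means every new attribute names a pair that Table 4-3 recognises, which is the check the schema itself does not do for you until the import fails half-way through.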
