Platform SDK: Active Directory, ADSI, and Directory Services
Each attribute in the directory has an associated syntax, for example integer, string, or numeric. ADSI defines its own syntax types that map to the native directory syntax. This section describes the types of attribute syntaxes you will find in ADSI. In the next section, you will find a table that maps NDS and Active Directory syntax.
Syntax Type: ADSTYPE_DN_STRING
The distinguished name is very useful for linking two objects together. For example, it can create a link that makes the Alice object a manager of the Bob object. If the Alice object moves to a different place, the manager link between Alice and Bob is updated automatically.
The value must be the distinguished name of a valid object. If the distinguished name does not correspond to a valid existing object, most servers reject the request and give the user a constraint violation error.
Examples:
' Visual Basic: make Alice the manager of Bob.
Set x = GetObject("LDAP://CN=Bob, OU=Sales,DC=Microsoft, DC=com")
x.Put "manager", "CN=Alice, OU=Sales, DC=Microsoft, DC=COM"
x.SetInfo

// C++: print a distinguished-name value.
PADS_ATTR_INFO pInfo;
// .. IDirectoryObject::GetObjectAttributes
printf("%S\n", pInfo->pADsValues->DNString );

Syntax Types: ADSTYPE_CASE_IGNORE_STRING, ADSTYPE_CASE_EXACT_STRING
Case Exact String is a case-sensitive string while Case Ignore String is a case-insensitive string. A large percentage of attributes in the directory use this syntax.
Note: The directory may or may not store this as a Unicode string. However, ADSI accepts and returns wide strings.
Example:
Dim propList As IADsPropertyList
Set propList = GetObject("LDAP://DC=Microsoft,DC=com")
Set propVal = New PropertyValue
'--- Property Value-----
propVal.CaseIgnoreString = "Fabrikam, Inc - Seattle, WA"
propVal.ADsType = ADSTYPE_CASE_IGNORE_STRING
Syntax Type: ADSTYPE_PRINTABLE_STRING
This syntax is used for attributes with string values where upper and lower case are considered unequal for comparisons (for example, "DUNDEE" and "Dundee" do not match). ADSI will accept any contents for a Printable-String; it will not attempt to verify that they are indeed printable.
Syntax Type: ADSTYPE_NUMERIC_STRING
In this syntax, strings match as in Printable String, except that all space characters are ignored in comparisons. ADSI does not do value checking to ensure that only numerals and spaces appear in values of this syntax. Active Directory will accept any content for a numeric string; it will not attempt to verify that the characters are indeed numeric.
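Because neither Printable String nor Numeric String values are checked on write, a client that depends on their content has to validate it itself. The following is an added example, not code from the original page: the function names are hypothetical, the Printable String character set is assumed to be the ASN.1 PrintableString repertoire, and rejecting an empty numeric value is also an assumption.

```cpp
#include <cstdio>
#include <string>

// True when every character belongs to the ASN.1 PrintableString repertoire
// (ASSUMED to be what "printable" means here; the page does not list the set).
bool is_printable_string(const std::string& s) {
    static const std::string extra = " '()+,-./:=?";
    for (unsigned char c : s) {
        bool alnum = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                     (c >= '0' && c <= '9');
        if (!alnum && extra.find(static_cast<char>(c)) == std::string::npos)
            return false;
    }
    return true;
}

// Canonical form for Numeric String matching: the digits with all spaces removed.
// Returns false for anything other than digits and spaces (and, by assumption,
// for a value with no digits at all).
bool canonical_numeric(const std::string& s, std::string& out) {
    out.clear();
    for (char c : s) {
        if (c >= '0' && c <= '9') out += c;
        else if (c != ' ') return false;
    }
    return !out.empty();
}

// Compare two values the way the syntax describes: spaces are ignored.
// Malformed input never matches.
bool numeric_match(const std::string& a, const std::string& b) {
    std::string ca, cb;
    return canonical_numeric(a, ca) && canonical_numeric(b, cb) && ca == cb;
}

int main() {  // constructed sample values
    std::printf("%d %d\n", numeric_match("425 555 0100", "4255550100"),
                is_printable_string("user@example.com"));
}
```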
Syntax Type: ADSTYPE_UTC_TIME
This syntax stores the date and time in a single string. The string format consists of three concatenated parts: (1) YYMMDD; (2) hhmm or hhmmss (both are acceptable); and (3) "Z" to indicate that the time given is coordinated universal time, or "-HHMM" to indicate that the time given is local time which is HHMM behind Greenwich Mean Time (GMT), or "+HHMM" to indicate that the time given is local time which is HHMM ahead of GMT.
Note: The first two digits of the year are not stored in this string but can be easily deduced (at least until the year 2080 or so).
Some examples of legal values are "9101311455Z", "910131145503Z", "9101314455-0500", "910131145503+0130". This string is stored as single-byte ASCII characters, and no code page number is stored with it.
Although ordering is supported, it is done only as an ASCII case-insensitive string sort, not by properly interpreting the meaning of the strings.
Any valid string value is accepted. No attempt is made to ensure that the string contains a valid time string.
Example:
sTemp.Format("%02d/%02d/%04d %02d:%02d:%02d",
    pValues->UTCTime.wMonth, pValues->UTCTime.wDay, pValues->UTCTime.wYear,
    pValues->UTCTime.wHour, pValues->UTCTime.wMinute, pValues->UTCTime.wSecond );
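Since the server neither validates UTC time strings nor orders them by meaning, code that compares timestamps has to parse them first. The following is an added example, not code from the original page: a strict parser for the three-part format described above plus a chronological comparison. The function names are hypothetical, and the century pivot (YY of 80 or more means 19YY) is an assumption.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Days since 1970-01-01 for a Gregorian date (standard civil-date arithmetic).
static long long days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    int era = y / 400, yoe = y % 400;          // y > 0 for every year produced below
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097LL + doe - 719468;
}

// Strict parse of YYMMDD + hhmm[ss] + ("Z" | "+HHMM" | "-HHMM"); on success
// stores seconds since 1970-01-01T00:00:00Z in out.
bool parse_utc_time(const std::string& s, long long& out) {
    size_t n = 0;
    while (n < s.size() && std::isdigit((unsigned char)s[n])) ++n;
    if (n != 10 && n != 12) return false;
    auto two = [&s](size_t i) { return (s[i] - '0') * 10 + (s[i + 1] - '0'); };
    int yy = two(0), mo = two(2), dd = two(4), hh = two(6), mi = two(8);
    int ss = (n == 12) ? two(10) : 0;
    int year = yy >= 80 ? 1900 + yy : 2000 + yy;   // ASSUMED century pivot
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    bool leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
    if (mo < 1 || mo > 12 || hh > 23 || mi > 59 || ss > 59) return false;
    if (dd < 1 || dd > mdays[mo - 1] + (mo == 2 && leap)) return false;
    long long ahead = 0;                       // seconds local time is ahead of GMT
    if (s.substr(n) != "Z") {
        if (s.size() != n + 5 || (s[n] != '+' && s[n] != '-')) return false;
        for (size_t i = n + 1; i < n + 5; ++i)
            if (!std::isdigit((unsigned char)s[i])) return false;
        if (two(n + 1) > 23 || two(n + 3) > 59) return false;
        ahead = (two(n + 1) * 60 + two(n + 3)) * 60LL * (s[n] == '+' ? 1 : -1);
    }
    out = days_from_civil(year, mo, dd) * 86400 + hh * 3600 + mi * 60 + ss - ahead;
    return true;
}

// True when a is chronologically before b; false if either value is malformed.
bool earlier(const std::string& a, const std::string& b) {
    long long ta = 0, tb = 0;
    return parse_utc_time(a, ta) && parse_utc_time(b, tb) && ta < tb;
}

int main() {  // constructed values: ASCII order says a < b, the clock says otherwise
    std::string a = "9101311455-0500", b = "9101311500Z";
    std::printf("string a<b: %d  chronological a<b: %d\n", a < b, earlier(a, b));
}
```

The constructed pair in main sorts one way as ASCII text and the other way as time, because 14:55 at five hours behind GMT is 19:55 UTC.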
Syntax Type: ADSTYPE_BOOLEAN
Active Directory will only accept a signed 32-bit value for this syntax. It will treat zero as FALSE and all nonzero values as TRUE.
Syntax Type: ADSTYPE_INTEGER
A 32-bit signed numeric value.
Syntax Type: ADSTYPE_LARGE_INTEGER
A 64-bit signed numeric value. Large integers are actually implemented as COM objects on the IADsLargeInteger interface. The HighPart and LowPart methods are used to access the two 32-bit halves of the large integer value.
Example:
Dim x as IADsLargeInteger
Set o = GetObject("LDAP://DC=Microsoft,DC=com")
Set x = o.Get("UsnCreated")
Debug.Print x.HighPart
Debug.Print x.LowPart
Syntax Type: ADSTYPE_OCTET_STRING
An octet string is returned as a variant array of bytes. This consists of a size count (number of octets) followed by a series of octets. An octet is an 8-bit byte, so a series of octets is a string of binary data.
Syntax Type: ADSTYPE_OBJECT_CLASS
Object Class is a unique object identifier for a given schema class. The class of each object instance is identified by the objectClass attribute. Once created, you can never change an object's class. objectClass is a multiple valued attribute. It lists the specific class of the object, and the classes of all structural or abstract classes from which the specific class was derived. This includes Top, the class from which all other classes are ultimately derived. Active Directory does not list auxiliary classes in the objectClass attribute.
Syntax Type: ADSTYPE_NT_SECURITY_DESCRIPTOR
Access rights define what abilities a security principal has when it attempts to perform an operation on an Active Directory object. A security descriptor describes the access control information associated with an object.
The security descriptor is stored as a property of a directory object in the nTSecurityDescriptor property. When an authenticated user attempts to access a directory object, the directory server determines the access granted or denied to the user based on the object's security descriptor.
The ADS_SD_CONTROL_ENUM enumeration specifies control flags for a security descriptor.
Example:
' Getting a security descriptor.
Dim x as IADs
Dim sd as IADsSecurityDescriptor
Dim acl as IADsAccessControlList
Set x = GetObject("LDAP://DC=Microsoft, DC=com")
Set sd = x.Get("ntSecurityDescriptor")
Debug.Print sd.Control
Debug.Print sd.Group
Debug.Print sd.Owner
Debug.Print sd.Revision
Set acl = sd.DiscretionaryAcl
Set sacl = sd.SystemAcl
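The number printed by sd.Control is a bitmask of ADS_SD_CONTROL_ENUM flags, and a few of those bits matter when auditing an object. The following is an added example, not code from the original page: it decodes a Control value and lists the points a reviewer would check. The function names and the sample value are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// ADS_SD_CONTROL_ENUM bits; each name below carries the ADS_SD_CONTROL_ prefix in ADSI.
struct SdFlag { uint32_t bit; const char* name; };
static const SdFlag kSdFlags[] = {
    {0x0001, "SE_OWNER_DEFAULTED"},       {0x0002, "SE_GROUP_DEFAULTED"},
    {0x0004, "SE_DACL_PRESENT"},          {0x0008, "SE_DACL_DEFAULTED"},
    {0x0010, "SE_SACL_PRESENT"},          {0x0020, "SE_SACL_DEFAULTED"},
    {0x0100, "SE_DACL_AUTO_INHERIT_REQ"}, {0x0200, "SE_SACL_AUTO_INHERIT_REQ"},
    {0x0400, "SE_DACL_AUTO_INHERITED"},   {0x0800, "SE_SACL_AUTO_INHERITED"},
    {0x1000, "SE_DACL_PROTECTED"},        {0x2000, "SE_SACL_PROTECTED"},
    {0x8000, "SE_SELF_RELATIVE"},
};

// Names of the flags set in a Control value; bits outside the enumeration are reported too.
std::vector<std::string> decode_sd_control(uint32_t control) {
    std::vector<std::string> names;
    uint32_t known = 0;
    for (const SdFlag& f : kSdFlags) {
        known |= f.bit;
        if (control & f.bit) names.push_back(f.name);
    }
    if (control & ~known) names.push_back("UNKNOWN_BITS");
    return names;
}

// Points a reviewer would check first when auditing an object's descriptor.
std::vector<std::string> review_sd_control(uint32_t control) {
    std::vector<std::string> notes;
    if (!(control & 0x0004))
        notes.push_back("no DACL present: access to the object is not restricted");
    if (control & 0x1000)
        notes.push_back("DACL protected: inheritable ACEs from the parent are blocked");
    if (control & 0x0008)
        notes.push_back("DACL was supplied by a default mechanism");
    return notes;
}

int main() {
    for (const std::string& n : decode_sd_control(0x8C14))  // constructed sample value
        std::printf("%s\n", n.c_str());
}
```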