Active Directory Schema


attributeSchema Objects

Attributes are data items that are used to describe the classes that are defined in the schema. They are defined in the schema separately from the classes, which allows a single attribute definition to be applied to many classes.

Attributes are attributeSchema objects. Each attributeSchema object is an instance of the attributeSchema class. The attributeSchema object records, among other things, the information described in the following sections.

Single-Value or Multivalue Attributes

Attributes can be single-value or multivalue. Which of the two an attribute is, is defined by its isSingleValued attribute being set to TRUE or FALSE. The Active Directory Schema console reports this as "single-valued" or "multivalued" rather than as an attribute-value pair.

A multivalue attribute can contain multiple values, all of uniform syntax. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue properties are ever going to be returned in the order in which they were stored (or any other order).



Note

The LDAP protocol reads a multivalue attribute as a single entity. This can be inconvenient or even impossible when the number of values in a multivalue attribute becomes large. An Internet draft titled "Incremental Retrieval of Multivalued Properties" defines an option called Range that can be specified as part of an attribute description to retrieve the values of a multivalue attribute incrementally. Servers might or might not honor the range option. Servers that support the range option include the object identifier 1.2.840.113556.1.4.802 in the supportedControls operational attribute on the rootDSE. Clients must not use the range option unless this object identifier is present. The range option is a constant, case-insensitive string value (Range=), followed by a range-specifier that lists the initial and terminal values in the range.

For more information about the retrieval of multivalue attributes, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Follow the links to Internet Drafts, and then use a keyword search.
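The incremental retrieval described in the note, worked through as an added Python example (not code from the Resource Kit or from Microsoft): a client first checks rootDSE for the OID the note names, then walks the attribute in chunks using the "attr;range=lo-hi" description until the server labels a chunk with "*". Because it has to run offline, the server side is a constructed in-memory stand-in (FakeDirectory, its page_size, and the member values are all assumptions of this example); the OID, the range syntax and the rule about supportedControls are from the note above.

```python
"""Incremental (ranged) retrieval of a large multivalue attribute.

Added example, not part of the Resource Kit text. The OID, the "range="
attribute-description syntax and the rootDSE check come from the note above;
FakeDirectory and the sample values are constructed so the code runs offline.
"""
import re

RANGE_OPTION_OID = "1.2.840.113556.1.4.802"  # advertised in rootDSE supportedControls

# "Range=" is case-insensitive; the terminal value may be "*" (open ended).
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$",
                       re.IGNORECASE)


def supports_range_option(root_dse):
    """Clients must not use the range option unless the OID is advertised."""
    return RANGE_OPTION_OID in root_dse.get("supportedControls", [])


def parse_range_description(description):
    """'member;range=0-1499' -> ('member', 0, 1499); a '*' upper bound -> None.

    Returns None when the description carries no range option at all.
    """
    m = _RANGE_RE.match(description)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


class FakeDirectory:
    """Constructed stand-in for a server that honors the range option."""

    def __init__(self, values, page_size=3, advertise=True):
        self.values = list(values)
        self.page_size = page_size          # server-side cap per chunk (assumed)
        self.root_dse = {"supportedControls": [RANGE_OPTION_OID] if advertise else []}

    def search(self, attribute_description):
        """Answer one read as {returned_description: [values]}.

        A request for 'attr;range=lo-hi' yields at most page_size values; the
        chunk that reaches the end of the set is labelled 'attr;range=lo-*'.
        """
        parsed = parse_range_description(attribute_description)
        if parsed is None:                  # plain read: whole set, no label
            return {attribute_description: list(self.values)}
        attr, lo, hi = parsed
        end = lo + self.page_size if hi is None else min(hi + 1, lo + self.page_size)
        chunk = self.values[lo:end]
        if end >= len(self.values):
            label = f"{attr};range={lo}-*"
        else:
            label = f"{attr};range={lo}-{lo + len(chunk) - 1}"
        return {label: chunk}


def fetch_all_values(directory, attribute, page_size=1500):
    """Collect every value of `attribute`, walking ranges until the '*' chunk."""
    if not supports_range_option(directory.root_dse):
        # The option is not advertised, so fall back to a plain read.
        return list(directory.search(attribute)[attribute])
    values, lo = [], 0
    while True:
        result = directory.search(f"{attribute};range={lo}-{lo + page_size - 1}")
        (label, chunk), = result.items()
        _, got_lo, got_hi = parse_range_description(label)
        assert got_lo == lo, "server answered a different range than requested"
        values.extend(chunk)
        if got_hi is None:                  # '*' marks the final chunk
            return values
        lo = got_hi + 1                     # continue from the next value


if __name__ == "__main__":
    directory = FakeDirectory([f"user{i}" for i in range(7)], page_size=3)
    print(fetch_all_values(directory, "member"))
```

The client asks for a generous range each time but trusts the upper bound the server actually returns, which is what lets it work when the server's own limit is smaller than the request; an auditor enumerating large groups for review would otherwise silently see only the first chunk.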

Indexed Attributes

Making an attribute indexed means that directory searches involving that attribute are going to be more efficient than if the attribute had no index. Attributes are indexed when the least significant bit in their searchFlags attribute is set to the value 1. Changing the value of the bit to 1 dynamically builds an index; changing the value to 0 or deleting it drops an index for the attribute in question. The index is built automatically by a background thread on the directory server.

Ideally, indexed attributes are single-value with highly unique values that are evenly distributed across the set of instances. Multivalue attributes can be indexed, but the cost to build and update the index is larger in terms of storage and processing. Even with single-value attributes, keep in mind that the more indexed attributes a class has, the longer it takes to modify or create instances of the class.

Attributes for attributeSchema Class Objects

Attributes for the attributeSchema class are described in Table 4.1.

Table 4.1 Attributes for the attributeSchema Class

| Attribute | Syntax | Mandatory | Multivalue | Description |
|---|---|---|---|---|
| cn | Unicode [1] | Yes | No | Descriptive relative distinguished name for the schema object. |
| attributeID | Object identifier | Yes | No | Object identifier that uniquely identifies this attribute. |
| lDAPDisplayName | Unicode | Yes, but filled in automatically | No | Name by which LDAP clients identify this attribute. |
| schemaIDGUID | String(Octet) | Yes | No | GUID that uniquely identifies this attribute. |
| mAPIID | Integer | No | No | Integer by which Messaging Application Programming Interface (MAPI) clients identify this attribute. |
| attributeSecurityGUID | GUID | No | No | GUID by which the security system identifies the property set of this attribute. |
| attributeSyntax | Object identifier | Yes | No | Syntax object identifier of this attribute. |
| oMSyntax | Integer | Yes | No | Syntax of this attribute as defined by the XAPIA X/Open Object Model (XOM) specification. |
| isSingleValued | BOOL | Yes | No | Indicates whether this attribute is a single-value or multivalue attribute. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue attributes are ever going to be returned in the order in which they were stored (or in any other order). |
| extendedCharsAllowed | BOOL | No | No | Indicates whether extended characters are allowed in the value of this attribute. Only applies to attributes of syntax String(Teletex). |
| rangeLower | Integer | No | No | Lower range of values that are allowed for this attribute. [2] |
| rangeUpper | Integer | No | No | Upper range of values that are allowed for this attribute. [2] |
| systemFlags | Integer | No | No | Flags that determine specific system operations. Note: this attribute cannot be set or modified. The systemFlags values that are relevant to schema objects are: 0x00000001 = attribute is not replicated; 0x00000002 = attribute is required to be a member of the partial set; 0x00000004 = attribute is a constructed attribute. |
| searchFlags | Integer | No | No | The searchFlags property of each property's attributeSchema object defines whether a property is indexed. The four currently defined bits are: 1 = index over attribute only; 2 = index over container and attribute; 4 = add this attribute to the Ambiguous Name Resolution (ANR) set (should be used in conjunction with 1); 8 = preserve this attribute on logical deletion (that is, make this attribute available on tombstones). |
| isMemberOfPartialAttributeSet | BOOL | No | No | A Boolean value that defines whether the attribute is replicated to the global catalog (TRUE if it is replicated to the global catalog, FALSE if it is not). For more information, see "Active Directory Replication" in this book. |
| systemOnly | BOOL | No | No | System-only attributes are those attributes on which Windows 2000 and Active Directory depend for normal operations. If TRUE, only the system can modify this attribute. No user-defined attribute must ever have the systemOnly flag set. |
| objectClass | Object identifier | Yes | Yes | Class of this object, which is always attributeSchema. |
| nTSecurityDescriptor | NT-Sec-Des | Yes | No | Security descriptor on the attributeSchema object itself. |
| oMObjectClass | String(Octet) | No | No | For object-syntaxed attributes (oMSyntax = 127), the Basic Encoding Rules (BER) encoded object identifier of the XOM object class. For more information about BER encoding, see RFC 2251. |
| linkID | Integer | No | No | Indicates whether this is a linked attribute: an even integer denotes a forward link, an odd integer a back link. A forward link is a pointer to another object in the directory; a back link points back to the first object that has a forward link to it. (For more information about links, see "Active Directory Data Storage" in this book.) |

1. Unicode is a 16-bit character set that contains all of the characters commonly used in information processing.

2. When rangeLower and rangeUpper are defined for attributes that are integers, they define the limits of the value held by the attribute. When they are defined for attributes that are strings, they define the number of characters that can be held in the string.
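The searchFlags and systemFlags bit values in Table 4.1, together with the linkID parity rule and the two cautions the table gives (ANR should be used with bit 1; no user-defined attribute should have systemOnly set), lend themselves to a small schema-hygiene check. The following is an added Python example, not code from the Resource Kit or from Microsoft: the bit tables come from Table 4.1, while the attributeSchema records in SAMPLE_SCHEMA, the userDefined marker used to tell a user-defined attribute from a base-schema one, and the wording of the findings are constructed for this example. It goes slightly beyond the text by also cross-checking systemFlags bit 0x2 against isMemberOfPartialAttributeSet, since the table describes that bit as requiring partial-set membership.

```python
"""Decode attributeSchema flag bits and flag settings Table 4.1 warns about.

Added example, not from the Resource Kit. Bit meanings are from Table 4.1;
the sample records, the 'userDefined' marker and the finding texts are
constructed here.
"""

SEARCH_FLAGS = {                      # searchFlags bits, Table 4.1
    0x1: "index over attribute only",
    0x2: "index over container and attribute",
    0x4: "member of the Ambiguous Name Resolution (ANR) set",
    0x8: "preserved on tombstones",
}
SYSTEM_FLAGS = {                      # systemFlags bits relevant to schema objects
    0x1: "not replicated",
    0x2: "required member of the partial attribute set",
    0x4: "constructed attribute",
}


def decode_flags(value, table):
    """Names of the set bits in `value`; bits not in `table` are reported as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"unknown bits 0x{unknown:08x}")
    return names


def is_indexed(search_flags):
    """An attribute is indexed when the least significant bit of searchFlags is 1."""
    return bool(search_flags & 0x1)


def link_kind(link_id):
    """linkID parity: even = forward link, odd = back link, absent = not linked."""
    if link_id is None:
        return "not linked"
    return "forward link" if link_id % 2 == 0 else "back link"


def audit_attribute(attr):
    """Return a list of findings for one attributeSchema record (dict)."""
    findings = []
    sf = attr.get("searchFlags", 0)
    sysf = attr.get("systemFlags", 0)
    if sf & 0x4 and not sf & 0x1:
        findings.append("ANR bit (4) set without the index bit (1)")
    if sf & 0x1 and not attr.get("isSingleValued", True):
        findings.append("index on a multivalue attribute (larger build and update cost)")
    if attr.get("systemOnly") and attr.get("userDefined"):
        findings.append("user-defined attribute has systemOnly set")
    if sysf & 0x2 and not attr.get("isMemberOfPartialAttributeSet", False):
        findings.append("systemFlags 0x2 requires partial-set membership, "
                        "but isMemberOfPartialAttributeSet is FALSE")
    return findings


def audit_schema(records):
    """Map lDAPDisplayName -> findings for every record that has any."""
    report = {}
    for rec in records:
        findings = audit_attribute(rec)
        if findings:
            report[rec["lDAPDisplayName"]] = findings
    return report


# Constructed records; they illustrate the checks, they are not real schema data.
SAMPLE_SCHEMA = [
    {"lDAPDisplayName": "sAMAccountName", "searchFlags": 0x1 | 0x4,
     "isSingleValued": True, "systemFlags": 0x2, "isMemberOfPartialAttributeSet": True},
    {"lDAPDisplayName": "member", "searchFlags": 0x0, "isSingleValued": False, "linkID": 2},
    {"lDAPDisplayName": "memberOf", "isSingleValued": False, "linkID": 3},
    {"lDAPDisplayName": "exampleCorp-Tag", "searchFlags": 0x1 | 0x4,
     "isSingleValued": False, "systemOnly": True, "userDefined": True},
    {"lDAPDisplayName": "exampleCorp-Note", "searchFlags": 0x4,
     "isSingleValued": True, "userDefined": True},
]

if __name__ == "__main__":
    for name, findings in audit_schema(SAMPLE_SCHEMA).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Feeding it real data means reading searchFlags, systemFlags, isSingleValued, systemOnly, linkID and isMemberOfPartialAttributeSet from each attributeSchema object in the schema naming context and deciding locally what counts as user-defined; the checks themselves only restate what the table says about each bit.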

© 1985-2000 Microsoft Corporation. All rights reserved.