Active Directory Schema
Attributes are data items that are used to describe the classes that are defined in the schema. They are defined in the schema separately from the classes, which allows a single attribute definition to be applied to many classes.
Attributes are attributeSchema objects. Each attributeSchema object is an instance of the attributeSchema class. The attributeSchema object lists, among other things, the following information:
Attributes might be single-value or multivalue. Whether an attribute is single-value or multivalue is defined by its isSingleValued attribute being set to TRUE or FALSE, respectively. The Active Directory Schema console reports this as "single-valued" or "multivalued" rather than as an attribute-value pair.
A multivalue attribute can contain multiple values, all of uniform syntax. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue properties are ever going to be returned in the order in which they were stored (or any other order).
Note
The LDAP protocol reads a multivalue attribute as a single entity. This can be inconvenient or even impossible when the number of values in a multivalue attribute becomes large. An Internet draft titled "Incremental Retrieval of Multivalued Properties" defines an option called Range that can be specified as part of an attribute description to retrieve the values of a multivalue attribute incrementally. Servers might or might not honor the range option. Servers that support the range option include the object identifier 1.2.840.113556.1.4.802 in the supportedControls operational attribute on the rootDSE. Clients must not use the range option unless this object identifier is present. The range option is a constant, case-insensitive string value (Range=), followed by a range-specifier that lists the initial and terminal values in the range.
For more information about the retrieval of multivalue attributes, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Follow the links to Internet Drafts, and then use a keyword search.
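As an added example (not code from the Resource Kit), the following Python sketches the client side of the Range option described above: the check for the OID in supportedControl, building and parsing `attr;range=low-high` descriptions, and looping until the server replies with a `-*` upper bound. The LDAP search itself is replaced by a hypothetical `search_fn` callback and a constructed fake server so that it runs offline.

```python
import re

# OID the note names: servers that honour Range list it in rootDSE supportedControl.
RANGE_OPTION_OID = "1.2.840.113556.1.4.802"
# Matches 'member;range=0-1499' or 'member;Range=1500-*' (option is case-insensitive).
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)


def server_supports_range(supported_controls):
    """True only if the rootDSE advertises the incremental-retrieval OID."""
    return RANGE_OPTION_OID in set(supported_controls)


def range_attr(attr, low, high=None):
    """Build an attribute description with a Range option; high=None means '*'."""
    return f"{attr};range={low}-{'*' if high is None else high}"


def parse_range_attr(desc):
    """Split 'member;range=0-1499' into (attr, low, high); high is None for '*'."""
    m = _RANGE_RE.match(desc)
    if not m:
        raise ValueError(f"not a ranged attribute description: {desc}")
    return m.group("attr"), int(m.group("low")), (None if m.group("high") == "*" else int(m.group("high")))


def fetch_all_values(attr, search_fn, supported_controls):
    """Retrieve every value of a multivalue attribute one range at a time. search_fn(attr_desc)
    is a hypothetical stand-in for an LDAP search returning {attribute description: [values]}."""
    if not server_supports_range(supported_controls):
        return list(search_fn(attr).get(attr, []))  # client must not use the option
    values, low = [], 0
    while True:
        reply = search_fn(range_attr(attr, low))
        # The server echoes the range it actually returned in the attribute key.
        key = next(k for k in reply if k.lower().startswith(f"{attr.lower()};range="))
        _, _, high = parse_range_attr(key)
        values.extend(reply[key])
        if high is None:  # 'N-*' in the reply marks the final chunk
            return values
        low = high + 1


def make_fake_server(values, page_size):
    """Constructed stand-in for a server that returns at most page_size values per
    request (not real LDAP code); used to exercise fetch_all_values offline."""
    def search(attr_desc):
        if ";range=" not in attr_desc.lower():
            return {attr_desc: values[:page_size]}
        attr, low, _ = parse_range_attr(attr_desc)
        chunk = values[low:low + page_size]
        last = low + page_size >= len(values)
        return {range_attr(attr, low, None if last else low + len(chunk) - 1): chunk}
    return search
```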
Making an attribute indexed means that directory searches involving that attribute are going to be more efficient than if the attribute had no index. Attributes are indexed when the least significant bit in their searchFlags attribute is set to the value 1. Changing the value of the bit to 1 dynamically builds an index; changing the value to 0 or deleting it drops an index for the attribute in question. The index is built automatically by a background thread on the directory server.
Ideally, indexed attributes are single-valued with highly unique values that are evenly distributed across the set of instances. Multivalue attributes can be indexed, but the cost to build the index is larger in terms of storage and updating. Even with single-value attributes, keep in mind that the more indexed attributes a class has, the longer it takes to modify or create instances of the class.
Attributes for the attributeSchema class are described in Table 4.1.
Table 4.1 Attributes for the attributeSchema Class
Attribute | Syntax | Mandatory | Multivalue | Description |
---|---|---|---|---|
cn | Unicode | Yes | No | Descriptive relative distinguished name for the schema object. |
attributeID | Object identifier | Yes | No | Object identifier that uniquely identifies this attribute. |
lDAPDisplayName | Unicode | Yes, but filled in automatically | No | Name by which LDAP clients identify this attribute. |
schemaIDGUID | String(Octet) | Yes | No | GUID that uniquely identifies this attribute. |
mAPIID | Integer | No | No | Integer by which Messaging Application Programming Interface (MAPI) clients identify this attribute. |
attributeSecurityGUID | GUID | No | No | GUID by which the security system identifies the property set of this attribute. |
attributeSyntax | Object identifier | Yes | No | Syntax object identifier of this attribute. |
oMSyntax | Integer | Yes | No | Syntax of this attribute as defined by the XAPIA X/Open Object Model (XOM) specification. |
isSingleValued | BOOL | Yes | No | Indicates whether this attribute is a single-value or multivalue attribute. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue attributes are ever going to be returned in the order in which they were stored (or in any other order). |
extendedCharsAllowed | BOOL | No | No | Indicates whether extended characters are allowed in the value of this attribute. Only applies to attributes of syntax String(teletex). |
rangeLower | Integer | No | No | Lower range of values that are allowed for this attribute.² |
rangeUpper | Integer | No | No | Upper range of values that are allowed for this attribute.² |
systemFlags | Integer | No | No | Flags that determine specific system operations. Note: this attribute cannot be set or modified. The systemFlags that are relevant to the schema objects are the following: attribute is not replicated = 0x00000001; attribute is required to be a member of the partial set = 0x00000002; attribute is a constructed attribute = 0x00000004. |
searchFlags | Integer | No | No | The searchFlags property of each property's attributeSchema object defines whether a property is indexed. The four currently defined bits for this attribute are as follows: 1 = Index over attribute only; |
isMemberOfPartialAttributeSet | BOOL | No | No | A Boolean value that defines whether the attribute is replicated to the global catalog (if replicated to the global catalog, it has a value of TRUE; if not, its value is FALSE). For more information, see "Active Directory Replication" in this book. |
systemOnly | BOOL | No | No | System-only attributes are those attributes on which Windows 2000 and Active Directory depend for normal operations. If TRUE, only the system can modify this attribute. No user-defined attribute must ever have the systemOnly flag set. |
objectClass | Object identifier | Yes | Yes | Class of this object, which is always attributeSchema. |
nTSecurityDescriptor | | Yes | No | Security descriptor on the attributeSchema object itself. |
oMObjectClass | String(Octet) | No | No | For object-syntaxed attributes ( |
linkID | Integer | No | No | Whether this is a linked attribute: an even integer denotes a forward link, an odd integer a back link. A forward link is a pointer to another object in the directory; a back link points back to the first object that has a forward link to it. (For more information about links, see "Active Directory Data Storage" in this book.) |
1. Unicode is a
2. When rangeLower and rangeUpper are defined for attributes that are integers, they define the limits of the value held by the attribute. When they are defined for attributes that are strings, they define the number of characters that can be held in the string.