Active Directory Schema

attributeSchema Objects

Attributes are data items that are used to describe the classes that are defined in the schema. They are defined in the schema separately from the classes, which allows a single attribute definition to be applied to many classes.

Attributes are attributeSchema objects. Each attributeSchema object is an instance of the attributeSchema class. The attributeSchema object lists, among other things, the following information:

The LDAP display name of the attribute.
The object identifier for the attribute.
The globally unique identifier (GUID) for the attribute.
The syntax of the attribute.
The range for the attribute. For integers, range defines the minimum and maximum value; for strings, range defines the minimum and maximum length.
Whether the attribute is a multivalue attribute. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue attributes are ever going to be returned in the order in which they were stored (or in any other order).
Whether and how the attribute is indexed.

Single-Value or Multivalue Attributes

Attributes might be single-value or multivalue. Single-value and multivalue attributes are defined by the singleValued attribute being set to TRUE or FALSE. The Active Directory Schema console reports this as "single-valued" or "multivalued" rather than as an attribute-value pair.

A multivalue attribute can contain multiple values, all of uniform syntax. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue properties are ever going to be returned in the order in which they were stored (or any other order).

Note

The LDAP protocol reads a multivalue attribute as a single entity. This can be inconvenient or even impossible when the number of values in a multivalue attribute becomes large. An Internet draft titled "Incremental Retrieval of Multivalued Properties" defines an option called Range that can be specified as part of an attribute description to retrieve the values of a multivalue attribute incrementally. Servers might or might not honor the range option. Servers that support the range option include the object identifier 1.2.840.113556.1.4.802 in the supportedControls operational attribute on the rootDSE. Clients must not use the range option unless this object identifier is present. The range option is a constant, case-insensitive string value (Range=), followed by a range-specifier that lists the initial and terminal values in the range.

For more information about the retrieval of multivalue attributes, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Follow the links to Internet Drafts, and then use a keyword search.

Indexed Attributes

Making an attribute indexed means that directory searches involving that attribute are going to be more efficient than if the attribute had no index. Attributes are indexed when the least significant bit in their searchFlags attribute is set to the value 1. Changing the value of the bit to 1 dynamically builds an index; changing the value to 0 or deleting it drops an index for the attribute in question. The index is built automatically by a background thread on the directory server.

Ideally, indexed attributes are single value with highly unique values that are evenly distributed across the set of instances. Multivalue attributes can be indexed, but the cost to build the index is larger in terms of storage and updating. Even with single-value attributes, keep in mind that the more indexed attributes a class has, the longer it takes to modify or create instances of the class.

Attributes for attributeSchema Class Objects

Attributes for the attributeSchema class are described in Table 4.1.

Table 4.1 Attributes for the attributeSchema Class

Attribute	Syntax	Mandatory	Multi- value	Description
cn	Unicode	Yes	No	Descriptive relative distinguished name for the schema object.
attributeID	Object identifier	Yes	No	Object identifier that uniquely identifies this attribute.
^lDAPDisplayName	Unicode	Yes, but filled in automatically	No	Name by which LDAP clients identify this attribute.
schemaIDGUID	String(Octet)	Yes	No	GUID that uniquely identifies this attribute.
mAPIID	Integer	No	No	Integer by which Messaging Application Programming Interface (MAPI) clients identify this attribute.
attributeSecurityGUID	GUID	No	No	GUID by which the security system identifies the property set of this attribute.
attributeSyntax	Object identifier	Yes	No	Syntax object identifier of this attribute.
oMSyntax	Integer	Yes	No	Syntax of this attribute as defined by the XAPIA X/Open Object Model (XOM) specification.
isSingleValued	BOOL	Yes	No	Indicates whether this attribute is a single-value or multivalue attribute. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue attributes are ever going to be returned in the order in which they were stored (or in any other order).
extendedCharsAllowed	BOOL	No	No	Indicates whether extended characters are allowed in the value of this attribute. Only applies to attributes of syntax String(teletex).
rangeLower	Integer	No	No	Lower range of values that are allowed for this attribute.²
rangeUpper	Integer	No	No	Upper range of values that are allowed for this attribute.²
systemFlags	Integer	No	No	Flags that determine specific system operations. Note: this attribute cannot be set or modified. The systemFlags that are relevant to the schema objects are the following: Attribute is required to be a member of the partial set = 0x00000002. Attribute is not replicated = 0x00000001. Attribute is a constructed attribute = 0x00000004.
searchFlags	Integer	No	No	The searchFlags property of each property's attributeSchema object defines whether a property is indexed. The four currently defined bits for this attribute are as follows: 1 = Index over attribute only; 2 = Index over container and attribute; 4 = Add this attribute to the Ambiguous Name Resolution (ANR) set (should be used in conjunction with 1); 8 = Preserve this attribute on logical deletion (that is, make this attribute available on tombstones).
isMemberof PartialAttributeSet	BOOL	No	No	A Boolean value that defines whether the attribute is replicated to the global catalog (if replicated to the global catalog, it has a value of TRUE, if not, its value is FALSE). For more information, see "Active Directory Replication" in this book.
SystemOnly	BOOL	No	No	System-only attributes are those attributes on which Windows 2000 and Active Directory depend for normal operations. If TRUE, only the system can modify this attribute. No user-defined attribute must ever have the systemOnly flag set.
objectClass	Object identifier	Yes	Yes	Class of this object, which is always attributeSchema.
nTSecurityDescriptor	NT-Sec-Des	Yes	No	Security descriptor on the attributeSchema object itself.
oMObjectClass	String(Octet)	No	No	For object-syntaxed attributes (OM-syntax = 127), the Basic Encoding Rules (BER) encoded object identifier of the XOM object class. For more information about BER encoding, see RFC 2251.
LinkID	Integer	No	No	Whether a linked attribute or not, an even integer denotes a forward link, an odd integer a back link. A forward link is a pointer to another object in the directory; a back link points back to the first object that has a forward link to it. (For more information about links, see "Active Directory Data Storage" in this book.)
¹. Unicode is a 16-bit character set that contains all of the characters commonly used in information processing. ². When rangeLower and rangeUpper are defined for attributes that are integers, they define the limits of the value held by the attribute. When they are defined for attributes that are strings, they define the number of characters that can be held in the string.