attributeSchema Objects
Attributes are data items that are used to describe the classes that are defined in the schema. They are defined in the schema separately from the classes, which allows a single attribute definition to be applied to many classes.
Attributes are attributeSchema objects. Each attributeSchema object is an instance of the attributeSchema class. The attributeSchema object lists, among other things, the following information:
The LDAP display name of the attribute.
The object identifier for the attribute.
The globally unique identifier (GUID) for the attribute.
The syntax of the attribute.
The range for the attribute. For integers, range defines the minimum and maximum value; for strings, range defines the minimum and maximum length.
Whether the attribute is a multivalue attribute. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue attributes are ever going to be returned in the order in which they were stored (or in any other order).
Whether and how the attribute is indexed.
Attributes might be single-value or multivalue. Whether an attribute is single-value or multivalue is defined by the isSingleValued attribute being set to TRUE or FALSE. The Active Directory Schema console reports this as "single-valued" or "multivalued" rather than as an attribute-value pair.
A multivalue attribute can contain multiple values, all of uniform syntax. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue properties are ever going to be returned in the order in which they were stored (or any other order).
Note
The LDAP protocol reads a multivalue attribute as a single entity. This can be inconvenient or even impossible when the number of values in a multivalue attribute becomes large. An Internet draft titled "Incremental Retrieval of Multivalued Properties" defines an option called Range that can be specified as part of an attribute description to retrieve the values of a multivalue attribute incrementally. Servers might or might not honor the range option. Servers that support the range option include the object identifier 1.2.840.113556.1.4.802 in the supportedControls operational attribute on the rootDSE. Clients must not use the range option unless this object identifier is present. The range option is a constant, case-insensitive string value (Range=), followed by a range-specifier that lists the initial and terminal values in the range.
For more information about the retrieval of multivalue attributes, see the Internet Engineering Task Force (IETF) link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources . Follow the links to Internet Drafts, and then use a keyword search.
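The incremental read described in the note above, as an added example that is not part of the original page: it checks for the advertised object identifier, parses the case-insensitive range option, and keeps reading until the final chunk. The `*` terminal value (meaning "through the last value"), the in-memory server stand-in, and the group member names are assumptions of this sketch.

```python
import re

RANGE_OID = "1.2.840.113556.1.4.802"  # OID the page says a range-capable server advertises
# Matches "member;range=0-2" or "member;Range=3-*"; the keyword is case-insensitive.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)

def parse_range(description):
    """Split an attribute description into (attribute, low, high); high is None for '*'."""
    m = RANGE_RE.match(description)
    if m is None:
        raise ValueError(f"no range option in {description!r}")
    lo = int(m["lo"])
    hi = None if m["hi"] == "*" else int(m["hi"])
    if hi is not None and hi < lo:
        raise ValueError(f"terminal value below initial value in {description!r}")
    return m["attr"], lo, hi

def read_all(attr, search, advertised_oids):
    """Collect every value of a multivalue attribute, one range at a time."""
    if RANGE_OID not in advertised_oids:
        raise RuntimeError("server does not advertise the range option")
    values, lo = [], 0
    while True:
        returned, chunk = search(f"{attr};range={lo}-*")
        _, got_lo, got_hi = parse_range(returned)
        if got_lo != lo:  # a gap or overlap would silently corrupt the result
            raise ValueError(f"asked for values from {lo}, server answered from {got_lo}")
        values.extend(chunk)
        if got_hi is None:  # assumption: '*' marks the final chunk
            return values
        lo = got_hi + 1

def make_fake_search(stored, per_reply):
    """Constructed stand-in for a server that returns at most per_reply values per read."""
    def search(description):
        attr, lo, hi = parse_range(description)
        last = len(stored) - 1
        end = min(last if hi is None else hi, lo + per_reply - 1, last)
        terminal = "*" if end >= last else str(end)
        return f"{attr};Range={lo}-{terminal}", stored[lo:end + 1]
    return search

# Constructed sample data: eight member DNs of a hypothetical group.
MEMBERS = [f"CN=user{i},OU=Staff,DC=example,DC=com" for i in range(8)]

if __name__ == "__main__":
    print(read_all("member", make_fake_search(MEMBERS, 3), {RANGE_OID}))
```

A client that reads only the first reply gets a truncated value set with no error, which is why a membership audit has to loop until the terminal chunk.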
Making an attribute indexed means that directory searches involving that attribute are going to be more efficient than if the attribute had no index. Attributes are indexed when the least significant bit in their searchFlags attribute is set to the value 1. Changing the value of the bit to 1 dynamically builds an index; changing the value to 0 or deleting it drops an index for the attribute in question. The index is built automatically by a background thread on the directory server.
Ideally, indexed attributes are single-value attributes with highly unique values that are evenly distributed across the set of instances. Multivalue attributes can be indexed, but the cost to build the index is larger in terms of storage and updating. Even with single-value attributes, keep in mind that the more indexed attributes a class has, the longer it takes to modify or create instances of the class.
Attributes for the attributeSchema class are described in Table 4.1.
Table 4.1 Attributes for the attributeSchema Class
Attribute | Syntax | Mandatory | Multivalue | Description |
---|---|---|---|---|
cn | Unicode | Yes | No | Descriptive relative distinguished name for the schema object. |
attributeID | Object identifier | Yes | No | Object identifier that uniquely identifies this attribute. |
lDAPDisplayName | Unicode | Yes, but filled in automatically | No | Name by which LDAP clients identify this attribute. |
schemaIDGUID | String(Octet) | Yes | No | GUID that uniquely identifies this attribute. |
mAPIID | Integer | No | No | Integer by which Messaging Application Programming Interface (MAPI) clients identify this attribute. |
attributeSecurityGUID | GUID | No | No | GUID by which the security system identifies the property set of this attribute. |
attributeSyntax | Object identifier | Yes | No | Syntax object identifier of this attribute. |
oMSyntax | Integer | Yes | No | Syntax of this attribute as defined by the XAPIA X/Open Object Model (XOM) specification. |
isSingleValued | BOOL | Yes | No | Indicates whether this attribute is a single-value or multivalue attribute. Note that multivalue attributes hold a set of values with no particular order. There is no guarantee that multivalue attributes are ever going to be returned in the order in which they were stored (or in any other order). |
extendedCharsAllowed | BOOL | No | No | Indicates whether extended characters are allowed in the value of this attribute. Only applies to attributes of syntax String(teletex). |
rangeLower | Integer | No | No | Lower range of values that are allowed for this attribute. 2 |
rangeUpper | Integer | No | No | Upper range of values that are allowed for this attribute. 2 |
systemFlags | Integer | No | No | Flags that determine specific system operations. Note: this attribute cannot be set or modified. |
searchFlags | Integer | No | No | The searchFlags property of each property's attributeSchema object defines whether a property is indexed. |
isMemberOfPartialAttributeSet | BOOL | No | No | A Boolean value that defines whether the attribute is replicated to the global catalog (if replicated to the global catalog, it has a value of TRUE; if not, its value is FALSE). |
SystemOnly | BOOL | No | No | System-only attributes are those attributes on which Windows 2000 and Active Directory depend for normal operations. |
objectClass | Object identifier | Yes | Yes | Class of this object, which is always attributeSchema. |
nTSecurityDescriptor | NT-Sec-Des | Yes | No | Security descriptor on the attributeSchema object itself. |
oMObjectClass | String(Octet) | No | No | For object-syntaxed attributes (OM-syntax = 127), the Basic Encoding Rules (BER) encoded object identifier of the XOM object class. For more information about BER encoding, see RFC 2251. |
LinkID | Integer | No | No | Indicates whether the attribute is linked. An even integer denotes a forward link; an odd integer denotes a back link. |

1. Unicode is a 16-bit character set that contains all of the characters commonly used in information processing.
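How the range, single-value, index and link fields described above combine when a proposed write is checked against an attribute definition, as an added example that is not part of the original page. The three attributeSchema records are constructed, their attribute names are hypothetical, and schema records are modeled as plain dictionaries.

```python
INDEXED = 0x1  # least significant bit of searchFlags, per the indexing text above

def is_indexed(schema):
    """True when the index bit is set; a missing searchFlags means no index."""
    return bool(schema.get("searchFlags", 0) & INDEXED)

def link_kind(schema):
    """Even linkID is a forward link, odd is a back link, absent means not linked."""
    link_id = schema.get("linkID")
    if link_id is None:
        return "not linked"
    return "forward link" if link_id % 2 == 0 else "back link"

def check_values(schema, values):
    """List the reasons a proposed set of values violates the attribute definition."""
    problems = []
    if schema["isSingleValued"] and len(values) > 1:
        problems.append(f"{len(values)} values given for a single-value attribute")
    lo, hi = schema.get("rangeLower"), schema.get("rangeUpper")
    for value in values:
        # The range bounds an integer's value but a string's length.
        if isinstance(value, int):
            size, what = value, "value"
        else:
            size, what = len(value), "length"
        if lo is not None and size < lo:
            problems.append(f"{what} {size} is below rangeLower {lo}")
        if hi is not None and size > hi:
            problems.append(f"{what} {size} is above rangeUpper {hi}")
    return problems

def index_cost_note(schema):
    """Flag the case the text calls more expensive: an indexed multivalue attribute."""
    if is_indexed(schema) and not schema["isSingleValued"]:
        return "indexed multivalue attribute: index costs more to store and update"
    return None

# Constructed attributeSchema records (hypothetical attributes, not from a real schema).
BADGE = {"lDAPDisplayName": "exampleBadgeNumber", "isSingleValued": True,
         "rangeLower": 1, "rangeUpper": 99999, "searchFlags": 1}
NICKNAMES = {"lDAPDisplayName": "exampleNickname", "isSingleValued": False,
             "rangeLower": 1, "rangeUpper": 16, "searchFlags": 1}
REPORTS = {"lDAPDisplayName": "exampleReports", "isSingleValued": False, "linkID": 7001}
```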