A schema object, named classSchema, defines each class in the schema. Another schema object, the attributeSchema object, defines each attribute in the schema. Therefore, every class is actually an instance of the classSchema class, and every attribute is an instance of the attributeSchema class.
Table A-1 Some Attributes for the Attribute Schema Object

| Attribute | Syntax | Description |
|---|---|---|
| cn | Unicode | Descriptive relative distinguished name for the schema object. cn is a mandatory attribute. |
| attributeID | Object identifier | Object identifier that uniquely identifies this attribute. attributeID is a mandatory attribute. |
| lDAPDisplayName | Unicode | Name by which LDAP clients identify this attribute. lDAPDisplayName is not a mandatory attribute. |
| schemaIDGUID | String (Octet) | GUID that uniquely identifies this attribute. schemaIDGUID is a mandatory attribute. |
| mAPIID | Integer | Integer by which Messaging API (MAPI) clients identify this attribute. mAPIID is not a mandatory attribute. |
| attributeSecurityGUID | GUID | GUID by which the security system identifies the property set of this attribute. attributeSecurityGUID is not a mandatory attribute. |
| attributeSyntax | Object identifier | Syntax object identifier of this attribute. attributeSyntax is a mandatory attribute. |
| oMSyntax | Integer | Syntax of this attribute as defined by the XAPIA X/Open Object Model (XOM) specification. oMSyntax is a mandatory attribute. |
| isSingleValued | BOOL | Indicates whether this attribute is a single-value or multivalue attribute. isSingleValued is a mandatory attribute. NOTE: Multivalue attributes hold a set of values with no particular order. Multivalue attributes are not always returned in the order in which they were stored (or in any other order). |
| extendedCharsAllowed | BOOL | Indicates whether extended characters are allowed in the value of this attribute. Applies only to attributes of syntax String (Teletex). extendedCharsAllowed is not a mandatory attribute. |
| rangeLower | Integer | Lower bound of the range of values that are allowed for this attribute. rangeLower is not a mandatory attribute. |
| rangeUpper | Integer | Upper bound of the range of values that are allowed for this attribute. rangeUpper is not a mandatory attribute. |
| systemFlags | Integer | Flags that determine specific system operations. This attribute cannot be set or modified. The following systemFlags attributes are relevant to the schema objects: systemFlags is not a mandatory attribute. |
| searchFlags | Integer | The searchFlags property of each property's attributeSchema object defines different behaviors, including whether a property is indexed. The seven currently defined bits for this attribute are: searchFlags is not a mandatory attribute. |
| isMemberOfPartialAttributeSet | BOOL | A Boolean value that defines whether the attribute is replicated to the global catalog. A value of TRUE means that the attribute is replicated to the global catalog. isMemberOfPartialAttributeSet is not a mandatory attribute. |
| systemOnly | BOOL | If TRUE, only the system can modify this attribute. A user-defined attribute must never have the systemOnly flag set. systemOnly is not a mandatory attribute. |
| objectClass | Object identifier | The class of this object, which is always attributeSchema. objectClass is a mandatory and multivalued attribute. |
| nTSecurityDescriptor | NT-Sec-Des | The security descriptor on the attributeSchema object itself. nTSecurityDescriptor is a mandatory attribute. |
| oMObjectClass | String (Octet) | For attributes with object syntax (OM-syntax = 127), this is the Basic Encoding Rules (BER) encoded object identifier of the XOM object class. For more information about BER encoding, see Request for Comments (RFC) 2251 in the IETF RFC Database. oMObjectClass is not a mandatory attribute. |
| linkID | Integer | The value that determines whether the attribute is a linked attribute. Linked attributes make it possible to associate one object with another object. A linked attribute represents an interobject distinguished-name reference. A forward link references a target object in the directory; a back link refers back to the source object that has a forward link to it. An even integer denotes a forward link; an odd integer denotes a back link. linkID is not a mandatory attribute. |
The syntax for an attribute defines its storage representation, byte ordering, and the matching rules used for comparisons. When you define a new attribute, you must specify both the attributeSyntax and the oMSyntax numbers of the syntax that you want for that attribute. The attributeSyntax number is an object identifier, and the oMSyntax number is an integer defined by the XOM specification. Using this model, the pair of values can express detailed syntax definitions. For example, distinct oMSyntax values distinguish several types of printable strings, according to such factors as the supported character set and whether case is significant.
eDirectory comes with a predefined set of syntaxes. Most of the syntaxes required to support Active Directory applications are supported directly or indirectly by eDirectory. The following table lists the valid syntaxes for attributes in the DSfW schema and shows how each DSfW syntax is internally mapped to an eDirectory syntax. Refer to Section A.2, Extending the Third-Party Schema, for more information on automating the mapping.
Table A-2 Mapping Valid Syntaxes for Attributes in the DSfW Schema

| Syntax | Attribute Syntax | oMSyntax | eDirectory Syntax | Description |
|---|---|---|---|---|
| Object (DN-DN) | 2.5.5.1 | 127 | SYN_DIST_NAME | The fully qualified name of an object in the directory. |
| String (Object-Identifier) | 2.5.5.2 | 6 | SYN_CI_STRING | The object identifier. |
| Case-Sensitive String | 2.5.5.3 | 27 | SYN_CI_STRING | General string. Differentiates uppercase and lowercase. |
| CaseIgnoreString (Teletex) | 2.5.5.4 | 20 | SYN_CI_STRING | Teletex. Does not differentiate uppercase and lowercase. |
| String (Printable), String (IA5) | 2.5.5.5 | 19, 22 | SYN_PR_STRING, SYN_CE_STRING | Printable string or IA5 string. Both character sets are case sensitive. |
| String (Numeric) | 2.5.5.6 | 18 | SYN_NU_STRING | A sequence of digits. |
| Object (DN-Binary) | 2.5.5.7 | 127 | SYN_PATH | A distinguished name plus a binary large object. |
| Boolean | 2.5.5.8 | 1 | SYN_BOOLEAN | TRUE or FALSE values. |
| Integer, Enumeration | 2.5.5.9 | 2, 10 | SYN_INTEGER | A 32-bit number or enumeration. |
| String (Octet) | 2.5.5.10 | 4 | SYN_OCTET_STRING | A string of bytes. |
| String (UTC-Time), String (Generalized-Time) | 2.5.5.11 | 23, 24 | SYN_TIME | UTC time or generalized time. |
| String (Unicode) | 2.5.5.12 | 64 | SYN_CI_STRING | Unicode string. |
| Object (Presentation-Address) | 2.5.5.13 | 127 | SYN_OCTET_STRING | Presentation address. |
| Object (DN-String) | 2.5.5.14 | 127 | SYN_OCTET_STRING | A DN string plus a Unicode string. |
| String (NT-Sec-Desc) | 2.5.5.15 | 66 | SYN_OCTET_STRING | A Windows NT security descriptor. |
| LargeInteger | 2.5.5.16 | 65 | SYN_INTEGER64 | A 64-bit number. |
| String (Sid) | 2.5.5.17 | 4 | SYN_OCTET_STRING | Security identifier (SID). |
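As an added example (not code from the DSfW documentation), the following Python pre-flight check applies the rules of Tables A-1 and A-2 to a candidate attributeSchema definition before it is loaded into the schema; the attribute name, OID and sample entry are constructed placeholders.

```python
# Added example (not part of the DSfW documentation): a pre-flight check for a
# candidate attributeSchema entry, applying rules from Tables A-1 and A-2:
# mandatory attributes, a valid attributeSyntax/oMSyntax pair, systemOnly
# never set on a user-defined attribute, rangeLower <= rangeUpper, linkID parity.
# attributeSyntax OID -> (valid oMSyntax values, eDirectory syntax), from Table A-2.
SYNTAX_MAP = {
    "2.5.5.1": ({127}, "SYN_DIST_NAME"),     "2.5.5.2": ({6}, "SYN_CI_STRING"),
    "2.5.5.3": ({27}, "SYN_CI_STRING"),      "2.5.5.4": ({20}, "SYN_CI_STRING"),
    "2.5.5.5": ({19, 22}, "SYN_PR_STRING/SYN_CE_STRING"),
    "2.5.5.6": ({18}, "SYN_NU_STRING"),      "2.5.5.7": ({127}, "SYN_PATH"),
    "2.5.5.8": ({1}, "SYN_BOOLEAN"),         "2.5.5.9": ({2, 10}, "SYN_INTEGER"),
    "2.5.5.10": ({4}, "SYN_OCTET_STRING"),   "2.5.5.11": ({23, 24}, "SYN_TIME"),
    "2.5.5.12": ({64}, "SYN_CI_STRING"),     "2.5.5.13": ({127}, "SYN_OCTET_STRING"),
    "2.5.5.14": ({127}, "SYN_OCTET_STRING"), "2.5.5.15": ({66}, "SYN_OCTET_STRING"),
    "2.5.5.16": ({65}, "SYN_INTEGER64"),     "2.5.5.17": ({4}, "SYN_OCTET_STRING"),
}
# Attributes that Table A-1 marks as mandatory on an attributeSchema object.
MANDATORY = ("cn", "attributeID", "schemaIDGUID", "attributeSyntax",
             "oMSyntax", "isSingleValued", "objectClass", "nTSecurityDescriptor")

def check_attribute_schema(entry):
    """Return the problems found in a candidate entry (dict of attribute -> value)."""
    problems = [f"missing mandatory attribute {n}" for n in MANDATORY if n not in entry]
    oc = entry.get("objectClass", ())  # objectClass is multivalued; accept str or list
    if "attributeSchema" not in (oc if isinstance(oc, (list, tuple, set)) else [oc]):
        problems.append("objectClass must include attributeSchema")
    syntax = SYNTAX_MAP.get(entry.get("attributeSyntax"))
    if syntax is None:
        problems.append(f"unknown attributeSyntax {entry.get('attributeSyntax')!r}")
    elif entry.get("oMSyntax") not in syntax[0]:
        problems.append(f"oMSyntax {entry.get('oMSyntax')} invalid for {entry['attributeSyntax']}")
    if entry.get("systemOnly"):  # Table A-1: never set on a user-defined attribute
        problems.append("user-defined attribute must not set systemOnly")
    lo, hi = entry.get("rangeLower"), entry.get("rangeUpper")
    if lo is not None and hi is not None and lo > hi:
        problems.append("rangeLower is greater than rangeUpper")
    return problems

def link_kind(entry):
    """Classify linkID per Table A-1: even = forward link, odd = back link."""
    link_id = entry.get("linkID")
    if link_id is None:
        return "not linked"
    return "forward link" if link_id % 2 == 0 else "back link"

# Constructed sample: a user-defined, single-valued Unicode attribute (placeholder OID).
SAMPLE = {"cn": "example-Badge-Number", "attributeID": "1.3.6.1.4.1.99999.1.1",
          "schemaIDGUID": b"\x00" * 16, "attributeSyntax": "2.5.5.12", "oMSyntax": 64,
          "isSingleValued": True, "objectClass": ["top", "attributeSchema"],
          "nTSecurityDescriptor": b"", "rangeLower": 1, "rangeUpper": 64}
```

Run `check_attribute_schema(SAMPLE)` on a definition before adding it; an empty list means the entry satisfies the checks above.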
Because eDirectory attributes conflict with DSfW attributes, new attributes and mappings have been introduced. The following table summarizes them.
Table A-3 LDAP Attribute Mapping with eDirectory Attributes

| LDAP Attribute Name | eDirectory Attribute Name |
|---|---|
| homeDirectory | mSDS:HomeDirectory |
| mailRecipient | msds:mailRecipient |
| homePostalAddress | msds:homePostalAddress |
| objectVersion | msds:objectVersion |
| unixHomeDirectory | homeDirectory |
| uid | uniqueID |
The following attributes can be requested in a search query:
allowedAttributes: Returns the list of attributes that can be present on that entry.
allowedAttributesEffective: Returns the list of attributes on that entry that the user (the logged-in entity) can modify.
allowedChildClasses: Returns the list of classes that can be created subordinate to that entry.
allowedChildClassesEffective: Returns the list of classes that the user (the logged-in entity) can create subordinate to that entry.
Table A-4 Attributes of a classSchema Object

| Attribute | Syntax | Description |
|---|---|---|
| cn | Unicode | Descriptive relative distinguished name for the schema object. cn is a mandatory attribute. |
| governsID | Object identifier | Object identifier that uniquely identifies this class. governsID is a mandatory attribute. |
| lDAPDisplayName | Unicode | The name by which LDAP clients identify this class. lDAPDisplayName is a mandatory attribute. |
| schemaIDGUID | String (Octet) | The GUID that uniquely identifies this class. schemaIDGUID is a mandatory (but defaulted) attribute. |
| rDNAttID | Object identifier | The relative distinguished name type of instances of this class (OU, CN). rDNAttID is not a mandatory attribute. |
| subClassOf | Object identifier | The class from which this object inherits attributes. subClassOf is not a mandatory attribute. |
| systemMustContain | Object identifier | The list of mandatory attributes for instances of this class. This list cannot be changed. systemMustContain is not a mandatory attribute. |
| mustContain | Object identifier | The mandatory attributes for instances of this class. mustContain is multivalued but not a mandatory attribute. |
| systemMayContain | Object identifier | The optional attributes for instances of this class. systemMayContain is multivalued but not a mandatory attribute. |
| mayContain | Object identifier | The optional attributes for instances of this class. mayContain is not a mandatory attribute. |
| systemPossSuperiors | Object identifier | The classes that can be parents of this class in the directory hierarchy. After the class is created, this property cannot be changed. systemPossSuperiors is multivalued but not a mandatory attribute. |
| possSuperiors | Object identifier | The classes that can be parents of this class in the directory hierarchy. For an existing classSchema object, values can be added to this property but not removed. possSuperiors is multivalued but not a mandatory attribute. |
| systemAuxiliaryClass | Object identifier | The auxiliary classes from which this class inherits its optional (mayContain) and mandatory (mustContain) attributes. After creation of the class, this property cannot be changed. systemAuxiliaryClass is multivalued but not a mandatory attribute. |
| auxiliaryClass | Object identifier | The auxiliary classes from which this class inherits its optional (mayContain) and mandatory (mustContain) attributes. For an existing classSchema object, values can be added to this property but not removed. auxiliaryClass is multivalued but not a mandatory attribute. |
| defaultHidingValue | BOOL | The default hiding state for the class. If you do not want instances of the class displayed in the New menus of the Active Directory administrative tools, you can define the class as hidden. defaultHidingValue is not a mandatory attribute. |
| defaultSecurityDescriptor | String (Octet) | The default security descriptor for new instances of this class. It is assigned as-is if no security descriptor is specified at creation time, and merged with the specified security descriptor otherwise. defaultSecurityDescriptor is not a mandatory attribute. |
| objectClassCategory | Integer | The class types are defined as follows: objectClassCategory is a mandatory attribute. |
| systemOnly | BOOL | An attribute of a classSchema object. systemOnly is a mandatory attribute. |
| objectClass | Object identifier | This object's class, which is always classSchema. objectClass is a mandatory and multivalued attribute. |
| nTSecurityDescriptor | NT-Sec-Desc | The security descriptor on the classSchema object. nTSecurityDescriptor is not a mandatory attribute. |
| defaultObjectCategory | Distinguished name | The default object category of new instances of this class. If none has been specified, the objectClass value is used. For example, suppose that the objectCategory attribute for inetOrgPerson is set to Person. This has the effect of returning all user, computer, and inetOrgPerson objects when the filter in a query is objectCategory=Person. defaultObjectCategory is a mandatory attribute. |
Because the eDirectory schema conflicts with the DSfW schema, new classes and mappings are introduced. The following table summarizes them:
Table A-5 Attributes for the AttributeSchema Class

| LDAP Classes | eDirectory Classes |
|---|---|
| ndsComputer | Computer |
| computer | mSDS:Computer |
| ndsDmd | dmd |
| dMD | mSDS:DMD |
| ndsServer | server |
| server | mSDS:Server |
| ndsVolume | volume |
| volume | mSDS:Volume |
| organizationalPerson | Organizational Person |
| organizationalUnit | Organizational Unit |
| groupOfNames | Group |
| groupOfUniqueNames | Group |
| inetOrgPerson | User |