Table 10-3 attributeSyntax and oMSyntax combinations (continued from the previous page; only the following fragments survive)
(syntax name truncated)   Case-sensitive string that contains characters from the printable character set
ReplicaLink   attributeSyntax 2.5.5.10   oMSyntax 127   Used by Active Directory internally
(row truncated)   ... identifier (SID)
(row truncated)   ... standards
The searchFlags attribute is a bit flag that defines special properties related to searching with the attribute. Table 10-4 contains the values that can be set for this attribute. The values are cumulative, so to index an attribute and include it in ANR searches you would set a value of 5 (1 + 4).
Table 10-4 searchFlags bit values

Value  Description
1      Index over attribute. See Recipe 10.11 for more information.
2      Index over container and attribute.
4      Include as part of Ambiguous Name Resolution (ANR). Should be used in addition to 1. See Recipe 10.13 for more information.
8      Preserve attribute in tombstone objects.
16     Copy attribute when duplicating an object. See Recipe 10.12 for more information.
32     Create a tuple index for this attribute. This improves the response time for searches that put a wildcard in front of the search string for the attribute (e.g., givenname=*on).
10.7.4 See Also
Recipe 4.12 for setting a bit flag, Recipe 10.9 for adding a new class, and Recipe 10.22 for reloading the schema.
Recipe 10.8 Viewing an Attribute
10.8.1 Problem
You want to view the properties of an attribute
10.8.2 Solution
10.8.2.1 Using a graphical user interface
1 Open the Active Directory Schema snap-in
2 In the left pane, click on the Attributes folder
3 In the right pane, double-click the attribute you want to view
4 Click on each tab to view the available properties
10.8.2.2 Using a command-line interface
In the following command, replace <AttrCommonName> with the common name (not the LDAP display name) of the attribute you want to view:
> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -attr * -filter "(&(objectcategory=attributeSchema)(cn=<AttrCommonName>))"
10.8.2.3 Using VBScript
' This code displays the attributes for the specified attributeSchema object
' Refer to Recipe 4.2 for the DisplayAttributes( ) function code
' - SCRIPT CONFIGURATION -
' Set to the common name (not the LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g., surname
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
objRootDSE.Get("schemaNamingContext"))
objAttr.GetInfo
WScript.Echo "Properties for " & strAttrName & ":"
DisplayAttributes(objAttr.ADsPath)
10.8.3 Discussion
In the CLI and VBScript solutions, I mention that you need to specify the common name, or cn, of the attribute you want to view. The common name is a source of confusion for many people. For example, the surname attribute has the following distinguished name in the rallencorp.com forest:
cn=surname,cn=schema,cn=configuration,dc=rallencorp,dc=com
The problem is that most applications refer to attributes by their LDAP display name, as defined in the lDAPDisplayName attribute of the attributeSchema object, which is typically different from the cn attribute. As an example, the surname attribute uses surname for its common name (cn), but sn for its LDAP display name (lDAPDisplayName).
In the CLI solution, if you want to use the LDAP display name instead of cn, simply change (cn=<AttrCommonName>) to (lDAPDisplayName=<AttrLDAPName>). In the VBScript solution, it is not that simple. When using cn, we can call GetObject because we know the DN of the attributeSchema object. If you want to use the lDAPDisplayName attribute instead, you'll need to do an ADO query with search criteria similar to those in the CLI solution, since the display name does not appear in the DN.
One attribute of note that is defined on attributeSchema objects is the systemFlags bit flag, which is used to define a few miscellaneous properties of an attribute. Table 10-5 contains the bits associated with systemFlags. The values are cumulative, so a value of 17 (1 + 16) would indicate that the attribute is part of the base Active Directory installation and is not replicated.
Table 10-5 systemFlags bit values

Value  Description
1      Not replicated among domain controllers.
4      Dynamically constructed by Active Directory.
16     Part of the base Active Directory installation. This value cannot be set.
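The following is an added example, not code from the book, showing how the cn-versus-lDAPDisplayName lookup problem from this discussion is handled in PowerShell: a single LDAP search resolves either spelling (so both surname and sn return the same attributeSchema object), and the searchFlags and systemFlags values are decoded with the bit names from Tables 10-4 and 10-5. It assumes the RSAT ActiveDirectory module is installed and that you can read the schema partition (no special group membership is needed to read it); it writes nothing. The helper names (Get-SchemaAttribute, ConvertFrom-BitFlag, ConvertTo-LdapFilterValue) are this example's own. The attribute name is escaped per RFC 4515 before it is placed in the filter, so a name taken from user input cannot change the meaning of the query.

```powershell
# Added example (not from the Active Directory Cookbook): view an attributeSchema
# object by cn or lDAPDisplayName and decode its bit-flag attributes.
Import-Module ActiveDirectory

# Bit names from Table 10-4 (searchFlags) and Table 10-5 (systemFlags).
$SearchFlagBits = [ordered]@{ 1 = 'Indexed'; 2 = 'IndexedPerContainer'; 4 = 'ANR'
                              8 = 'PreserveOnTombstone'; 16 = 'CopyOnDuplicate'; 32 = 'TupleIndex' }
$SystemFlagBits = [ordered]@{ 1 = 'NotReplicated'; 4 = 'Constructed'; 16 = 'BaseSchema' }

function ConvertFrom-BitFlag {
    # Decode an integer bit flag into the names of the bits that are set. Any bit the
    # table does not name is reported as Unknown(0x..) instead of being dropped.
    param([int]$Value, [System.Collections.IDictionary]$Map)
    $names = [System.Collections.Generic.List[string]]::new()
    $known = 0
    foreach ($bit in $Map.Keys) {
        $known = $known -bor $bit
        if ($Value -band $bit) { $names.Add($Map[$bit]) }
    }
    $unknown = $Value -band (-bnot $known)
    if ($unknown -ne 0) { $names.Add(('Unknown(0x{0:X})' -f $unknown)) }
    if ($names.Count -eq 0) { return 'None' }
    return ($names -join ', ')
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a name taken from user input cannot alter the filter.
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-SchemaAttribute {
    # Resolve an attributeSchema object by cn OR lDAPDisplayName. Only the cn appears
    # in the DN, so a lookup by LDAP display name has to be a search (the ADO query
    # the discussion mentions); one filter handles both spellings.
    param([Parameter(Mandatory)][string]$Name)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $safe     = ConvertTo-LdapFilterValue $Name
    $filter   = "(&(objectCategory=attributeSchema)(|(cn=$safe)(lDAPDisplayName=$safe)))"
    $props    = 'cn', 'lDAPDisplayName', 'attributeID', 'attributeSyntax', 'oMSyntax',
                'isSingleValued', 'searchFlags', 'systemFlags'
    $found = @(Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel -LDAPFilter $filter -Properties $props)
    if ($found.Count -eq 0) { throw "No attributeSchema object has cn or lDAPDisplayName '$Name'" }
    foreach ($attr in $found) {
        [pscustomobject]@{
            CN                = $attr.cn
            LDAPDisplayName   = $attr.lDAPDisplayName
            DistinguishedName = $attr.DistinguishedName
            AttributeID       = $attr.attributeID
            Syntax            = '{0} / oMSyntax {1}' -f $attr.attributeSyntax, $attr.oMSyntax
            SingleValued      = [bool]$attr.isSingleValued
            # A flag that was never set comes back $null; [int]$null is 0.
            SearchFlags       = '{0} ({1})' -f [int]$attr.searchFlags, (ConvertFrom-BitFlag ([int]$attr.searchFlags) $SearchFlagBits)
            SystemFlags       = '{0} ({1})' -f [int]$attr.systemFlags, (ConvertFrom-BitFlag ([int]$attr.systemFlags) $SystemFlagBits)
        }
    }
}

# Both names resolve to the same object: cn=Surname, lDAPDisplayName=sn.
Get-SchemaAttribute -Name 'surname'
Get-SchemaAttribute -Name 'sn'
```

The decoder deliberately reports bits that the tables do not name rather than hiding them: a schema that has been extended by newer Windows versions or third-party products can carry searchFlags values outside the six bits listed here, and a reader auditing the schema should see that explicitly.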
10.8.4 See Also
Recipe 4.2 for viewing the attributes of an object and Recipe 4.9 for searching with a bit-wise filter
Recipe 10.9 Adding a New Class
10.9.1 Problem
You want to add a new class to the schema
10.9.2 Solution
For Windows 2000 Active Directory you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.
10.9.2.1 Using a graphical user interface
1 Open the Active Directory Schema snap-in
2 In the left pane, right-click on the Classes folder and select Create Class
3 Click the Continue button to confirm that you want to extend the schema
4 Enter the information for the new class and click Next
5 Enter any mandatory and optional attributes and click Finish
10.9.2.2 Using a command-line interface
You can create new classes by using ldifde and an LDIF file that contains the properties to be
set on the class The following text shows an example LDIF file called create_class.ldf that
creates a class called rallencorp-SalesUser:
dn: cn=rallencorp-SalesUser,cn=schema,cn=configuration,<ForestRootDN>
changetype: add
objectclass: classSchema
lDAPDisplayName: rallencorp-SalesUser
governsId: 1.3.6.1.4.1.999.1.1.28.4
objectClassCategory: 3
subClassOf: top
description: Auxiliary class for Sales user attributes
adminDescription: Auxiliary class for Sales user attributes
mayContain: rallencorp-Building
mayContain: rallencorp-Theatre
Then run the following command:
> ldifde -v -i -f create_class.ldf
10.9.2.3 Using VBScript
' This code creates a class in the schema called rallencorp-SalesUser
' It is assumed that the script is being run by a member of Schema Admins
set objRootDSE = GetObject("LDAP://RootDSE")
set objSchemaCont = GetObject("LDAP://" & _
objRootDSE.Get("schemaNamingContext") )
set objClass = objSchemaCont.Create("classSchema", _
"cn=rallencorp-SalesUser")
objClass.Put "lDAPDisplayName", "rallencorp-SalesUser"
objClass.Put "governsId", "1.3.6.1.4.1.999.1.1.28.4"
objClass.Put "objectClassCategory", 3
objClass.Put "subClassOf", "top"
objClass.Put "adminDescription", "Auxiliary class for Sales user attributes"
objClass.Put "mayContain", Array("rallencorp-Building","rallencorp-Theatre")
objClass.SetInfo
WScript.Echo "Class created"
10.9.3 Discussion
To create a new class, you need to create a classSchema object in the Schema container. The important attributes to set include:
governsId
Defines the OID for the class
objectClassCategory
Defines the class type
subClassOf
Defines the parent class
mayContain and mustContain
Defines any optional and mandatory attributes for instantiated objects of the class
The lDAPDisplayName also needs to be set and, as a general rule, should be equal to the common name (cn). Even though many of the default classes do not use the same name for the common name and LDAP display name, using the same name is highly recommended to avoid confusion when referencing the class. Another best practice is to set the schemaIDGUID of the class explicitly, which is especially important if you are doing anything with extended rights, since the GUID is what access-control entries refer to. The See Also section contains references to recipes that cover some of these topics in more depth.
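As an added example (not the book's code), here is the same rallencorp-SalesUser auxiliary class created with the ActiveDirectory PowerShell module instead of ldifde or ADSI. It follows the discussion's advice: cn and lDAPDisplayName are the same string, schemaIDGUID is generated and set up front, the write is sent to the schema master explicitly, the mayContain attributes are checked to exist before the class is created, and the schema cache is reloaded afterwards (Recipe 10.22). It assumes the RSAT ActiveDirectory module, membership in Schema Admins, that the OID 1.3.6.1.4.1.999.1.1.28.4 is under a prefix you actually own (999 is the book's placeholder enterprise number; see Recipe 10.3), and that rallencorp-Building and rallencorp-Theatre were created earlier as attributes. The function name New-SchemaAuxiliaryClass is this example's own. Schema objects can never be deleted, only made defunct, so run this with -WhatIf first and test in a lab forest.

```powershell
# Added example (not from the Active Directory Cookbook): create an auxiliary
# classSchema object with New-ADObject, targeting the schema master.
Import-Module ActiveDirectory

function New-SchemaAuxiliaryClass {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Used for both cn and lDAPDisplayName. The pattern enforces the rules for an
        # LDAP display name and keeps the value safe to embed in an LDAP filter.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')][string]$Name,
        [Parameter(Mandatory)][ValidatePattern('^\d+(\.\d+)+$')][string]$GovernsId,
        [Parameter(Mandatory)][string]$Description,
        [string[]]$MayContain  = @(),
        [string[]]$MustContain = @()
    )
    $schemaMaster = (Get-ADForest).SchemaMaster        # schema writes are only accepted here
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $lookup       = @{ Server = $schemaMaster; SearchBase = $schemaNC; SearchScope = 'OneLevel' }

    # Fail early with a clear message if cn or lDAPDisplayName is already in use.
    $taken = Get-ADObject @lookup -LDAPFilter "(|(cn=$Name)(lDAPDisplayName=$Name))"
    if ($taken) { throw "Schema object '$Name' already exists: $($taken.DistinguishedName)" }

    # Every mayContain/mustContain value must be the lDAPDisplayName of an existing attribute.
    foreach ($a in ($MayContain + $MustContain)) {
        $exists = Get-ADObject @lookup -LDAPFilter "(&(objectCategory=attributeSchema)(lDAPDisplayName=$a))"
        if (-not $exists) { throw "Attribute '$a' does not exist in the schema; create it first (Recipe 10.7)" }
    }

    $attrs = @{
        lDAPDisplayName     = $Name
        governsId           = $GovernsId
        objectClassCategory = 3                                   # 3 = auxiliary class (Recipe 10.17)
        subClassOf          = 'top'
        schemaIDGUID        = [guid]::NewGuid().ToByteArray()     # octet string, set explicitly
        adminDescription    = $Description
    }
    if ($MayContain)  { $attrs.mayContain  = $MayContain }
    if ($MustContain) { $attrs.mustContain = $MustContain }

    if ($PSCmdlet.ShouldProcess("cn=$Name,$schemaNC", 'Create classSchema object')) {
        New-ADObject -Server $schemaMaster -Name $Name -Type classSchema -Path $schemaNC `
                     -Description $Description -OtherAttributes $attrs
        # Rebuild the schema cache on the schema master now rather than waiting for the
        # periodic refresh (Recipe 10.22); other DCs learn the class through replication.
        $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
        $rootDse.Put('schemaUpdateNow', 1)
        $rootDse.SetInfo()
        Write-Verbose "Created cn=$Name,$schemaNC on $schemaMaster"
    }
}

# Preview, then create.
$params = @{
    Name        = 'rallencorp-SalesUser'
    GovernsId   = '1.3.6.1.4.1.999.1.1.28.4'
    Description = 'Auxiliary class for Sales user attributes'
    MayContain  = 'rallencorp-Building', 'rallencorp-Theatre'
}
New-SchemaAuxiliaryClass @params -WhatIf
New-SchemaAuxiliaryClass @params -Verbose
```

Generating the schemaIDGUID client-side means you know the value before the class exists, which matters when the same extension is deployed to several forests: reuse one fixed GUID per class across forests so that any extended-rights or property-set ACEs you ship with the extension refer to the same identifier everywhere.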
10.9.4 See Also
Introduction in Chapter 10 for attributes of classSchema objects, Recipe 10.3 for generating an OID, Recipe 10.4 for generating a GUID, Recipe 10.17 for more on object class type, Recipe 10.19 for setting the default security for a class, and Recipe 10.22 for reloading the schema cache
Recipe 10.10 Viewing a Class
10.10.1 Problem
You want to view the attributes of a class
10.10.2 Solution
10.10.2.1 Using a graphical user interface
1 Open the Active Directory Schema snap-in
2 In the left pane, click on the Classes folder
3 In the right pane, double-click the class you want to view
4 Click on each tab to view the available properties
10.10.2.2 Using a command-line interface
In the following command, replace <ClassCommonName> with the common name (not LDAP display name) of the class you want to view:
> dsquery * cn=<ClassCommonName>,cn=schema,cn=configuration,<ForestRootDN> -scope base -attr *
10.10.2.3 Using VBScript
' This code prints out the attributes for the specified class
' Refer to Recipe 4.2 for the DisplayAttributes( ) function code
' - SCRIPT CONFIGURATION -
' Set to the common name (not the LDAP display name)
' of the class you want to view
strClassName = "<ClassCommonName>" ' e.g., user
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objClass = GetObject("LDAP://cn=" & strClassName & "," & _
objRootDSE.Get("schemaNamingContext"))
objClass.GetInfo
WScript.Echo "Properties for " & strClassName & ":"
DisplayAttributes(objClass.ADsPath)
10.10.3 Discussion
See Table 10-1 for a list of the important classSchema attributes and their descriptions
10.10.4 See Also
Recipe 4.2 for viewing the attributes of an object
Recipe 10.11 Indexing an Attribute
10.11.1 Problem
You want to index an attribute so that searches using that attribute are faster
10.11.2 Solution
For Windows 2000 Active Directory you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.
10.11.2.1 Using a graphical user interface
1 Open the Active Directory Schema snap-in
2 In the left pane, click on the Attributes folder
3 In the right pane, double-click the attribute you want to index
4 Check the box beside Index this attribute in the Active Directory
5 Click OK
10.11.2.2 Using a command-line interface
You can index an attribute by using the ldifde utility and an LDIF file that contains the following:
dn: cn=<AttrCommonName>,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: searchFlags
searchFlags: 1
-
If the LDIF file were named index_attribute.ldf, you would run the following command:
> ldifde -v -i -f index_attribute.ldf
10.11.2.3 Using VBScript
' This code indexes an attribute
' - SCRIPT CONFIGURATION -
' Set to the common name (not LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g., rallencorp-LanguagesSpoken
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
objRootDSE.Get("schemaNamingContext"))
objAttr.Put "searchFlags", 1
objAttr.SetInfo
WScript.Echo "Indexed attribute: " & strAttrName
The CLI and VBScript solutions assume that searchFlags wasn't previously set and blindly overwrite whatever value is present, clearing any other bits (such as 16, copy on duplicate) that were already set. See Recipe 4.12 for a better solution that enables the bit you want without overwriting any previous settings.
10.11.3 Discussion
To index an attribute, you need to enable the 1 bit (0001) in the searchFlags attribute of the attributeSchema object.
searchFlags is a bit flag attribute that is used to set various properties related to searching with the attribute. Table 10-4 contains the various bit flags that can be set with searchFlags. When setting searchFlags, you may often need to set a couple of bits together. For example, all Ambiguous Name Resolution (ANR) attributes must also be indexed, which means searchFlags should be set to 5 (1 + 4).
You can find the attributes that are indexed in the schema by using the following search criteria:
Base
cn=Schema,cn=Configuration,<ForestRootDN>
Filter
(&(objectcategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))
Scope
onelevel
Alternatively, to find attributes that aren't indexed, change the previous search filter to the following:
(&(objectcategory=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=1)))
10.11.4 See Also
Recipe 4.12 for modifying a bit-flag attribute, Recipe 10.7 for adding a new attribute, and MS
KB 243311 (Setting an Attribute's searchFlags Property to Be Indexed for ANR)
Recipe 10.12 Modifying the Attributes That Are Copied When Duplicating a User
10.12.1 Problem
You want to add an attribute to the list of attributes that are copied when duplicating a user with the Active Directory Users and Computers snap-in
10.12.2 Solution
For Windows 2000 Active Directory you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.
10.12.2.1 Using a graphical user interface
1 Open the Active Directory Schema snap-in
2 In the left pane, click on the Attributes folder
3 In the right pane, double-click the attribute you want to edit
4 Check the box beside Attribute is copied when duplicating a user
5 Click OK
10.12.2.2 Using a command-line interface
You can cause an attribute to get copied when duplicating a user by using the ldifde utility and
an LDIF file that contains the following:
dn: cn=rallencorp-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: searchFlags
searchFlags: 16
-
If the LDIF file were named add_dup_user_attr.ldf, you would run the following command:
> ldifde -v -i -f add_dup_user_attr.ldf
10.12.2.3 Using VBScript
' This code adds an attribute to the list of attributes that get
' copied when duplicating a user
' - SCRIPT CONFIGURATION -
' Set to the common name (not the LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g., rallencorp-LanguagesSpoken
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
objRootDSE.Get("schemaNamingContext"))
objAttr.Put "searchFlags", 16
objAttr.SetInfo
WScript.Echo "New copied attribute: " & strAttrName
The CLI and VBScript solutions assume that searchFlags wasn't previously set and blindly overwrite whatever value is present, which would remove an existing index (bit 1) or ANR membership (bit 4). See Recipe 4.12 for a better solution that enables the bit you want without overwriting any previous settings.
10.12.3 Discussion
The Active Directory Users and Computers snap-in queries the schema for the list of attributes that should be copied whenever you right-click on a user and select Copy. This flag is purely informational and does not impose any restrictions or have any impact on the DIT, as indexing an attribute does.
To find which attributes are copied when duplicating a user, use the following search criteria:
Base
cn=Schema,cn=Configuration,<ForestRootDN>
Filter
(&(objectcategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=16))
Scope
onelevel
Alternatively, to find attributes that aren't copied, change the search filter above to the following:
(&(objectcategory=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=16)))
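The following added example (not the book's code) does for Recipes 10.11 and 10.12, and for the ANR bit that Recipe 10.13 sets, what the LDIF and VBScript solutions above do not: it reads the current searchFlags value, ORs in (or with -Clear, masks out) a single bit, and writes the result back only if it changed, so an existing index or copy-on-duplicate setting survives. It refuses to produce a value with ANR (4) but without the index bit (1), and it includes the bitwise searches from the two discussions using the 1.2.840.113556.1.4.803 (bit-AND) matching rule. It assumes the RSAT ActiveDirectory module, membership in Schema Admins, and that rallencorp-LanguagesSpoken is an attribute you created in Recipe 10.7; the function names Set-SchemaSearchFlagBit and Get-AttributesBySearchFlag are this example's own.

```powershell
# Added example (not from the Active Directory Cookbook): set or clear one searchFlags
# bit without disturbing the others, and enumerate attributes by bit.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster          # schema writes are only accepted here
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$schemaQuery  = @{ Server = $schemaMaster; SearchBase = $schemaNC; SearchScope = 'OneLevel' }

function Set-SchemaSearchFlagBit {
    # Read-modify-write of searchFlags (the approach Recipe 4.12 describes). The LDIF
    # "replace: searchFlags" in the recipes writes an absolute value instead.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')][string]$Name,  # cn or lDAPDisplayName
        [Parameter(Mandatory)][ValidateSet(1, 2, 4, 8, 16, 32)][int]$Bit,                 # Table 10-4
        [switch]$Clear
    )
    $filter = "(&(objectCategory=attributeSchema)(|(cn=$Name)(lDAPDisplayName=$Name)))"
    $found  = @(Get-ADObject @schemaQuery -LDAPFilter $filter -Properties lDAPDisplayName, searchFlags)
    if ($found.Count -ne 1) { throw "Expected exactly one attributeSchema object for '$Name', found $($found.Count)" }
    $attr    = $found[0]
    $current = [int]$attr.searchFlags                 # never set -> $null -> 0
    $new     = if ($Clear) { $current -band (-bnot $Bit) } else { $current -bor $Bit }

    # Table 10-4: ANR entries must also be indexed, so never write 4 without 1.
    if (($new -band 4) -and -not ($new -band 1)) {
        throw "searchFlags $new would enable ANR (4) without the index bit (1); index the attribute first"
    }
    if ($new -eq $current) { Write-Verbose "searchFlags on $($attr.lDAPDisplayName) already $current"; return }

    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, "searchFlags $current -> $new")) {
        Set-ADObject -Server $schemaMaster -Identity $attr -Replace @{ searchFlags = $new }
    }
}

function Get-AttributesBySearchFlag {
    # Attributes whose searchFlags contains every bit in $Mask, or with -Not, those
    # that do not (which includes attributes where searchFlags was never set).
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
    param([Parameter(Mandatory)][int]$Mask, [switch]$Not)
    $test = "(searchFlags:1.2.840.113556.1.4.803:=$Mask)"
    if ($Not) { $test = "(!$test)" }
    Get-ADObject @schemaQuery -LDAPFilter "(&(objectCategory=attributeSchema)$test)" -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags |
        Sort-Object lDAPDisplayName
}

# Recipe 10.11: index the attribute, previewing the write first.
Set-SchemaSearchFlagBit -Name 'rallencorp-LanguagesSpoken' -Bit 1 -WhatIf
Set-SchemaSearchFlagBit -Name 'rallencorp-LanguagesSpoken' -Bit 1 -Verbose
# Recipe 10.12: copy when duplicating a user; the index bit is left in place.
Set-SchemaSearchFlagBit -Name 'rallencorp-LanguagesSpoken' -Bit 16
# Recipe 10.13: ANR; throws if the attribute is not already indexed.
Set-SchemaSearchFlagBit -Name 'rallencorp-LanguagesSpoken' -Bit 4
# The bitwise searches from the discussions.
Get-AttributesBySearchFlag -Mask 1          # indexed attributes
Get-AttributesBySearchFlag -Mask 16 -Not    # attributes not copied on duplicate
```

Two operational notes. The new searchFlags value takes effect on each domain controller only after its schema cache is refreshed (automatically within a few minutes, or immediately via schemaUpdateNow as in Recipe 10.22), and each DC then builds the index locally, so a new index or tuple index on a populated attribute shows up as extra CPU and DIT growth on every DC in the forest at about the same time; schedule it accordingly. And because a schema change replicates forest-wide and the searchFlags write is the only thing standing between a mistake and a forest-wide index rebuild, keep the -WhatIf run in any change procedure.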
10.12.4 See Also
Recipe 4.12 for modifying a bit flag attribute and Recipe 10.7 for adding a new attribute
Recipe 10.13 Modifying the Attributes Included with Ambiguous Name Resolution
10.13.1 Problem
You want to modify the attributes that are included as part of ANR
10.13.2 Solution
For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.
10.13.2.1 Using a graphical user interface
1 In order to proceed, you must have first indexed the attribute
2 Open the Active Directory Schema snap-in
3 In the left pane, click on the Attributes folder
4 In the right pane, double-click the attribute you want to edit
5 Check the box beside ANR
6 Click OK
10.13.2.2 Using a command-line interface
You can include an attribute as part of ANR by using the ldifde utility and an LDIF file that contains the following:
dn: cn=rallencorp-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: searchFlags
searchFlags: 5
-
If the LDIF file were named add_anr_attr.ldf, you would run the following command:
> ldifde -v -i -f add_anr_attr.ldf
10.13.2.3 Using VBScript
' This code will make an attribute part of the ANR set
' - SCRIPT CONFIGURATION -
' Set to the common name (not the LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g., rallencorp-LanguagesSpoken
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
objRootDSE.Get("schemaNamingContext"))
' 5 = indexed (1) + ANR (4); ANR attributes must also be indexed
objAttr.Put "searchFlags", 5
objAttr.SetInfo