
ADAM: Using a custom attribute for the rDnAttId for a class?

273 views

Michael Herman (Parallelspace)

Dec 1, 2004, 2:44:21 PM
We're having trouble trying to use a custom unicode string attribute as the
rDnAttId for our custom AD classes.

We need to use an rDnAttId attribute that is a string at least 92 characters
long; CN is too short (64 chars). Can an attribute other than the "famous
five" be used for the rDnAttId attribute for a class?

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/characteristics_of_object_classes.asp?frame=true
states fairly clearly (but not absolutely) that:
<quote>
[rDnAttId] identifies the naming attribute, which is the attribute that
provides the RDN for this class - if different than the default (cn). Use of
a naming attribute other than cn is discouraged. Naming attributes should be
drawn from the well-known set (OU, CN, O, L, and DC) that is understood by
all LDAP version 3 clients. For more information, see Object Names and
Identities and Syntaxes for Active Directory Attributes. A naming attribute
must have the Directory String syntax. For more information, see Syntaxes
for Active Directory Attributes.
</quote>

L has an upperRange of 128 and DC, 255. We could use one of these but the
semantics wouldn't be correct. (We're trying to use Exchange public folder
EntryID values for our RDNs and as hex strings, they're 92 characters long.)

Suggestions? Should we just use DC to store these EntryIDs (when we want to
also use the attribute value as the class RDN)?

Thanks,
Michael.
--
Michael Herman
Parallelspace Corporation
Developers of Advanced Business Collaboration Solutions for Microsoft
SharePoint, Microsoft Live Communications Server, Active Directory and
Groove Workspace
Portal and Content Migration Specialists:
http://www.parallelspace.net/sharepoint
SharePoint Migration Knowledge Center:
http://groups.yahoo.com/group/sharepointmigration

Lee Flight

Dec 1, 2004, 4:37:22 PM
The InetOrgPerson (userid) uid attribute is another common naming
attribute, I think some schema have that with syntax Directory String and
length 255. So using such an attribute for rDnAttId is not without
precedent.

I am not sure if attribute length poses any issues for indexing, if
required, in AD/ADAM.

Lee Flight

"Michael Herman (Parallelspace)"
<mwherman@parallelspace.$nospam$.net.$please$> wrote in message
news:uF$56491E...@TK2MSFTNGP10.phx.gbl...

Dmitri Gavrilov [MSFT]

Dec 1, 2004, 5:52:35 PM
It is supported to define a custom RDN attribute for your class. However, it
should be done at class creation time, and the attribute must satisfy some
specific constraints. Which error(s) do you get when you attempt to create
the class? Also, please post the ldifde definition of both rdn attribute and
the class you are attempting to create.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Michael Herman (Parallelspace)"
<mwherman@parallelspace.$nospam$.net.$please$> wrote in message
news:uF$56491E...@TK2MSFTNGP10.phx.gbl...

Michael Herman (Parallelspace)

Dec 1, 2004, 8:41:24 PM
Thanks Lee ... but I couldn't find anywhere where uid is used as an RDN?

Michael.

"Lee Flight" <l...@le.ac.uk-nospam> wrote in message
news:OFMN33%231EH...@TK2MSFTNGP15.phx.gbl...

Lee Flight

Dec 2, 2004, 11:56:29 AM
Hi,

I believe I have seen some examples based on the OpenLDAP core schema
and InetOrgPerson schema that had UID as an rdn.

FWIW
Below is an ad hoc class testClass1 that has an attribute employeeNumber1
as the rDNAttID.
The attribute has syntax 2.5.5.12 [Unicode string (directory string)]
and it is singleValued. The class has the attribute as a systemMustContain.
The class inherits directly from Top which might not be very realistic,
you would need to watch for inheriting potentially confusing mustContains
e.g. cn.

I have never used this in production but it seems to work in a test setup.
If you went down this route you would need to bear in mind the
recommendation from MSDN that you quoted about whether LDAPv3
clients could handle this form of RDN.

Hopefully Dmitri will point out anything that might be missing or just
tell you not to use it :)

Hope this helps
Lee Flight


# sample ldif
dn: CN=Employee-Number1,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: Employee-Number1
attributeID: 1.2.840.113556.1.2.610.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 1
rangeUpper: 512
showInAdvancedViewOnly: TRUE
adminDisplayName: Employee-Number1
adminDescription: Employee-Number1
oMSyntax: 64
searchFlags: 0
lDAPDisplayName: employeeNumber1
systemOnly: FALSE


# empty DN addresses the rootDSE; schemaUpdateNow forces a schema cache reload
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Classes


dn: CN=testClass1,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: top
objectClass: classSchema
cn: testClass1
possSuperiors: domainDNS
possSuperiors: organizationalUnit
possSuperiors: container
subClassOf: top
governsID: 2.16.840.1.113730.3.2.2.1
rDNAttID: employeeNumber1
showInAdvancedViewOnly: FALSE
adminDisplayName: testClass1
objectClassCategory: 1
lDAPDisplayName: testClass1
name: testClass1
systemOnly: FALSE
systemMustContain: employeeNumber1
defaultHidingValue: FALSE
defaultObjectCategory: CN=testClass1,CN=Schema,CN=Configuration,DC=X

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

"Michael Herman (Parallelspace)"
<mwherman@parallelspace.$nospam$.net.$please$> wrote in message
news:eF2vcAB2...@TK2MSFTNGP10.phx.gbl...

Michael Herman (Parallelspace)

Dec 4, 2004, 11:07:24 AM
Thanks Dmitri and Lee,

We found the issue with our RDN attribute: in MAPI, an EntryID is a binary
object and through an automated translation we wrote, in AD, the EntryIDs
became Octet Strings and not Unicode Strings.

Changing the EntryID attribute declarations from Octet Strings to Unicode
Strings fixed the problem.

Cheers,
Michael.

--
Michael Herman
Parallelspace Corporation
Developers of Advanced Business Collaboration Solutions for Microsoft
SharePoint, Microsoft Live Communications Server, Active Directory and
Groove Workspace
Portal and Content Migration Specialists:
http://www.parallelspace.net/sharepoint
SharePoint Migration Knowledge Center:
http://groups.yahoo.com/group/sharepointmigration


"Dmitri Gavrilov [MSFT]" <dmi...@online.microsoft.com> wrote in message
news:OaTi0h$1EHA...@TK2MSFTNGP09.phx.gbl...
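A check for the constraints this thread turns on, added here as an example (not code from the thread, from Microsoft, or from any poster): it parses a schema LDIF fragment and reports whether a class's rDNAttID is a single-valued Directory String attribute, long enough for the intended RDN values, and listed in the class's must-contain set. The sample LDIF is constructed from Lee's attribute/class pair; the Octet String variant (attributeSyntax 2.5.5.10, oMSyntax 4) reproduces the declaration mistake Michael found.

```python
# Added example, not code from the thread: validate a class's rDNAttID against the
# constraints discussed above (Directory String, single-valued, long enough, in must-contain).
def parse_ldif(text):
    """Minimal LDIF reader: one dict per record, {attribute.lower(): [values]}."""
    records = []
    for block in filter(str.strip, text.split("\n\n")):
        rec = {}
        for line in block.splitlines():
            if line and not line.startswith("#") and line != "-":
                key, _, val = line.partition(":")
                rec.setdefault(key.strip().lower(), []).append(val.strip())
        records.append(rec)
    return records

def check_rdn_attr(ldif_text, class_name, min_len):
    """Return the problems with class_name's naming attribute; [] means it passes."""
    def first(rec, key, default=""):
        return rec.get(key, [default])[0]
    by_name = {first(r, "ldapdisplayname").lower(): r for r in parse_ldif(ldif_text)}
    cls = by_name.get(class_name.lower())
    if cls is None:
        return [f"class {class_name} not found"]
    rdn = first(cls, "rdnattid", "cn")  # AD names objects by cn unless rDNAttID says otherwise
    attr = by_name.get(rdn.lower())
    if attr is None:
        return [f"rDNAttID {rdn} is not defined in this LDIF"]
    must = {v.lower() for k in ("mustcontain", "systemmustcontain") for v in cls.get(k, [])}
    checks = [
        ((first(attr, "attributesyntax"), first(attr, "omsyntax")) == ("2.5.5.12", "64"),
         f"{rdn}: naming attribute must be Directory String (2.5.5.12, oMSyntax 64)"),
        (first(attr, "issinglevalued").upper() == "TRUE", f"{rdn}: must be single-valued"),
        (int(first(attr, "rangeupper", "0")) >= min_len, f"{rdn}: rangeUpper below {min_len}"),
        (rdn.lower() in must, f"{rdn}: missing from mustContain/systemMustContain of {class_name}"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: Lee's attribute/class pair, cut down to the fields the check reads.
GOOD_LDIF = """\
lDAPDisplayName: employeeNumber1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
rangeUpper: 512

lDAPDisplayName: testClass1
rDNAttID: employeeNumber1
systemMustContain:employeeNumber1
"""
# Constructed: the same attribute declared as Octet String (2.5.5.10 / oMSyntax 4), Michael's bug.
BAD_LDIF = GOOD_LDIF.replace("2.5.5.12", "2.5.5.10").replace("oMSyntax: 64", "oMSyntax: 4")
```

Running `check_rdn_attr(GOOD_LDIF, "testClass1", 92)` returns an empty list, while the Octet String variant is rejected on syntax alone; raising the required length past rangeUpper flags the length problem Michael's 92-character EntryIDs would have hit with cn.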
