Re: [ActiveDir] List Attribute Syntaxes?
Hi Joe,

Actually I think my terminology is a little off. From snooping around a bit I think I want the attributeSchema information under CN=Schema,CN=Configuration,DC=example,DC=com. What I was thinking of originally are the attribute syntax definitions like:

    ( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

But it's clear now that AD doesn't really use these textual definitions (at least not anywhere I can see).

Anyway, the overall objective here is to give my custom LDAP client API intelligence (see previous post about scripting language binding) about attributeSchema information so that the API can properly type attribute values. In particular I need to create a table of at least lDAPDisplayName, isSingleValued, and attributeSyntax. This table will be consulted by the API to determine how to compare and present values, whether they be binary, multivalued, strings, etc. To make it efficient I will need an index which will be just a hashmap where the lDAPDisplayName is the key and the attributeSchema entry is the datum. Additionally the attributeSyntax value should be one of several predefined OID constants (e.g. ADSTYPE_CASE_IGNORE_STRING) so that attributeSyntaxes can be compared logically.

Does any of this make sense? I suppose you don't get a little programmer double talk here :-)

Mike

On Fri, 20 Oct 2006 23:50:03 -0400 joe [EMAIL PROTECTED] wrote:

First off... anything you do with LDIF will be an LDAP query... It speaks pure LDAP.

Next off, if I understand what you are asking, yes, you query the schema and you can find all attribute syntaxes assigned, it won't tell you what they are, but you will know all in use. Multivalue status has nothing to do with attribute syntax, that is separate. Whether something is binary or text depends on what you ask for and how you ask for it. You can ask for anything to come back in a binary format with the standard LDAP binary modifier. What that exactly means though depends on the attribute; asking, for instance, for a unicode text field in binary really isn't going to look all that different to you either way. But asking for say one of the replication attributes will result in dramatically different results being returned.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] List Attribute Syntaxes?
Are you maybe looking for the extendedAttributeInfo of the Aggregate object from the schema? That is the closest thing to that format in AD that I am aware of.

AD's schema is entirely within the LDAP directory and is readable directly with LDAP, there is no need to go to extra files etc. The downside is that the schema doesn't tell the whole story unfortunately. For instance, the description attribute is multivalued, but on certain SAM type objects the SAM enforces that attribute to be single valued. Try it, add values to description on say an OU and then on a user. One allows it, one throws an error.

Another issue is that there is no easy way to determine what attributes are say GUIDs. I have come up with a mechanism in AdFind to do that programmatically but that is far from 100%, I sometimes treat things as GUIDs that aren't. But it is far better than having to maintain a list in my eyes which I initially did, then I started getting quite a few emails from folks who wanted me to add their custom GUID attributes to the decoding. There are other items such as rangeupper saying one thing in the schema and being something else due to SAM, etc.

The attributeSyntaxes combined with the oMSyntax is what you want to mostly look at for handling attributes. See

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/syntaxes.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/choosing_a_syntax.asp

And actually overall reading everything under the following link will probably be helpful

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp

There isn't a lot of programmer talk on this list but the list has some extremely high powered programming resources available here both from inside and outside of Microsoft and in native and .NET topics. There are also quite a few non-programmer resources (or maybe they programmed in the past but don't any longer) that can lend great insight into the products overall and their experiences with folks who do write code and where they may want to reconsider.

My overall posting recommendation would be to try and keep questions focused to very tight specific scopes; the bigger the scope and question, the more likely people are not going to respond because they either don't want to tackle something so large in scope or their response needs to be so big it isn't worth their time or maybe something is so big they just don't have time to read it. It could be that there is concern that if a problem can't be summed up in a short space, the poster may not actually have an understanding of the problem and is fishing and hoping someone reads through all of the chaff to come out with the actual problem. That does happen and the answers do come out, but I think the number of respondents and sometimes the quality can be impacted.

I know when I walk through the newsgroups and this list looking for posts to respond to, if someone has more than one or two small paragraphs, unless they completely hook me with the subject or the first paragraph I won't read it and just move on to something else. Subject is the #1 thing I look at and that tells me which messages to even open, then it is how long it is. I usually do newsgroups and listservs in short bursts of time between other things, so anything that can be read, understood, and responded to quickly is what I tend to go after. My responses are often long but that is simply because I type rather quickly. If I was slower at it, I would respond a lot less. There are others that even though they can type fast, if they can't answer the question in a sentence or two they don't want to respond at all unless something else sucked them into the problem like some kind of issue they haven't ever seen before or a pet problem (aka something that they have worked on and are still gathering info). :)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: Michael B Allen [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 21, 2006 2:39 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] List Attribute Syntaxes?

Hi Joe,

Actually I think my terminology is a little off. From snooping around a bit I think I want the attributeSchema information under CN=Schema,CN=Configuration,DC=example,DC=com. What I was thinking of originally are the attribute syntax definitions like:

    ( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

But it's clear now that AD doesn't really use these textual definitions (at least not anywhere I can see).

Anyway, the overall objective here is to give my custom LDAP client API intelligence (see previous post about scripting language binding) about attributeSchema information so that the API can properly type attribute values. In particular I need to create a table of at least lDAPDisplayName, isSingleValued, and attributeSyntax. This table will be consulted by the API to determine how to compare and present values, whether they be binary, multivalued, strings, etc. To make it efficient I will need an index which will be just a hashmap where the lDAPDisplayName is the key and the attributeSchema entry is the datum. Additionally the attributeSyntax value should be one of several predefined OID constants (e.g. ADSTYPE_CASE_IGNORE_STRING) so that attributeSyntaxes can be compared logically.

Does any of this make sense? I suppose you don't get a little programmer double talk here :-)

Mike
Re: [ActiveDir] List Attribute Syntaxes?
On Sat, 21 Oct 2006 18:30:47 -0400 Michael B Allen [EMAIL PROTECTED] wrote:

Apparently I don't have CN=Aggregate,CN=Schema,DC=X. I'm using W2K 2003 but maybe it's because it's SBS?

Correction: I do have it. I left out CN=Configuration. The exact DN is available through the subschemaSubentry in the RootDSE.

Mike
FW: [ActiveDir] List Attribute Syntaxes?
Oops sorry, accidentally took everyone else off if anyone else was interested.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 21, 2006 8:12 PM
To: 'Michael B Allen'
Subject: RE: [ActiveDir] List Attribute Syntaxes?

I haven't tested SBS specifically but would be entirely shocked if you didn't have an aggregate object in your schema... I can't see any point for MSFT to yank that out just for SBS. The DN for the object would be CN=Aggregate,CN=Schema,CN=Configuration,Root Domain DN. It has existed in AD since it was released.

You can pull it with AdFind in any environment with a generic command

    adfind -schema -rb cn=aggregate -s base extendedAttributeInfo

Or even just query for it

    adfind -schema -f name=aggregate extendedAttributeInfo

I still am not completely sure why you think you need that definition, you can query the entire schema and its settings really easily, I do this with several of my tools now to make decisions on how to display/handle things. I recommend hard coding as little as possible or else you will always be playing catch-up. Get as much from reading the schema as you can and then have overrides in place. So for instance you read the schema and find out that description is multivalued, then you have some config capability that allows the user to indicate that for classes x, y, z description is NOT multivalued and supply any special cases you have encountered. I would make it generic so you can override any of the schema object properties for classes or attributes.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: Michael B Allen [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 21, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] List Attribute Syntaxes?

Apparently I don't have CN=Aggregate,CN=Schema,DC=X. I'm using W2K 2003 but maybe it's because it's SBS?

I think it's clear that this is a problem that requires work on several fronts. These are:

1) Build a local table of attributes. The table would not be read from the schema on startup but be directly included in the code. This will handle 90% of attributes seen in scripts and tools. Anything not defined is just assumed to be multi-valued and uninterpreted (e.g. not converted to string). As for attribute definitions that may have additional constraints not represented in the schema, I suppose I can either compensate for specific cases within the code or allow the programmer to utilize method 3) below.

2) Allow new attribute definitions to be registered at runtime either by providing an LDIF path on startup, calling a registration function, etc. This should, in theory, handle the remaining cases.

3) As a convenience (and as a way to compensate for things like the issue you mentioned), the programmer may supply one of several predefined attribute modifiers to assist with or override attribute typing. For example, a script using my script binding might look like:

    $attrs = array("single-value(description)", "guid(someGUIDAttribute)");
    $acct = account_get(NULL, "[EMAIL PROTECTED]", $attrs);
    echo "description: " . $acct['description'] . "\n";
    $someGUIDAttribute = guid_from_binary($acct['someGUIDAttribute']);
    echo "someGUIDAttribute: " . guid_tostr($someGUIDAttribute) . "\n";

Thanks for the pointers. I'll check them out.

Mike
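The attribute table Mike sketches (a hashmap keyed by lDAPDisplayName carrying isSingleValued and the syntax) together with the read-the-schema-then-override approach joe recommends, as an added example in Python. This is not code from either poster, from Mike's binding, or from AdFind. It reads attributeSchema entries in LDIF form (the shape ldifde exports), resolves each (attributeSyntax, oMSyntax) pair to a logical type, applies a per-class override table for constraints the schema does not state (the SAM rule for description on users), flags probable GUIDs with a heuristic, and decodes binary values by type. The SAMPLE_LDIF entries, the OVERRIDES table, the GUID heuristic (a fixed 16-byte octet string) and the sample SID and GUID are all constructed or assumed for this example; AdFind's actual GUID-detection rule is not described on this page and is not reproduced.

```python
import base64, struct, uuid

# (attributeSyntax, oMSyntax) -> logical type. Neither column is enough alone: 2.5.5.5 is IA5
# or Printable depending on oMSyntax, and oMSyntax 4 is an octet string or a SID by attributeSyntax.
SYNTAX = {
    ("2.5.5.1", 127): "dn", ("2.5.5.2", 6): "oid", ("2.5.5.3", 27): "case_exact_string",
    ("2.5.5.4", 20): "case_ignore_string", ("2.5.5.5", 19): "printable_string",
    ("2.5.5.5", 22): "ia5_string", ("2.5.5.6", 18): "numeric_string",
    ("2.5.5.7", 127): "dn_with_binary", ("2.5.5.8", 1): "boolean", ("2.5.5.9", 2): "integer",
    ("2.5.5.9", 10): "enumeration", ("2.5.5.10", 4): "octet_string",
    ("2.5.5.11", 23): "utc_time", ("2.5.5.11", 24): "generalized_time",
    ("2.5.5.12", 64): "unicode_string", ("2.5.5.13", 127): "presentation_address",
    ("2.5.5.14", 127): "dn_with_string", ("2.5.5.15", 66): "security_descriptor",
    ("2.5.5.16", 65): "large_integer", ("2.5.5.17", 4): "sid",
}

# Hypothetical override table for constraints the schema does not express (joe's example: SAM
# makes description single-valued on users). Keyed by (objectClass, lDAPDisplayName).
OVERRIDES = {("user", "description"): {"single_valued": True},
             ("group", "description"): {"single_valued": True}}

# Constructed LDIF in the shape ldifde exports attributeSchema objects; not from a real forest.
SAMPLE_LDIF = """\
dn: CN=Description,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: description
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE

dn: CN=Object-Guid,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: objectGUID
attributeSyntax: 2.5.5.10
oMSyntax: 4
isSingleValued: TRUE
rangeLower: 16
rangeUpper: 16

dn: CN=Object-Sid,CN=Schema,CN=Configuration,DC=example,DC=com
# '::' base64 form used here only to exercise that path of the parser
lDAPDisplayName:: b2JqZWN0U2lk
attributeSyntax: 2.5.5.17
oMSyntax: 4
isSingleValued: TRUE
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfold lines, decode '::' base64, split on blank lines, lower-case keys."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                if value.startswith(":"):
                    value = base64.b64decode(value[1:].strip()).decode("utf-8")
                entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def build_index(entries):
    """Hashmap keyed by lower-cased lDAPDisplayName (LDAP names are case-insensitive)."""
    index = {}
    for e in entries:
        if "attributesyntax" not in e:
            continue                                  # not an attributeSchema object
        name = e["ldapdisplayname"][0]
        rng = tuple(int(e[k][0]) if k in e else None for k in ("rangelower", "rangeupper"))
        info = {"name": name, "range": rng,
                "type": SYNTAX.get((e["attributesyntax"][0], int(e["omsyntax"][0])), "unknown"),
                "single_valued": e.get("issinglevalued", ["FALSE"])[0].upper() == "TRUE"}
        if info["type"] == "octet_string" and rng == (16, 16):
            info["type"] = "guid"                     # heuristic; knowingly not 100%
        index[name.lower()] = info
    return index


def attr_info(index, name, object_class=None):
    """Schema-derived info for an attribute with per-class overrides applied on top."""
    info = dict(index[name.lower()])
    info.update(OVERRIDES.get((object_class, name.lower()), {}))
    return info


def decode_sid(raw):
    """Binary SID -> S-R-A-...: revision, 48-bit big-endian authority, LE 32-bit sub-authorities."""
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big")) + "".join("-%d" % s for s in subs)


DECODERS = {"guid": lambda b: str(uuid.UUID(bytes_le=b)), "sid": decode_sid,
            "integer": int, "enumeration": int, "large_integer": int,
            "boolean": lambda b: b == b"TRUE",
            "octet_string": bytes, "security_descriptor": bytes, "unknown": bytes}


def decode_value(info, raw):
    """Present a raw value by logical type; string syntaxes decode as UTF-8, blobs stay raw."""
    return DECODERS.get(info["type"], lambda b: b.decode("utf-8"))(raw)


# Constructed sample values: S-1-5-21-1-2-3-500 in binary form and a fixed GUID.
SAMPLE_SID = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 500)
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
```

To feed it real data, export the attributeSchema objects with something like `ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=example,DC=com" -r "(objectClass=attributeSchema)" -l lDAPDisplayName,attributeSyntax,oMSyntax,isSingleValued,rangeLower,rangeUpper` and pass the file contents to parse_ldif. isSingleValued from the schema is only what the directory enforces generically; the SAM-enforced single-value rule for description on user objects that joe describes surfaces only through the override table, which is why the overrides are kept separate from the schema-derived index rather than patched into it.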
[ActiveDir] List Attribute Syntaxes?
How can I get a list of attribute syntaxes? For each attribute used by a system I would like to know if it is a multivalue attribute and if it is binary or text. Can I get such a list using an LDAP query? If not can I use ldifde?

Thanks,
Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
RE: [ActiveDir] List Attribute Syntaxes?
First off... anything you do with LDIF will be an LDAP query... It speaks pure LDAP.

Next off, if I understand what you are asking, yes, you query the schema and you can find all attribute syntaxes assigned, it won't tell you what they are, but you will know all in use. Multivalue status has nothing to do with attribute syntax, that is separate. Whether something is binary or text depends on what you ask for and how you ask for it. You can ask for anything to come back in a binary format with the standard LDAP binary modifier. What that exactly means though depends on the attribute; asking, for instance, for a unicode text field in binary really isn't going to look all that different to you either way. But asking for say one of the replication attributes will result in dramatically different results being returned.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B Allen
Sent: Friday, October 20, 2006 8:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Attribute Syntaxes?

How can I get a list of attribute syntaxes? For each attribute used by a system I would like to know if it is a multivalue attribute and if it is binary or text. Can I get such a list using an LDAP query? If not can I use ldifde?

Thanks,
Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/