About Attributes

Articles and Tips: article

Nancy McLain
Senior Editor
DeveloperNet University
nmclain@novell.com

15 Nov 2000

This month, columnist Nancy McLain turns her eye towards a discussion of how attributes fit in the NDS scheme of things.

In the past Directory Primer articles, I've occasionally mentioned object attributes or properties. Since I wrote about objects last month, I'll write about attributes this month. The terms attribute and property refer to the same thing. In this article, I'll use the term attribute.

What Is an Attribute?

An attribute of an object holds information that describes the object. Different objects have different types of attributes associated with them. The data in an object's attributes helps to completely describe each individual object. Some attributes can hold more than one value. These are called multi-valued attributes.

For example, User objects can have up to 75 attributes, such as Login Name, Given Name, Last Name, Title, Address, Telephone Number, Fax Number, and so on. Examples of multi-valued attributes are Title and Home Phone, each of which can hold more than one value. The Title attribute can hold more than one title and the Home Phone can hold more than one telephone number.

A Printer object, on the other hand, could have the Name, Network Address, and Print Server attributes. The attributes associated with a User object would never accurately describe a Printer object, and vice versa.

All attributes are defined by a syntax and constraints.

Attribute Syntax

All attribute definitions contain an attribute syntax. An attribute syntax is a predefined data type for the values to be stored in the directory. When you create a new attribute, you must assign it one of the following 28 currently predefined syntaxes:

· Back Link	· Numeric String
· Boolean	· Object ACL
· Case Exact String	· Octet List
· Case Ignore String	· Octet String
· Case Ignore List	· Path
· Class Name	· Postal Address
· Counter	· Printable String
· Distinguished Name	· Replica Pointer
· E-mail Address	· Stream
· Facsimile Telephone Number	· Telephone Number
· Hold	· Time
· Integer	· Timestamp
· Interval	· Typed Name
· Net Address	· Unknown

Attribute Constraints

All attribute definitions contain one or more attribute constraints. An attribute constraint affects the attribute's value in some manner. Constraints specify whether an attribute:

Has only a single value or has multiple values.
Has a range or a size limit to the value.
Is synchronized immediately, or at the next scheduled interval ,or never.
Is hidden or is viewable.
Is writeable or is read-only.

Constraints also manage access control to the attribute. For example, you can constrain an attribute so only users with sufficient rights to the object can add the attribute.

Constraints also define the matching rules that are used when comparing two values of the same syntax. A search usually uses the equality, substring or ordering matching rules.:

The equality matching rule works for attribute types are the same. It checks for equal values of the attribute.

The substring matching rule also compares two string property values; it can use wild cards.

The ordering matching rules compare attribute values that are based on "less than," "equal to," and "greater than."

Mandatory and Optional Attributes

In order to be adequately identified and described, objects have some attributes that are mandatory. For these attributes, you must enter a value when you create the object. Each different object class (or type of object) can have different mandatory attributes. For example, both a Printer object and a User object have the mandatory attribute CN (Common Name), which names the object. But the User object also has the mandatory attribute called Surname. It wouldn't make sense to give the Printer object a Surname attribute.

You can't circumvent or remove a mandatory attribute. Sometimes NDS requires mandatory attributes in order to operate properly, and sometimes the attributes are mandatory in order to comply with the X.500 standard. In the case of the User object, the X.500 standard makes the Surname attribute mandatory.

If an attribute is optional, you only have to enter a value for it if your particular installation is using it. For example, the User object's Phone Number attribute is optional. You only have to enter phone numbers if your installation is storing the users' phone numbers in NDS.

Naming Attributes

An object is named by its naming attribute. Usually, an object's naming attribute is the CN attribute. When you combine the value in the object's naming attribute with the values in its parent containers' naming attributes, you create the object's full NDS name. The object's full NDS name describes its location in the NDS tree.

For example, look at Brenda's User object in the sample NDS tree shown in Figure 1.

Figure 1: A sample NDS tree with a User object for Brenda

Brenda's full NDS name would be the name held by her User object's CN attribute combined with the names of its parent containers. So, her User object's full NDS name would be as follows: CN=Brenda.OU=Benefits.OU=HR.O=VerySmallCompany. In the same fashion, the full NDS name of the printer in Figure 1 would be CN=Printer.OU=HR.O=VerySmallCompany.

The table below shows the naming attributes for required and commonly used NDS objects.

Naming Attribute	NDS Container
C (Country Name)	Country
L (Locality) or S (State or Province Name)	Locality
O (Organization Name)	Organization
OU (Organizational Unit Name)	Organizational Unit
CN (Common Name) or UniqueID or OU (Organizational Unit)	User
CN (Common Name)	NCP Server
CN (Common Name)	Volume
CN (Common Name)	Application
Bindery Type or CN (Common Name)	Bindery
CN (Common Name)	Organizational Role
CN (Common Name)	Group
CN (Common Name)	Directory Map
CN (Common Name)	Print Server
CN (Common Name)	Printer
CN (Common Name)	Queue
CN (Common Name)	Profile

When an object has more than one naming attribute, that object can be named by any one of the naming attributes, or by a combination of the naming attributes. For example, the Locality object can be named by the L (Locality) or by the S (State or Province) attribute. So, for the Montreal, Quebec locality, the name could be:

L=Montreal
S=Quebec
L=Montreal + S=Quebec

The last example uses both attributes with a plus sign (+) to indicate where the second attribute's value begins. These names are shown in typeful form. The typeless form would look like: Montreal + Quebec.

Conclusion

To summarize, attributes hold data that describes and identifies a directory object. Some attributes are mandatory and some are optional. If an attribute is mandatory, you must enter a value for it when you create the object. You can enter values for optional attributes either when you create the object, or later.

All objects also have at least one naming attribute. This is the attribute that names the object and helps you locate it in the NDS tree.

* Originally published in Novell AppNotes

Disclaimer

The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.