3.1.1.2.2.2 LDAP Representations


The LDAP syntaxes supported by DCs are as shown in the following table. The set of syntaxes supported is not extensible by schema modifications. Each syntax is identified by the combination of the attributeSyntax, oMSyntax and, in select cases, oMObjectClass attributes of an attributeSchema object. The cases for which oMObjectClass is not used are indicated by the presence of a hyphen in the oMObjectClass column in the table. The combinations shown in the following table are exhaustive; this table is consistent and identical for Windows 2000 Server operating system and later.

While oMObjectClass conceptually contains an object identifier (OID), it is declared in the schema as String(Octet) syntax, requiring that values read from and written to it be expressed as the Basic Encoding Rules (BER) encoding of the OID (BER encoding is defined in [ITUX690]). In the table, both the BER-encoded form and the dotted string form of the OID are given.

| LDAP syntax name | attributeSyntax | oMSyntax | oMObjectClass |
|---|---|---|---|
| Boolean | 2.5.5.8 | 1 | - |
| Enumeration | 2.5.5.9 | 10 | - |
| Integer | 2.5.5.9 | 2 | - |
| LargeInteger | 2.5.5.16 | 65 | - |
| Object(Access-Point) | 2.5.5.14 | 127 | 0x2B 0x0C 0x02 0x87 0x73 0x1C 0x00 0x85 0x3E (1.3.12.2.1011.28.0.702) |
| Object(DN-String) | 2.5.5.14 | 127 | 0x2A 0x86 0x48 0x86 0xF7 0x14 0x01 0x01 0x01 0x0C (1.2.840.113556.1.1.1.12) |
| Object(OR-Name) | 2.5.5.7 | 127 | 0x56 0x06 0x01 0x02 0x05 0x0B 0x1D (2.6.6.1.2.5.11.29) |
| Object(DN-Binary) | 2.5.5.7 | 127 | 0x2A 0x86 0x48 0x86 0xF7 0x14 0x01 0x01 0x01 0x0B (1.2.840.113556.1.1.1.11) |
| Object(DS-DN) | 2.5.5.1 | 127 | 0x2B 0x0C 0x02 0x87 0x73 0x1C 0x00 0x85 0x4A (1.3.12.2.1011.28.0.714) |
| Object(Presentation-Address) | 2.5.5.13 | 127 | 0x2B 0x0C 0x02 0x87 0x73 0x1C 0x00 0x85 0x5C (1.3.12.2.1011.28.0.732) |
| Object(Replica-Link) | 2.5.5.10 | 127 | 0x2A 0x86 0x48 0x86 0xF7 0x14 0x01 0x01 0x01 0x06 (1.2.840.113556.1.1.1.6) |
| String(Case) | 2.5.5.3 | 27 | - |
| String(IA5) | 2.5.5.5 | 22 | - |
| String(NT-Sec-Desc) | 2.5.5.15 | 66 | - |
| String(Numeric) | 2.5.5.6 | 18 | - |
| String(Object-Identifier) | 2.5.5.2 | 6 | - |
| String(Octet) | 2.5.5.10 | 4 | - |
| String(Printable) | 2.5.5.5 | 19 | - |
| String(Sid) | 2.5.5.17 | 4 | - |
| String(Teletex) | 2.5.5.4 | 20 | - |
| String(Unicode) | 2.5.5.12 | 64 | - |
| String(UTC-Time) | 2.5.5.11 | 23 | - |
| String(Generalized-Time) | 2.5.5.11 | 24 | - |

The representation for many of the preceding syntaxes is adopted from [RFC2252]. The following table lists the syntaxes whose representation is adopted from that RFC, the [RFC2252] name of that syntax, and the associated section of [RFC2252] that specifies the representation.

| LDAP syntax name | RFC 2252 name | Section of RFC 2252 |
|---|---|---|
| Boolean | Boolean | 6.4 |
| Enumeration | INTEGER | 6.16 |
| Integer | INTEGER | 6.16* |
| LargeInteger | INTEGER | 6.16* |
| Object(DS-DN) | DN | 6.9 (see also [RFC2253])** |
| Object(Presentation-Address) | Presentation Address | 6.28*** |
| Object(Replica-Link) | Binary | 6.2 |
| String(IA5) | IA5 String | 6.15† |
| String(Numeric) | Numeric String | 6.23†† |
| String(Object-Identifier) | OID | 6.25††† |
| String(Octet) | Binary | 6.2 |
| String(Printable) | Printable String | 6.29†††† |
| String(Unicode) | Directory String | 6.10 |
| String(UTC-Time) | UTC Time | 6.31††††† |
| String(Generalized-Time) | Generalized Time | 6.14††††† |

* The Integer syntax in Active Directory is restricted to 32-bit integers. The LargeInteger syntax is restricted to 64-bit integers.

** While Active Directory uses the [RFC2252] and [RFC2253] representation of DNs, it can also use alternative forms of the DN representation when it accepts requests and sends responses, if requested by the client. This is documented in LDAP_SERVER_EXTENDED_DN_OID (section 3.1.1.3.4.1.5).

*** No validation is done by the DC to confirm that the value conforms to the representation specified in [RFC1278].

† Values restricted to ASN.1 IA5 strings (as specified in [ITUX680]).

†† Values restricted to ASN.1 Numeric strings (as specified in [ITUX680]).

††† Values of attributes of syntax String(OID) are accepted in either the numericoid (numeric OID) or descr (the LDAP display name of the attribute or class identified by that OID) format, as defined in [RFC2252] section 4.1. The server determines the format of returning OID values using the first matching rule in the following set of processing rules:

  1. If a "Binary Option" is present on the AttributeDescription (as described in [RFC2251] section 4.1.5.1) of the request, the server MUST return the OID converted to binary format as described in [RFC2252] section 4.3.1. The result is a binary encoded value using Basic Encoding Rules defined in [ITUX690].

  2. If a value of either attributeID of an AttributeSchema object or governsID of a ClassSchema object is requested, the server MUST return the OID in numericoid (Numeric OID) format.

  3. If the attribute requested is not attributeID or governsID, but the value of the attribute identifies an attribute or class, the server MUST return the value in Descr format.

  4. If none of the above applies, the server MUST return the OID in numericoid (Numeric OID) format.
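The following Python is an added example and is not code from MS-ADTS or from Active Directory. It serves two passages of this section: the BER encoding of the OID held in oMObjectClass (the String(Octet) form described above the syntax table, verified against the octet strings that table lists) and the four processing rules just given for returning String(OID) values. The syntax-table rows, the `binary` option handling, the function names and the `SAMPLE_NAMES` map of OIDs to lDAPDisplayName values are this example's own constructions; `cn` (2.5.4.3) and `top` (2.5.6.0) are the standard X.500 identifiers.

```python
"""Added example (not part of MS-ADTS): BER-encodes and decodes the OIDs that
oMObjectClass stores, resolves an attributeSchema syntax triple to its LDAP
syntax name, and applies the String(OID) return-format rules of the footnote."""
from __future__ import annotations


def encode_oid(dotted: str) -> bytes:
    """Content octets of the BER encoding of a dotted OID ([ITUX690] 8.19), i.e.
    the value read from or written to oMObjectClass (no tag or length octets)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        # Base-128 groups, most significant first; bit 7 set on all but the last.
        groups = [sid & 0x7F]
        sid >>= 7
        while sid:
            groups.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid; rejects a value whose final octet still has the
    continuation bit set (a truncated sub-identifier)."""
    if not content or content[-1] & 0x80:
        raise ValueError("truncated BER OID")
    subids, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


# Rows copied from the syntax table in this section, keyed by
# (attributeSyntax, oMSyntax, oMObjectClass as a dotted OID, or None for "-").
SYNTAX_TABLE = {
    ("2.5.5.9", 2, None): "Integer",
    ("2.5.5.14", 127, "1.3.12.2.1011.28.0.702"): "Object(Access-Point)",
    ("2.5.5.14", 127, "1.2.840.113556.1.1.1.12"): "Object(DN-String)",
    ("2.5.5.7", 127, "2.6.6.1.2.5.11.29"): "Object(OR-Name)",
    ("2.5.5.7", 127, "1.2.840.113556.1.1.1.11"): "Object(DN-Binary)",
    ("2.5.5.1", 127, "1.3.12.2.1011.28.0.714"): "Object(DS-DN)",
    ("2.5.5.13", 127, "1.3.12.2.1011.28.0.732"): "Object(Presentation-Address)",
    ("2.5.5.10", 127, "1.2.840.113556.1.1.1.6"): "Object(Replica-Link)",
    ("2.5.5.10", 4, None): "String(Octet)",
    ("2.5.5.17", 4, None): "String(Sid)",
    ("2.5.5.2", 6, None): "String(Object-Identifier)",
}


def syntax_name(attribute_syntax: str, om_syntax: int,
                om_object_class: bytes | None = None) -> str:
    """Resolve an attributeSchema object's syntax triple to its LDAP syntax name.
    oMObjectClass is consulted only for oMSyntax 127 (the rows without a hyphen)."""
    if om_syntax == 127:
        if om_object_class is None:
            raise ValueError("oMSyntax 127 requires oMObjectClass")
        key = (attribute_syntax, om_syntax, decode_oid(om_object_class))
    else:
        key = (attribute_syntax, om_syntax, None)
    try:
        return SYNTAX_TABLE[key]
    except KeyError:
        raise ValueError(f"no LDAP syntax for {key}") from None


def oid_return_format(attribute_description: str, value_names_schema_object: bool) -> str:
    """First matching rule of the four in the String(OID) footnote.
    attribute_description is type[;option...] per [RFC2251] 4.1.5; attribute
    types and options compare case-insensitively."""
    attr_type, *options = attribute_description.split(";")
    if any(o.lower() == "binary" for o in options):        # rule 1
        return "binary"
    if attr_type.lower() in ("attributeid", "governsid"):   # rule 2
        return "numericoid"
    if value_names_schema_object:                           # rule 3
        return "descr"
    return "numericoid"                                     # rule 4


def render_oid_value(attribute_description: str, oid: str,
                     value_names_schema_object: bool,
                     display_names: dict[str, str]) -> bytes | str:
    """Produce the OID value in the selected form; display_names maps an
    attribute or class OID to its lDAPDisplayName (constructed sample below)."""
    fmt = oid_return_format(attribute_description, value_names_schema_object)
    if fmt == "binary":
        return encode_oid(oid)
    if fmt == "descr":
        return display_names[oid]
    return oid


# Constructed sample of schema names; cn and top carry the standard X.500 OIDs.
SAMPLE_NAMES = {"2.5.4.3": "cn", "2.5.6.0": "top"}
```

`syntax_name("2.5.5.10", 4)` and `syntax_name("2.5.5.10", 127, encode_oid("1.2.840.113556.1.1.1.6"))` resolve to String(Octet) and Object(Replica-Link) respectively, which is why a schema checker must key on the full triple rather than on attributeSyntax alone; `render_oid_value("attributeID;binary", "2.5.4.3", False, SAMPLE_NAMES)` returns the three content octets `55 04 03`.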

†††† Active Directory has two differences from the character set specified in [RFC2252]:

  1. The quote character ("), or ASCII 0x22, is part of the character set in the RFC but not in Active Directory.

  2. The "@" symbol, or ASCII 0x40, is not part of the character set in the RFC, but it is part of the character set in Active Directory.
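The following Python is an added example, not code from MS-ADTS, showing the two character-set differences as a validator: it builds the RFC 2252 set from that RFC's section 4.1 `p` production (letters, digits, `"`, `(`, `)`, `+`, `,`, `-`, `.`, `/`, `:`, `?` and space) and derives the Active Directory set by removing the quote and adding `@`. The function names and the sample values are this example's own.

```python
"""Added example (not part of MS-ADTS): validates String(Printable) values
against the RFC 2252 character set and against Active Directory's variant."""
from __future__ import annotations
import string

# Letters, digits and the punctuation of the RFC 2252 section 4.1 "p" production.
RFC2252_PRINTABLE = frozenset(string.ascii_letters + string.digits + '"()+,-./:? ')
# Active Directory removes the quote (0x22) and adds "@" (0x40).
AD_PRINTABLE = frozenset((RFC2252_PRINTABLE - {'"'}) | {"@"})


def offending_chars(value: str, active_directory: bool = True) -> list[str]:
    """Characters of value outside the selected set, sorted, so a rejected
    write can be reported with the exact culprits rather than a bare failure."""
    charset = AD_PRINTABLE if active_directory else RFC2252_PRINTABLE
    return sorted(set(value) - charset)


def is_printable(value: str, active_directory: bool = True) -> bool:
    return not offending_chars(value, active_directory)


def portability(value: str) -> str:
    """Which validators accept the value: useful when attribute data is moved
    between an RFC 2252 directory and Active Directory in either direction."""
    rfc_ok = is_printable(value, active_directory=False)
    ad_ok = is_printable(value)
    if rfc_ok and ad_ok:
        return "both"
    if ad_ok:
        return "ad-only"
    if rfc_ok:
        return "rfc-only"
    return "neither"
```

A value such as `user@example.com` passes the Active Directory check but fails the RFC 2252 one, while `say "hi"` does the reverse; `offending_chars` names the character responsible in each case.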

††††† Times are measured in granularity of 1 second.

The remaining syntaxes are represented as shown in the following sections.