3.1.1.1.4 objectClass, RDN, DN, Constructed Attributes, Secret Attributes

A directory object is constrained by the directory's schema, which is a set of predicates. A few schema concepts are mentioned here. A full understanding of these concepts is not required to understand this section; additional information is available in the Glossary or in section 3.1.1.2.

When an object is created, it is assigned a most specific structural object class or an 88 object class, plus the sequence of object classes that this class inherits from. The set of inherited classes always includes the class top. The value of an object's objectClass attribute is the full set of object classes (each identified by lDAPDisplayName) assigned to the object. The example in the previous section is elaborated in the following list.

 (
   ( (objectGUID 5) (parent 0) (dc "microsoft")
     (objectClass top ... domainDNS) )
   ( (objectGUID 2) (parent 5) (ou "NTDEV")
     (objectClass top ... organizationalUnit) )
   ( (objectGUID 9) (parent 2) (cn "Peter Houston")
     (objectClass top ... user) )
 )

This list represents three objects, including their first and last objectClass values. The intermediate objectClass values are elided. Unlike all other multivalued attributes, the ordering of objectClass values is significant—top is always listed first; the most specific structural object class (or the 88 object class used in place of the structural class) is always listed last. So, for instance, the most specific structural object class of the root is domainDNS.

Representing a class as its lDAPDisplayName makes examples readable. In the actual state model, a class is identified by an ATTRTYP. An ATTRTYP is a 32-bit unsigned integer that can be mapped to and from the schema object representing a class. This mapping is specified in section 3.1.1.2.6.

In Active Directory, each object has an RDN attribute, which is determined by the most specific structural object class of the object when the object is created. The RDN attribute is the attribute that defines an object's name relative to its parent. In Active Directory, the RDN attribute of an object class has String(Unicode) syntax; that is, its value is a Unicode string, and the RDN attribute of an object always has exactly one value. (See section 3.1.1.2 for more on the topic of attribute syntax.)

Confusingly, the Active Directory schema includes an attribute whose attributeSchema object's cn is "RDN"; this is the name attribute, described later in this section. The term "RDN attribute" never refers to the name attribute in this document.

The relative distinguished name (RDN) of an object is a string of the form "att=val" where att is the lDAPDisplayName of the RDN attribute of the object and val is the value of the RDN attribute on this object. In the preceding example, the object class user has RDN attribute cn, as can be confirmed by consulting [MS-ADSC]. Therefore the RDN of the object with objectGUID = 9 is "cn=Peter Houston". An RDN can also be written using the attributeID of the RDN attribute in place of its lDAPDisplayName; the example just given becomes "2.5.4.3=Peter Houston". The RDN form based on lDAPDisplayName is used throughout this document.

Active Directory requires that the value parts of the RDNs of all children of an object be distinct. This guarantees that the RDNs of all children of an object are distinct.

The DN of an object is defined recursively as follows. The DN of the root has an assigned value; the way Active Directory assigns this value is described later in section 3.1.1.1.5. The DN of a child object is the RDN of the child, followed by "," and the DN of the parent. In the preceding example, suppose the assigned DN of the root object is "dc=microsoft,dc=com". Then the DN of the object with objectGUID = 9 is "cn=Peter Houston,ou=NTDEV,dc=microsoft,dc=com".

The correspondence between this model and the LDAP data model is as follows. An object with its attributes and values corresponds to an LDAP entry with its attributes and values. This model and LDAP agree on the definition of the objectClass attribute. The definition of RDN in this model is a subset of LDAP's definition; all RDNs in this model are valid LDAP RDNs, but not vice versa. For example, the following multivalued RDN is a valid LDAP RDN, but it is not valid in this model: "cn=Peter Houston+employeeID=ABC123". Given the RDN definition, the definition of DN in this model is the same as LDAP's definition. In the LDAP data model, the child-parent relationship is represented in the DNs of the child and parent, whereas in the Active Directory data model, the child-parent relationship is represented in the parent attribute and the DN is derived. Active Directory does not expose the model's parent attribute through LDAP.

Active Directory includes the distinguishedName attribute on every object; the value is the object's DN. The following example elaborates the previous example to include a value of distinguishedName on each object.

 (
   ( (objectGUID 5) (parent 0) (dc "microsoft")
     (objectClass top ... domainDNS)
     (distinguishedName "dc=microsoft,dc=com") )
   ( (objectGUID 2) (parent 5) (ou "NTDEV")
     (objectClass top ... organizationalUnit) 
     (distinguishedName "ou=NTDEV,dc=microsoft,dc=com" ) )
   ( (objectGUID 9) (parent 2) (cn "Peter Houston")
     (objectClass top ... user)
     (distinguishedName
       "cn=Peter Houston,ou=NTDEV,dc=microsoft,dc=com") )
 )

But including distinguishedName on each object this way is misleading, because the distinguishedName attribute is not stored as a string on each object. If it were stored as a string on each object, renaming an object would require updating every object in the subtree rooted at the renamed object. For a large subtree, this would take a long time and would either interfere with other directory activity (if performed as a single transaction) or would expose observable inconsistency to clients (if performed as multiple transactions). Active Directory does neither of these, so its state model can't imply that it does.

The distinguishedName attribute is not declared in the schema as a constructed attribute, but it behaves like one. Normal attributes, including attributes with special behavior such as objectGUID, have their values stored as part of an object's representation. Constructed attributes have the property that they have values computed from normal attributes (for read) and/or have effects on the values of normal attributes (for write). Constructed attributes are not included in the state model. Because the distinguishedName attribute behaves like a constructed attribute in that it also contributes no state to an instance of an object, it is not considered to be part of the state model.

Active Directory includes the name attribute on every object. An object's value of name equals the value of the object's RDN attribute. The following example removes the incorrect modeling of distinguishedName from the previous example, then elaborates that example to include name.

 (
   ( (objectGUID 5) (parent 0) (dc "microsoft")
     (objectClass top ... domainDNS)
     (name "microsoft") )
   ( (objectGUID 2) (parent 5) (ou "NTDEV")
     (objectClass top ... organizationalUnit)
     (name "NTDEV") )
   ( (objectGUID 9) (parent 2) (cn "Peter Houston")
     (objectClass top ... user) 
     (name "Peter Houston") )
 )

The name attribute has special behavior. Even if an object is renamed (LDAP Modify DN), the object's name attribute remains equal to the object's RDN attribute. As with the distinguishedName attribute, the name attribute is not declared in the schema as a constructed attribute, but it behaves like one.

Because Active Directory requires that the value parts of the RDNs of all children of an object be distinct, it follows that the name attribute of all children of an object are distinct.

Active Directory includes the rdnType attribute on every object. An object's value of rdnType is the object's RDN attribute at object creation time—the identifier, not its associated value. The following example elaborates the previous example to include rdnType.

 (
   ( (objectGUID 5) (parent 0) (dc "microsoft")
     (objectClass top ... domainDNS)
     (name "microsoft") (rdnType dc))
   ( (objectGUID 2) (parent 5) (ou "NTDEV")
     (objectClass top ... organizationalUnit)
     (name "NTDEV") (rdnType ou))
   ( (objectGUID 9) (parent 2) (cn "Peter Houston")
     (objectClass top ... user) 
     (name "Peter Houston") (rdnType cn))
 )

The rdnType attribute, like the parent attribute, is not declared in the Active Directory schema. [MS-DRSR] section 5.159 specifies the special behavior of the rdnType attribute.

A secret attribute is any attribute from the following set: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing, lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials, trustAuthIncoming, trustAuthOutgoing, and unicodePwd.