The following table describes the attributes that the appliance uses in the supported directories.
| Attribute Name | LDAP Name | Description | Type | Supported in Active Directory | Supported in LDS | Supported in eDirectory |
|---|---|---|---|---|---|---|
| CN (Common Name) | CN | An identifier of an object | String | ✓ | ✓ | ✓ |
| Mobile | Mobile | The phone number of an object's cellular or mobile phone | Phone number | ✓ | ✓ | ✓ |
| Email Address | | The email address of a user | Email address | ✓ | ✓ | ✓ |
| User-Principal-Name (UPN) | userPrincipalName | A login name for a user in Internet-based format | String | ✓ | ✓ | ✓ |
| SAM-Account-Name | sAMAccountName | The login name used to support clients and servers running earlier versions of operating systems, such as Windows NT 4.0 | String | ✓ | × | × |
| GUID | GUID | A value guaranteed to be unique for any object | | × | × | ✓ |
| Object Class | Object Class | An unordered list of object classes | String | ✓ | ✓ | ✓ |
| Member | Member | A list of the objects associated with a group or list | String | ✓ | ✓ | ✓ |
| User-Account-Control | userAccountControl | Flags that control the behavior of a user account | | ✓ | × | × |
| ms-DS-User-Account-Control-Computed | msDS-User-Account-Control-Computed | Flags similar to userAccountControl, but the attribute's value can contain additional bits that are not persisted | | ✓ | ✓ | × |
| Primary-Group-ID | primaryGroupID | The relative identifier (RID) of a user's primary group | | ✓ | × | × |
| Object-Guid | objectGUID | A unique identifier for an object | | ✓ | ✓ | × |
| object-Sid | objectSid | A binary value that specifies the security identifier (SID) of the user | | ✓ | ✓ | × |
| Logon-Hours | logonHours | The hours during which the user is allowed to log on to the domain | | ✓ | × | × |
| USN-Changed | uSNChanged | An update sequence number (USN) assigned by the local directory for the latest change, including creation | | ✓ | ✓ | × |
NOTE: The sAMAccountName and userPrincipalName attributes are supported only for the AD DS repository. The Active Directory LDS and eDirectory repositories do not support these attributes.
Active Directory DS and AD LDS Queries
1. Search users
(&(usnChanged>=217368)(&(objectClass=user)(|(cn=*)(sAMAccountName=*)(userPrincipalName=*))))
Requested attributes:
['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'otherMobile', 'mobile', 'userAccountControl', 'cn', 'usnChanged', 'userPrincipalName', 'msDS-User-Account-Control-Computed', 'objectGUID', 'mail', 'otherMailbox', 'GUID']
2. Search groups
(&(usnChanged>=217368)(&(objectClass=group)(|(cn=*)(sAMAccountName=*))))
Requested attributes:
['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'userAccountControl', 'cn', 'usnChanged', 'msDS-User-Account-Control-Computed', 'objectGUID', 'GUID']
eDirectory Queries
The queries are the same as for Active Directory DS and Active Directory LDS, except that the 'usnChanged' filter is not used.
1. Search users
(&(objectClass=user)(|(cn=*)(sAMAccountName=*)(userPrincipalName=*)))
Requested attributes:
['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'otherMobile', 'mobile', 'userAccountControl', 'cn', 'userPrincipalName', 'msDS-User-Account-Control-Computed', 'objectGUID', 'mail', 'otherMailbox', 'GUID']
2. Search groups
(&(objectClass=group)(|(cn=*)(sAMAccountName=*)))
Requested attributes:
['objectSID', 'sAMAccountName', 'objectClass', 'logonHours', 'primaryGroupId', 'userAccountControl', 'cn', 'msDS-User-Account-Control-Computed', 'objectGUID', 'GUID']
For Active Directory LDS queries, the attributes are the same as for Active Directory DS, except for objectSid (this filter is not used in queries on group membership).
In the examples below, the username is pjones and base_dn is DC=company,DC=com.
Active Directory DS and Active Directory LDS queries
1. Basic user information
(&(objectClass=user)(|(cn=pjones)(sAMAccountName=pjones)(userPrincipalName=pjones)))
Requested attributes:
(&(objectClass=user)(objectGUID=\0f\d1\14\49\bc\cc\04\44\b7\bf\19\06\15\c6\82\55))
Requested attributes:
['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']
2. Group membership information for user
Active Directory-specific query using the objectSid filter:
(|(member=CN=pjones,CN=Users,DC=company,DC=com)(objectSid=S-1-5-21-3303523795-413055529-2892985274-513))
Requested attributes:
['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass', 'sAMAccountName', 'logonHours']
3. Iteratively query each group returned by the query above
(member=CN=Performance Monitor Users,CN=Builtin,DC=company,DC=com)
Requested attributes:
['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass', 'sAMAccountName', 'logonHours']
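The filters above are assembled from directory data and a user-supplied login name. As an added example (not the appliance's own code), the Python below builds the same filters with RFC 4515 escaping so a login name cannot change the shape of the filter, encodes a binary objectGUID as the \hh form shown in the second query, and derives the primary group's SID from a decoded binary objectSid plus primaryGroupID. The user RID 1104 in the sample SID is constructed; the domain SID, the GUID bytes and the DN are taken from the page.

```python
import struct

# RFC 4515 escaping: a login name such as 'p*)(cn=' cannot reshape the filter.
def escape_filter_value(value: str) -> str:
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

# Binary values (objectGUID, eDirectory GUID) go into the filter as one \hh per byte.
def escape_binary(data: bytes) -> str:
    return ''.join('\\%02x' % b for b in data)

# Binary objectSid layout: revision (1) | sub-authority count (1) |
# identifier authority (6 bytes, big-endian) | sub-authorities (4 bytes each, little-endian).
def sid_bytes_to_string(sid: bytes) -> str:
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], 'big')
    subs = struct.unpack_from('<%dI' % count, sid, 8)
    return 'S-%d-%d-%s' % (revision, authority, '-'.join(str(s) for s in subs))

# primaryGroupID is a RID: the primary group's SID is the domain SID
# (the user's SID minus its own RID) followed by that RID.
def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    return '%s-%d' % (user_sid.rsplit('-', 1)[0], primary_group_id)

# Incremental "search users" filter: AD DS/LDS wrap it in a uSNChanged watermark,
# eDirectory (no USN) sends the bare filter.
def search_users_filter(min_usn=None) -> str:
    base = '(&(objectClass=user)(|(cn=*)(sAMAccountName=*)(userPrincipalName=*)))'
    return base if min_usn is None else '(&(usnChanged>=%d)%s)' % (min_usn, base)

def user_filter(username: str) -> str:
    u = escape_filter_value(username)
    return '(&(objectClass=user)(|(cn=%s)(sAMAccountName=%s)(userPrincipalName=%s)))' % (u, u, u)

def guid_filter(object_guid: bytes) -> str:
    return '(&(objectClass=user)(objectGUID=%s))' % escape_binary(object_guid)

# Groups that list the user as a member, plus the primary group (matched by SID).
def membership_filter(user_dn: str, user_sid_bin: bytes, primary_group_id: int) -> str:
    group_sid = primary_group_sid(sid_bytes_to_string(user_sid_bin), primary_group_id)
    return '(|(member=%s)(objectSid=%s))' % (escape_filter_value(user_dn), group_sid)

# Constructed sample: a user with RID 1104 in the page's domain, primaryGroupID 513.
SAMPLE_SID = (struct.pack('<BB', 1, 5) + (5).to_bytes(6, 'big')
              + struct.pack('<5I', 21, 3303523795, 413055529, 2892985274, 1104))
SAMPLE_GUID = bytes.fromhex('0fd11449bccc0444b7bf190615c68255')  # objectGUID bytes from the page

if __name__ == '__main__':
    print(user_filter('pjones'))
    print(membership_filter('CN=pjones,CN=Users,DC=company,DC=com', SAMPLE_SID, 513))
```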
eDirectory Queries
Basic user information
(&(objectClass=user)(|(cn=pjones)(sAMAccountName=pjones)(userPrincipalName=pjones)))
Requested attributes:
['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']
(&(objectClass=user)(GUID=\57\b6\c2\c1\b9\7f\4b\40\b9\70\5f\9a\1d\76\6c\d2))
Requested attributes:
['otherMobile', 'GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'mobile', 'primaryGroupId', 'cn', 'objectGUID', 'userPrincipalName', 'objectSID', 'mail', 'sAMAccountName', 'objectClass', 'logonHours', 'otherMailbox']
Group membership information for user
(member=cn=pjones,o=AAF)
Requested attributes:
['GUID', 'userAccountControl', 'msDS-User-Account-Control-Computed', 'primaryGroupId', 'objectGUID', 'cn', 'objectSID', 'objectClass', 'sAMAccountName', 'logonHours']
Search groups
(&(objectClass=group)(GUID=<group_GUID>))
Requested attributes:
['cn', 'objectClass', 'GUID', 'loginDisabled', 'loginExpirationTime', 'lockedByIntruder', 'radiusFramedIPAddress']