Extension scripts for the AD/ADAM schema can be written either as LDF files or as VBScript. This article mainly explains how to write LDF files. Every script shown here only needs to be saved as a file with the .ldf extension and then run with the following command line:
ldifde -v -i -f <yourfilename>.ldf
When developing applications against AD, we may run into the following situations:
- the existing AD classes are insufficient or unsuitable;
- the existing AD attributes are insufficient or unsuitable;
- specified attributes of two classes need to be linked to each other;
etc.
In these cases we have to extend the AD schema. Below, several examples give a brief description of how AD/ADAM extension scripts are written.
1) To add an attribute named QQ to AD/ADAM for storing a user's QQ number, we can create the following script and save it as an .ldf file, for example AddQQAttribute.ldf:
dn: cn=QQ,cn=schema,cn=configuration,dc=x
changetype: add
objectclass: attributeSchema
lDAPDisplayName: QQ
attributeId: 1.3.6.1.4.1.999.1.1.28.11
oMSyntax: 2
attributeSyntax: 2.5.5.9
isSingleValued: True
searchFlags: 1
description: "QQ Number"
Explanation:
To add an attribute, we add an attributeSchema object to the schema container.
dn: cn=QQ,cn=schema,cn=configuration,dc=x
changetype: add
objectclass: attributeSchema
lDAPDisplayName: QQ
attributeId: 1.3.6.1.4.1.999.1.1.28.11
These lines add an attribute named QQ. Its unique identifier, the attributeId value 1.3.6.1.4.1.999.1.1.28.11, is an OID that can be applied for at the following address:
http://www.iso.ch/iso/en/aboutiso/isomembers/index.html
oMSyntax: 2
attributeSyntax: 2.5.5.9
isSingleValued: True
searchFlags: 1
These four lines give the basic properties of the new attribute. oMSyntax and attributeSyntax together state that the attribute's value is of type integer; the value pair for each data type can be looked up in the table below.
attributeSyntax and oMSyntax mapping table

| Name | attributeSyntax | oMSyntax | Description |
|---|---|---|---|
| AccessPointDN | 2.5.5.14 | 127 | Type of distinguished name taken from X.500. |
| Boolean | 2.5.5.8 | 1 | TRUE or FALSE value. |
| CaseExactString | 2.5.5.3 | 27 | Case-sensitive string. |
| CaseIgnoreString | 2.5.5.4 | 20 | Case-insensitive string. |
| DirectoryString | 2.5.5.12 | 64 | Case-insensitive Unicode string. |
| DN | 2.5.5.1 | 127 | String representing a distinguished name. |
| DNWithBinary | 2.5.5.7 | 127 | Octet string with the format B:CharCount:BinaryValue:ObjectDN, where CharCount is the number of hexadecimal digits in BinaryValue, BinaryValue is the hexadecimal representation of the binary value, and ObjectDN is a distinguished name. |
| DNWithString | 2.5.5.14 | 127 | Octet string that contains a string value and a DN, with the format S:CharCount:StringValue:ObjectDN, where CharCount is the number of characters in StringValue and ObjectDN is the distinguished name of an object in Active Directory. |
| Enumeration | 2.5.5.9 | 10 | Defined in X.500 and treated as an integer. |
| GeneralizedTime | 2.5.5.11 | 24 | Time-string format defined by ASN.1 standards. See ISO 8601 and X.680. |
| IA5String | 2.5.5.5 | 22 | Case-sensitive string containing characters from the IA5 character set. |
| Integer | 2.5.5.9 | 2 | 32-bit integer. |
| Integer8 | 2.5.5.16 | 65 | 64-bit integer, also known as a large integer. |
| NTSecurityDescriptor | 2.5.5.15 | 66 | Octet string that contains a security descriptor. |
| NumericString | 2.5.5.6 | 18 | String that contains digits. |
| OctetString | 2.5.5.10 | 4 | Array of bytes used to store binary data. |
| OID | 2.5.5.2 | 6 | String that contains digits (0-9) and decimal points (.). |
| ORName | 2.5.5.7 | 127 | Taken from X.400; used for X.400 to RFC 822 mapping. |
| PresentationAddress | 2.5.5.13 | 127 | String that contains OSI presentation addresses. |
| PrintableString | 2.5.5.5 | 19 | Case-sensitive string that contains characters from the printable character set. |
| ReplicaLink | 2.5.5.10 | 127 | Used by Active Directory internally. |
| Sid | 2.5.5.17 | 4 | Octet string that contains a security identifier (SID). |
| UTCTime | 2.5.5.11 | 23 | Time-string format defined by ASN.1 standards. |
Other properties of an attributeSchema object:
LinkID: among the built-in AD attributes there is a pair of linked attributes, member and memberOf, both of type distinguishedName. When the member attribute of group Group1 contains the distinguishedName of user User1, the memberOf attribute of User1 automatically contains the distinguishedName of Group1. To implement this kind of attribute we must specify its LinkID, and the attribute's type must be distinguishedName, i.e. attributeSyntax: 2.5.5.1 and oMSyntax: 127.
2) Suppose we need to add a custom class to AD. We can do this with the following script.
dn: cn=rallencorp-SalesUser,CN=schema,CN=configuration,CN=x
changetype: add
objectclass: classSchema
lDAPDisplayName: rallencorp-SalesUser
governsId: 1.3.6.1.4.1.999.1.1.28.21
objectClassCategory: 1
subClassOf: top
description: Auxiliary class for Sales user attributes
mayContain: 1.3.6.1.4.1.999.1.1.28.11
Explanation:
governsId: defines the OID of the class, which can be applied for at
http://www.iso.ch/iso/en/aboutiso/isomembers/index.html
objectClassCategory: defines the class type; the meaning of each value is listed in the table below:
Object class category values

| Name | Value | Description |
|---|---|---|
| 88 | 0 | Legacy class type defined by the original X.500 standards. It should not be used for new classes. |
| Structural | 1 | Used for instantiating objects. Can be comprised of abstract, auxiliary, and other structural classes. |
| Abstract | 2 | Used to define a high-level grouping of attributes that can be used as part of other abstract or structural class definitions. Objects cannot be instantiated using an abstract class. |
| Auxiliary | 3 | Used as a collection of attributes that can be applied to other abstract, auxiliary, or structural classes. |
subClassOf: defines the parent class; top here means the class is defined directly under the root node;
mayContain: attributes the class may contain (here the OID of the QQ attribute defined above);
mustContain: attributes the class must contain;
possSuperiors: the classes under which instances of this class may be created.
The code above was tested successfully in ADAM.
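As an added example that is not part of the original post, here is a small Python pre-flight linter covering both scripts above (the QQ attributeSchema entry and the classSchema entry): it parses an .ldf file and checks the rules this page states (the attributeSyntax/oMSyntax pairs from the table, DN syntax for LinkID attributes, objectClassCategory 0-3, required keys) before ldifde imports it. The function names, the SAMPLE_LDIF copy of the QQ entry and the wording of the problem messages are my own choices.

```python
# Added pre-flight linter for schema LDIF files (example code, not from the original post):
# checks attributeSchema/classSchema entries against the rules on this page before ldifde
# imports them, because AD schema objects cannot be deleted afterwards, only made defunct.
# attributeSyntax -> allowed oMSyntax values, taken from the table above
SYNTAX_TABLE = {
    "2.5.5.1": {127}, "2.5.5.2": {6}, "2.5.5.3": {27}, "2.5.5.4": {20}, "2.5.5.5": {19, 22},
    "2.5.5.6": {18}, "2.5.5.7": {127}, "2.5.5.8": {1}, "2.5.5.9": {2, 10}, "2.5.5.10": {4, 127},
    "2.5.5.11": {23, 24}, "2.5.5.12": {64}, "2.5.5.13": {127}, "2.5.5.14": {127},
    "2.5.5.15": {66}, "2.5.5.16": {65}, "2.5.5.17": {4},
}
# keys every entry of that kind must carry (lowercased, as parse_ldif normalises them)
REQUIRED = {
    "attributeschema": ("ldapdisplayname", "attributeid", "attributesyntax", "omsyntax"),
    "classschema": ("ldapdisplayname", "governsid", "objectclasscategory", "subclassof"),
}
# The QQ attribute from this page, embedded as a constructed sample input
SAMPLE_LDIF = "\n".join(["dn: cn=QQ,cn=schema,cn=configuration,dc=x", "changetype: add",
    "objectclass: attributeSchema", "lDAPDisplayName: QQ",
    "attributeId: 1.3.6.1.4.1.999.1.1.28.11", "oMSyntax: 2", "attributeSyntax: 2.5.5.9",
    "isSingleValued: True", "searchFlags: 1", 'description: "QQ Number"'])

def parse_ldif(text):
    """Split LDIF into blank-line separated entries; keys lowercased, values kept as lists.
    Folded continuation lines (leading space) are appended to the previous value."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur: entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:
            cur[last][-1] += line[1:]
        elif not line.startswith("#"):  # '#' lines are LDIF comments
            key, _, val = line.partition(":")
            last = key.strip().lower()
            cur.setdefault(last, []).append(val.strip())
    return entries + [cur] if cur else entries

def lint_schema_ldif(text):
    """Return a list of problems; an empty list means every schema entry passed."""
    problems = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["<no dn>"])[0]
        kind = next((k for k in REQUIRED if k in map(str.lower, e.get("objectclass", []))), None)
        problems += [f"{dn}: missing {r}" for r in REQUIRED.get(kind, ()) if r not in e]
        if kind == "attributeschema":
            syn, om = e.get("attributesyntax", [""])[0], e.get("omsyntax", [""])[0]
            if syn in SYNTAX_TABLE and (not om.isdigit() or int(om) not in SYNTAX_TABLE[syn]):
                problems.append(f"{dn}: oMSyntax {om} is not valid for attributeSyntax {syn}")
            if "linkid" in e and (syn, om) != ("2.5.5.1", "127"):
                problems.append(f"{dn}: linked attribute (linkID) must use DN syntax 2.5.5.1/127")
        elif kind == "classschema" and e.get("objectclasscategory", [""])[0] not in {"0", "1", "2", "3"}:
            problems.append(f"{dn}: objectClassCategory must be 0 (88), 1, 2 or 3")
    return problems
```

Because the dn lines on this page end in the placeholder dc=x, ldifde's -c switch (for example -c "dc=x" "dc=yourdomain,dc=com") can rewrite it to the real naming context at import time.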