Modifying the Attributes Included with ANR







Problem

You want to modify the attributes that are included as part of ANR.

Solution

For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See Recipe 11.2 for more information.


Using a graphical user interface
  1. To proceed, you must have first indexed the attribute.

  2. Open the Active Directory Schema snap-in.

  3. In the left pane, click on the Attributes folder.

  4. In the right pane, double-click the attribute you want to edit.

  5. Check the box beside ANR.

  6. Click OK.

Using a command-line interface

You can include an attribute as part of ANR by using the ldifde utility and an LDIF file that contains the following:

	dn: cn=rallencorp-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
	changetype: modify
	replace: searchFlags
	searchFlags: 5
	-

If the LDIF file were named add_anr_attr.ldf, you'd run the following command:

	> ldifde -v -i -f add_anr_attr.ldf

You can also modify the searchFlags attribute using AdMod, as follows:

	> admod -b <AttributeDN> searchFlags::5

Using VBScript
	' This code will make an attribute part of the ANR set.
	' ------ SCRIPT CONFIGURATION ------
	' Set to the common name (not LDAP display name) of the attribute
	strAttrName = "<AttrCommonName>" ' e.g. rallencorp-LanguagesSpoken
	' ------ END CONFIGURATION --------

	set objRootDSE = GetObject("LDAP://RootDSE")
	set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
	                        objRootDSE.Get("schemaNamingContext"))
	objAttr.Put "searchFlags", 5
	objAttr.SetInfo
	WScript.Echo "New ANR attribute: " & strAttrName

The CLI and VBScript solutions assume that searchFlags wasn't previously set; if a value is present, they just blindly overwrite it. Check out Recipe 4.15 for a better solution that will enable the bit you want without overwriting any previous settings.
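The overwrite problem described in the note above, as an added example that is not from the book: it merges the index and ANR bits into an existing searchFlags value, reports which other flags a blind write of 5 would have cleared, and emits an LDIF record in the same shape as the recipe's file. The function names and the sample current value are constructed for illustration; the bit names other than index and ANR follow Microsoft's searchFlags documentation rather than this recipe.

```python
# Added example: preserve existing searchFlags bits when enabling ANR.
INDEX = 0x1   # attribute is indexed
ANR = 0x4     # attribute is part of the ANR set

# Remaining searchFlags bits, named per Microsoft's schema documentation.
OTHER_BITS = {
    0x2: "container index",
    0x8: "preserve on tombstone",
    0x10: "copy with object",
    0x20: "tuple index",
    0x40: "subtree index",
    0x80: "confidential",
    0x100: "never audit value",
    0x200: "RODC filtered",
}

def anr_flags(current):
    """Return searchFlags with index+ANR set and every other bit preserved.
    `current` is the value read from the attribute, or None if unset."""
    return (current or 0) | INDEX | ANR

def lost_by_overwrite(current, blind=INDEX | ANR):
    """Names of the flags that replacing searchFlags with `blind` would clear."""
    cleared = (current or 0) & ~blind
    return [name for bit, name in OTHER_BITS.items() if cleared & bit]

def build_ldif(attr_dn, current):
    """LDIF modify record for ldifde, using the merged value."""
    return "\n".join([
        f"dn: {attr_dn}",
        "changetype: modify",
        "replace: searchFlags",
        f"searchFlags: {anr_flags(current)}",
        "-",
        "",
    ])

if __name__ == "__main__":
    dn = "cn=rallencorp-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>"
    current = 0x80 | 0x10   # constructed sample: confidential + copy with object
    print("A blind write of 5 would clear:", lost_by_overwrite(current))
    print(build_ldif(dn, current))
```

Read the attribute's current searchFlags first (for example with the schema search shown in the Discussion) and pass that value in as `current`.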


Discussion

ANR is an efficient search algorithm that allows for a complex search filter to be written using a single comparison. For example, a search for (anr=Jim Smith) would translate into the following query:

  • An OR filter with every attribute in the ANR set against Jim Smith*

  • A filter for givenName = Jim* and sn = Smith*

  • A filter for givenName = Smith* and sn = Jim*

These filters are ORed together and then processed by Active Directory. Since all default ANR attributes are also indexed, the query should return quickly.

Here is a list of the default attributes that are included as part of ANR searches. The LDAP display name of the attribute is shown first, with the common name in parentheses:

  • displayName (Display-Name)

  • givenName (Given-Name)

  • legacyExchangeDN (Legacy-Exchange-DN)

  • msDS-AdditionalSamAccountName (ms-DS-Additional-Sam-Account-Name)

  • physicalDeliveryOfficeName (Physical-Delivery-Office-Name)

  • name (RDN)

  • sAMAccountName (SAM-Account-Name)

  • sn (Surname)

msDS-AdditionalSamAccountName was added as an ANR attribute in Windows Server 2003.


One requirement of any new ANR attribute is that the attribute must also be indexed. ANR searches are intended to be very fast, so if a nonindexed attribute were added to the set, it could dramatically impact the performance of the searches. Therefore, Active Directory requires that each added attribute be indexed.

You can use adfind with the -stats+only switch to verify what the ANR expansion actually looks like. You can find out which attributes are included in the ANR set by using the following search criteria:


Base
	cn=Schema,cn=Configuration,<ForestRootDN>

Filter
	(&(objectcategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))

Scope
	onelevel

Alternatively, to find attributes that aren't included in ANR, change the previous search filter to the following:

	(&(objectcategory=attributeSchema)(!(searchFlags:1.2.840.113556.1.4.803:=4)))

See Also

Recipe 4.15 for modifying a bit flag attribute, Recipe 11.8 for adding a new attribute, MS KB 243299 (Ambiguous Name Resolution for LDAP in Windows 2000), and MS KB 243311 (Setting an Attribute's searchFlags Property to Be Indexed for ANR)


