Changing the Naming Attribute of the InetOrgPerson Class

Summary

Every object in Active Directory is an instance of an object class that is defined in the Active Directory schema. An object class represents a category of objects, such as users, printers, or application programs, that share a set of common characteristics. The definition for each object class contains a list of the attributes that can be used to describe instances of the class.

The InetOrgPerson object class is a general purpose object class that defines attributes about people in Lightweight Directory Access Protocol (LDAP) and X.500 directories.

Every object in Active Directory has a naming attribute from which its relative distinguished name (RDN) is formed. Which attribute that is comes from the rdnAttID attribute of the object's classSchema definition. For most classes it is Common-Name (cn), so the RDN of an instance has the form CN=<value of the object's cn attribute>.

In Active Directory, cn is the naming attribute for the InetOrgPerson class. Other LDAP directories, such as iPlanet, may name InetOrgPerson objects by a different attribute, such as employeeID. This article shows, as an example, how administrators can make employeeID the naming attribute for the InetOrgPerson class.

If you modify the relative distinguished name attribute of any class from its standard definition, applications that assume the standard naming may stop working, and migration scenarios may run into problems. If you must change the RDN attribute for a particular application's compatibility, Microsoft recommends that you do so in a forest dedicated to that application, to avoid compatibility problems with other applications.

Once the relative distinguished name attribute for a class is changed, all new instances of the class will use the new relative distinguished name attribute. The relative distinguished name attribute for previous instances will not change and cannot be changed. To change the relative distinguished name attribute for existing objects, you must perform the following tasks:
  1. Export the existing objects.
  2. Delete the existing objects from the directory.
  3. Redefine the class with the new relative distinguished name attribute.
  4. Modify the exported version to use the new relative distinguished name attribute.
  5. Import the data back into the directory.
This method may not be acceptable for user objects because the security identifiers (SIDs) and passwords cannot be preserved.

Microsoft recommends that administrators not modify the relative distinguished name attribute in the schema.

More Information

Windows Server 2003 domain controllers permit administrators to make an attribute or class schema definition defunct and later redefine it with different properties.

The following steps outline how to make a class defunct and change the RDN attribute in its definition.
  1. Use the Active Directory Domains and Trusts tool to raise the domain and forest functional levels to Windows Server 2003. Reusing a defunct class's identifiers (ldapDisplayName, governsID, schemaIDGUID) for a new definition, which the LDIF below does, requires the Windows Server 2003 forest functional level. To raise the levels:
    1. Open Active Directory Domains and Trusts.
    2. In the left pane, right-click the domain that you want to raise, and then click Raise Domain Functional Level.
    3. In the Select an available domain functional level list, click Windows Server 2003, and then click Raise.
    4. Click OK, and then click OK.
    5. Right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
    6. In the Select an available forest functional level list, click Windows Server 2003, and then click Raise.
    7. Click OK, and then click OK.
  2. The RDN attribute of a class cannot be changed after the class has been defined; the class must first be made defunct, and only classes that do not carry the system protection flag can be made defunct.

    Confirm that the FLAG_SCHEMA_BASE_OBJECT bit (0x10, bit 4) of the systemFlags attribute on the inetOrgPerson classSchema object is not set. It is 0 by default for this class; schema objects that carry this flag belong to the base schema and cannot be made defunct.
  3. Using LDP.exe or an equivalent LDAP editor, set the isDefunct attribute of the inetOrgPerson classSchema object to TRUE. While a class or attribute is defunct, new instances of it can no longer be created; existing instances remain in the directory.
  4. After it becomes defunct, redefine the class with the same properties and a new naming attribute ID. The new naming attribute may be referenced by its OID or ldapDisplayName. For example, either of the following syntaxes is acceptable to refer to an attribute (UID in this case):
    • rdnAttID: UID
    • rdnAttID: 0.9.2342.19200300.100.1.1
  5. Import the new definition of InetOrgPerson with the desired naming attribute.

    The following sample LDIF file makes the InetOrgPerson class defunct (step 3), renames the defunct classSchema object to inetOrgPersonOld so that its distinguished name is free for the new definition, redefines the class with employeeID (1.2.840.113556.1.4.35) as the naming attribute (step 4), and imports the new definition of InetOrgPerson (step 5). Each schema change is followed by a schemaUpdateNow write to the rootDSE so that the schema cache is reloaded before the next operation. To run this script, copy the text between "START CUT HERE" and "END CUT HERE" into Notepad.exe and save it as
    RDN.LDF. Run ldifde from a command prompt on the schema master (the Windows Server 2003 domain controller that holds the schema flexible single-master operations (FSMO) role) while logged on as a member of the Schema Admins group:
    ldifde /i /f <ldif file> /c "DC=X" "<distinguished name of the forest root domain>"
    The /c switch replaces the placeholder DC=X in the file with the distinguished name of the forest root domain, under which CN=Schema,CN=Configuration resides. To run the script against a Windows Server 2003 forest MYDOMAIN.COM, the syntax would be:
    ldifde /i /f rdn.ldf /c "DC=X" "dc=mydomain,dc=com" (where "DC=X" is a constant)
    START CUT HERE

    dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
    changetype: modify
    replace: isDefunct
    isDefunct: TRUE
    -

    dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
    changetype: modrdn
    newrdn: cn=inetOrgPersonOld
    deleteoldrdn: 1


    dn:
    changetype: modify
    add: schemaUpdateNow
    schemaUpdateNow: 1
    -

    dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
    changetype: add
    objectClass: classSchema
    ldapDisplayName: inetOrgPerson
    adminDisplayName: inetOrgPerson
    adminDescription: Represents people who are associated with an organization in some way.
    governsId: 2.16.840.1.113730.3.2.2
    objectClassCategory: 1
    rdnAttId: 1.2.840.113556.1.4.35
    subClassOf: 1.2.840.113556.1.5.9
    mayContain: 2.5.4.45
    mayContain: 2.16.840.1.113730.3.140
    mayContain: 2.16.840.1.113730.3.1.216
    mayContain: 2.5.4.36
    mayContain: 0.9.2342.19200300.100.1.1
    mayContain: 0.9.2342.19200300.100.1.21
    mayContain: 0.9.2342.19200300.100.1.6
    mayContain: 2.16.840.1.113730.3.1.39
    mayContain: 0.9.2342.19200300.100.1.7
    mayContain: 0.9.2342.19200300.100.1.42
    mayContain: 2.5.4.10
    mayContain: 0.9.2342.19200300.100.1.41
    mayContain: 0.9.2342.19200300.100.1.10
    mayContain: 0.9.2342.19200300.100.1.3
    mayContain: 1.3.6.1.4.1.250.1.57
    mayContain: 0.9.2342.19200300.100.1.60
    mayContain: 2.5.4.43
    mayContain: 1.2.840.113556.1.2.617
    mayContain: 0.9.2342.19200300.100.1.20
    mayContain: 2.5.4.42
    mayContain: 1.2.840.113556.1.2.613
    mayContain: 1.2.840.113556.1.2.610
    mayContain: 1.2.840.113556.1.2.13
    mayContain: 2.16.840.1.113730.3.1.2
    mayContain: 2.16.840.1.113730.3.1.1
    mayContain: 2.5.4.15
    mayContain: 0.9.2342.19200300.100.1.55
    possSuperiors: 1.2.840.113556.1.5.67
    possSuperiors: 2.5.6.5
    possSuperiors: 1.2.840.113556.1.3.23
    schemaIdGuid:: FMwoSDcUvEWbB61vAV5fKA==
    defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
    showInAdvancedViewOnly: FALSE
    defaultHidingValue: FALSE
    systemOnly: FALSE
    defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=X
    systemFlags: 0

    dn:
    changetype: modify
    add: schemaUpdateNow
    schemaUpdateNow: 1
    -
    END CUT HERE
  6. Redefine the naming attribute for any existing InetOrgPerson objects:

    After the RDN attribute for a class is changed, all new instances of the class use the new naming attribute. Ideally, the naming attribute should be changed before any user accounts based on InetOrgPerson are created, because the SIDs, passwords, and naming attribute of existing instances cannot be changed in place. To change the naming attribute for existing objects in Active Directory:
    1. Export the existing objects.
    2. Delete the existing objects from the directory.
    3. Import the data back into a domain controller on which the InetOrgPerson schema class has been modified.
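The following Python helpers are an added example, not code from the Microsoft article. They cover step 2 and step 6 above: checking an exported inetOrgPerson classSchema object for the FLAG_SCHEMA_BASE_OBJECT bit and decoding its schemaIDGUID so it can be compared with the value in RDN.LDF, and rewriting an ldifde export of existing InetOrgPerson objects so that each DN uses employeeID as its RDN, skipping objects that have no employeeID and dropping attributes such as objectSid that ldifde cannot import. The sample LDIF records are constructed, and the NOT_IMPORTABLE set is an assumption to extend for your environment.

```python
# Added example (not part of the Microsoft article): offline helpers for step 2 (the systemFlags
# check) and step 6 (re-naming exported objects). They work on LDIF text such as "ldifde /f"
# produces; the sample exports below are constructed and NOT_IMPORTABLE is an assumed list.
import base64
import re
import uuid

FLAG_SCHEMA_BASE_OBJECT = 0x10  # systemFlags bit 4: base-schema object, cannot be made defunct
# Exported attributes that ldifde /i cannot write back (objectSid is why SIDs are not preserved).
NOT_IMPORTABLE = {"objectguid", "objectsid", "whencreated", "whenchanged", "usncreated", "usnchanged",
                  "dscorepropagationdata", "distinguishedname", "name", "instancetype",
                  "primarygroupid", "memberof", "changetype"}

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; unfolds continuation lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                       # folded continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    records, dn, attrs = [], None, {}
    for line in lines + [""]:                          # trailing "" flushes the last record
        if not line:
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        if name.lower() == "dn":
            dn = value.decode("utf-8") if isinstance(value, bytes) else value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return records

def preflight(class_record):
    """Step 2: reasons the inetOrgPerson classSchema cannot be made defunct; [] means go."""
    attrs, problems = class_record[1], []
    if int(attrs.get("systemflags", ["0"])[0]) & FLAG_SCHEMA_BASE_OBJECT:
        problems.append("FLAG_SCHEMA_BASE_OBJECT (0x10) is set on systemFlags")
    if attrs.get("isdefunct", ["FALSE"])[0].upper() == "TRUE":
        problems.append("class is already defunct")
    return problems

def schema_id_guid(class_record):
    """Decode schemaIDGUID (base64 of a little-endian GUID) so the live class can be compared
    with the schemaIdGuid value in RDN.LDF before the new definition reuses it."""
    return str(uuid.UUID(bytes_le=class_record[1]["schemaidguid"][0]))

def rewrite_rdn(records, new_attr="employeeID"):
    """Step 6: rename exported inetOrgPerson entries to <new_attr>=<value>,<parent> and drop attributes
    ldifde cannot import. Entries without exactly one new_attr value cannot be named under the new
    rdnAttId, so they are returned separately instead of being imported under a wrong name."""
    renamed, skipped = [], []
    for dn, attrs in records:
        if "inetorgperson" not in [v.lower() for v in attrs.get("objectclass", [])]:
            continue                                   # other classes are left alone
        values = attrs.get(new_attr.lower(), [])
        if len(values) != 1 or not values[0]:
            skipped.append(dn)
            continue
        parent = re.split(r"(?<!\\),", dn, maxsplit=1)[1]   # drop the old RDN; skips escaped commas
        rdn_value = "".join("\\" + c if c in ',+"\\<>;' else c for c in values[0])  # RFC 4514 escapes
        renamed.append(("%s=%s,%s" % (new_attr, rdn_value, parent),
                        {k: v for k, v in attrs.items() if k not in NOT_IMPORTABLE}))
    return renamed, skipped

def to_ldif(records):
    """Serialise as 'changetype: add' LDIF for ldifde /i; binary values go back to base64.
    Attribute names come out lowercased, which LDAP treats as equivalent."""
    blocks = []
    for dn, attrs in records:
        lines = ["dn: " + dn, "changetype: add"]
        for name, values in attrs.items():
            lines += ["%s:: %s" % (name, base64.b64encode(v).decode()) if isinstance(v, bytes)
                      else "%s: %s" % (name, v) for v in values]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

# Constructed sample exports (not real directory data); the GUID is inetOrgPerson's from RDN.LDF.
SAMPLE_CLASS_LDIF = """\
dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=mydomain,DC=com
objectClass: classSchema
rdnAttID: cn
schemaIDGUID:: FMwoSDcUvEWbB61vAV5fKA==
systemFlags: 0
"""
SAMPLE_USERS_LDIF = """\
dn: CN=Doe\\, Jane,OU=Staff,DC=mydomain,DC=com
objectClass: inetOrgPerson
cn: Doe, Jane
employeeID: E10042
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsMUQQAAA==

dn: CN=Bob Lee,OU=Staff,DC=mydomain,DC=com
objectClass: inetOrgPerson
cn: Bob Lee
"""

if __name__ == "__main__":
    renamed, skipped = rewrite_rdn(parse_ldif(SAMPLE_USERS_LDIF))
    print(to_ldif(renamed), "skipped (no employeeID):", skipped)
```

Run the exported users through rewrite_rdn after the schema change and before ldifde /i. As the article says, the objects come back with new SIDs and without passwords, and anything reported in skipped needs an employeeID value first, because it cannot exist under the new naming attribute without one.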

References

For information about making classes defunct, refer to the following Microsoft Web site:

Article ID: 307998 - Last Review: 10 Dec 2008 - Revision: 1
