[python-ldap] LDAP Schema: MUST/MAY Attributes

Michael Ströder michael at stroeder.com
Wed Jan 16 19:24:28 CET 2013

Nyasha Chigwamba wrote:
> I have created a client application that has minimal "schema-awareness". I
> would like to validate my data before I send to Active Directory. When
> creating a new instance for a user (objectClass: 'top',
> 'organizationalPerson', 'person', 'user'), I find that there are some
> attributes that are marked as MUST, yet they are not required by AD for the
> instance to be created. An example of one such attribute is
> 'nTSecurityDescriptor'.
> I have looked at the web2ldap interface and the addition of instances only
> shows cn, objectClass, and sn as the required attributes. How can I do
> something similar? Should I look at the USAGE property (0 = userApplications, 1 =
> directoryOperation, 2 = distributedOperation, 3 = dSAOperation), in addition
> to the MUST or MAY property?

MS AD does not have a single attribute type description with USAGE in its
subschema (checked today on W2K8R2 because of OpenLDAP ITS#7493).

web2ldap does look at AttributeType.no_user_mod and AttributeType.collective.
If any of them is not None the attribute is considered not to be editable by
the user.

Ciao, Michael.
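
The filtering rule described in the reply above, as an added example that is not part of the original message and is not web2ldap's code: MUST attributes whose type is flagged NO-USER-MODIFICATION or COLLECTIVE (the flags python-ldap exposes as AttributeType.no_user_mod and AttributeType.collective) are left out of what the client asks the user for. It uses a small stdlib-only parser instead of python-ldap; the schema strings, OIDs, example* names and the function names are constructed assumptions.

```python
import re

# Constructed subschema values in RFC 4512 syntax. OIDs and the example* names
# are made up for illustration; they are not copied from any real directory.
ATTRIBUTE_TYPES = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'cn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
    "( 1.3.6.1.4.1.99999.1.2 NAME ( 'sn' 'surname' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 1.3.6.1.4.1.99999.1.3 NAME 'exampleServerStamp' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 NO-USER-MODIFICATION )",
    "( 1.3.6.1.4.1.99999.1.4 NAME 'exampleSharedFax' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 COLLECTIVE )",
]
OBJECT_CLASSES = [
    "( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson' SUP top STRUCTURAL MUST ( cn $ sn ) MAY description )",
    "( 1.3.6.1.4.1.99999.2.2 NAME 'exampleUser' SUP examplePerson STRUCTURAL MUST ( cn $ exampleServerStamp $ exampleSharedFax ) )",
]
KEYWORDS = {"NAME", "DESC", "OBSOLETE", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
            "SYNTAX", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION",
            "USAGE", "ABSTRACT", "STRUCTURAL", "AUXILIARY", "MUST", "MAY"}
TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")

def parse(desc):
    """Return {KEYWORD: [values]} for one description; bare flags map to []."""
    tokens = TOKEN.findall(desc)[1:-1]          # drop the outer parentheses
    fields, key = {"OID": [tokens[0]]}, "OID"
    for tok in tokens[1:]:
        if tok in KEYWORDS:                     # quoted strings never match
            key = tok
            fields[key] = []
        elif tok not in ("(", ")", "$"):
            fields[key].append(tok.strip("'"))
    return fields

def index(descriptions):
    """Map every lower-cased NAME to its parsed description."""
    return {n.lower(): p for p in map(parse, descriptions) for n in p["NAME"]}

def split_must(object_classes):
    """Split the MUST attributes of an entry's objectClass values into
    (editable, not_editable); unknown attribute types stay in editable."""
    attrs, classes = index(ATTRIBUTE_TYPES), index(OBJECT_CLASSES)
    editable, not_editable = [], []
    for oc in object_classes:
        for name in classes.get(oc.lower(), {}).get("MUST", []):
            at = attrs.get(name.lower(), {})
            flagged = "NO-USER-MODIFICATION" in at or "COLLECTIVE" in at
            bucket = not_editable if flagged else editable
            if name not in editable + not_editable:
                bucket.append(name)
    return editable, not_editable
```

This only decides which fields a client form prompts for; the directory server still enforces its own rules on the add operation, so a rejected add has to be handled either way.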
