Printout Header
LEX RSS Feed

LEX Online Manual Content

Application Options - Attribute Syntaxes

In this dialog, you can configure which attributes are handled by LEX as special syntax attributes.

Application options: Attribute Syntaxes

Whenever you click on a button on this dialog to configure a certain attribute syntax list, the Choose Attributes dialog is shown:

The Choose Attributes dialog

You have the following choices:

Add: This adds a single attribute name to the list. You can enter the name in the text box right beside the button. LEX can even show the existing attributes in the pull down menu of the text box. You can use the Add button only if the text box is not empty.

Select from list: This opens a dialog, where you can select one or more attribute from the complete list of all classes in the directory schema. The selected class names will be added to the regarding list.

Delete: This deletes all the class names from the regarding list which are currently selected.

Reset defaults: This resets the list to the default attributes for the regarding list which comes with LEX.



Microsoft Interval Attributes


When Microsoft introduced it's own Active Directory LDAP servers, they specified a proprietary attribute syntax named 'Large Integer'. The unique object identifier (OID) is 2.5.5.16. The values of such Large Integer attributes consists of 64 bits, normally representing a numeric value. But there are two special meanings for Large Integer where the value represents a time interval, given in steps of 100 nanoseconds:

Datetime Attributes: Large Integer attributes can represent a date and time value in some cases. Unfortunately, Microsoft didn't use the generalized time string syntax for an UTC (described in RFC 4517 'LDAP Syntaxes and Matching Rules', section 3.3.13 and 3.3.34) for all it's directory attributes. Some of the date and time values are described by the number of 100 nanosecond steps since 12:00 AM, January 1, 1601. This is historically derived by the Filetime structure used in Microsoft operating systems.

So some of the most interesting date/time attributes in AD environments (for example lastLogon, lastLogonTimestamp, pwdLastSet, accountExpires) are Large Integers which have to be interpreted as date and time. LEX can do this, but a list is needed for what attributes this interpretation is to be done. You can configure this list with the Datetime Attributes button. Normally you will not have to work hard on this list because all the standard Large Integer attributes which are date and time values are predefined as default values.

Interval Attributes: Large Integer attributes can represent a time interval value in some cases. Whenever Microsoft wants to store an value, which represents a time interval, a large integer attribute is used, the time interval is expressed by number of 100 nanosecond steps, given as a negative number.

So some interesting time interval attributes in AD environments (for example parameters for the password policies in an AD domain) are Large Integers which have to be interpreted as an interval. LEX can do this, but a list is needed for what attributes this interpretation is to be done. You can configure this list with the Interval Attributes button. Normally you will not have to work hard on this list because all the standard Large Integer attributes which are time interval values are predefined as default values.



Password Attributes


LEX can create hash values for password attributes which are not allowed to be stored in cleartext in the many directory environments. For this purpose a special password attribute editor is available which is always used for the following attributes:

  • userPassword
  • sambaLMPassword
  • lmPassword
  • sambaNTPassword
  • ntPassword

Some of the hash algorithms can be made even safer by adding a additional random value (the 'salt') which is added to the password string before the hash value is calculated.

In the parameter Salt length for cryptographic hash algorithms like SMD5 or SSHA, you can specify how long the salt data should be (in bytes). This salt length is used for the following algorithms:

  • SMD5
  • SSHA
  • SSHA-256
  • SSHA-348
  • SSHA-512

You may have noticed that the leading 'S' in the algorithm names means 'salted'. The standard salt length use by LEX for the regarding algorithms is 8 bytes or 64 bits, which fits to the most LDAP servers. In some cases an LDAP server could demand another salt length, so you can adjust the value here.



Bitmap Image / Photo Attributes


There are some generic LDAP attribute syntaxes which represents bitmap or image data by default. In RFC 4517, there are to different syntaxes described:

  • JPEG (Object Identifier 1.3.6.1.4.1.1466.115.121.1.28) in RFC Section 3.3.17
  • FAX (Object Identifier 1.3.6.1.4.1.1466.115.121.1.23) in RFC Section 3.3.12

If there should be some attributes with these syntaxes in your current directory, LEX shows automatically the according bitmap attribute editor:

Bitmap attribute editor

But there may also be other attributes which contains bitmaps but are marked as generic binary attributes in the directory schema - or with some other attribute syntax. An example is the attribute 'photo' for Active Directory user objects. If you want LEX to handle such attributes as bitmap attributes, then you have to add them to this list.



GUID Attributes


There are some generic binary LDAP attribute syntaxes which represents GUID data by default. Instead of displaying just the binary data, LEX can display the GUID representation in object or attribute lists. An example of the GUID notation:

59b758d7-7ce7-44e5-81cd-81db9e527087

For GUIDs, LEX uses a specific editor, which can toggle between the GUID and the basic binary output.

Guid attribute editor

This option provides a list with the information for what attributes this interpretation is to be done. Normally you will not have to work hard on this list because all the standard GUID attributes are predefined as default values.



Binary Option Attributes


Some directory systems enforce a special treatment for certain attributes, so that the LDAP attribute option 'binary' must be used. The reason for this: The regarding attribute values or assertion values must be BER (Basic Encoding Rules) encoded - otherwise the values are encoded according to the LDAP-specific encoding RFC 4517 for the attribute's syntax. To signalize this special handling, the LDAP server returns such attributes only with the 'binary' option.

LDAP options like the 'binary' option are generally described in in LDAP v3 specification in RFC 4511. They are added to the attribute names as a suffix whenever the LDAP server and client communicate with each other, for example like this:

userCertificate;binary

The 'binary' option in particular is described in RFC 4522. Sometimes it is not marked clearly in the directory schema when an attribute requires a handling with the 'binary' option. In this cases you have the possibility to put such an attribute into the Binary Option Attributes list, so that this attribute can be read and written without issues.

You will realize when an attribute needs to be added to this list when you see it in the attribute list panel with the ';binary' string at the end of the attribute's name:

Attribute which needs the LDAP binary option

Another symptom which alerts you to add such an attribute name to the Binary Option Attributes list: An protocol error occurs if you want to write such an attribute without the 'binary' option:

Write error for attribute which needs the LDAP binary option