What is a linked attribute?
Linked attributes come in pairs and have a forward link and a backward link. Probably the most obvious example is group membership. The member attribute of the group is the forward link and the corresponding memberOf attribute of the member object (usually a user, inetOrgPerson, computer or group) is the back link.
How do they work?
The forward link behaves in much the same way as any other attribute. The values can be single-valued or multi-valued and are stored together with the parent object in the directory. Back links on the other hand are maintained by the system to ensure referential integrity.
When you query for the value of a back link attribute, the results are calculated from all the matching forward link values. Back links are always multi-valued. The forward link value contains the Distinguished Names (DNs) of the objects that carry the back link. The back link value consists of the DNs of the objects that carry the forward link.
Here’s the (truncated) example output from LDP.EXE:
Group object
Dn: CN=HumanResources,OU=Groups,DC=north,DC=com
objectClass: top; group;
cn: HumanResources;
member: CN=Arthur Miller,OU=Users,OU=Americas,DC=north,DC=com; CN=Franz Kafka,OU=Users,OU=Americas,DC=north,DC=com;

User object
Dn: CN=Franz Kafka,OU=Users,OU=Americas,DC=north,DC=com
objectClass: top; person; organizationalPerson; user;
cn: Franz Kafka;
memberOf: CN=HumanResources,OU=Groups,DC=north,DC=com; CN=Domain Admins,CN=Users,DC=north,DC=com;
Why have linked attributes?
I haven’t seen an official explanation, but I can think of two reasons why they would be useful. The first is consistency. Storing only one half of the link in the directory database ensures that queries for the back link attribute values are always consistent with the information stored in the forward link.
The second reason is that it is an efficient means of storage in the directory database and keeps the space used to a minimum. Consider a group with 4000 members. If the directory had to store both the forward and back link attribute values in the directory, it would use twice the space.
Are there other examples?
Here’s the full set of linked attributes from the base Windows 2003 schema. Note that schema extensions (such as those for Microsoft Exchange Server 2003) introduce additional linked attributes.
| ldapdisplayname | linkid |
|---|---|
| Member | 2 |
| memberOf | 3 |
| Manager | 42 |
| directReports | 43 |
| Owner | 44 |
| ownerBL | 45 |
| siteObject | 46 |
| siteObjectBL | 47 |
| nonSecurityMember | 50 |
| nonSecurityMemberBL | 51 |
| queryPolicyObject | 68 |
| queryPolicyBL | 69 |
| privilegeHolder | 70 |
| isPrivilegeHolder | 71 |
| managedBy | 72 |
| managedObjects | 73 |
| hasPartialReplicaNCs | 74 |
| hasMasterNCs | 76 |
| masteredBy | 77 |
| syncMembership | 78 |
| serverReference | 94 |
| serverReferenceBL | 95 |
| bridgeheadTransportList | 98 |
| bridgeheadServerListBL | 99 |
| netbootServer | 100 |
| netbootSCPBL | 101 |
| frsComputerReference | 102 |
| frsComputerReferenceBL | 103 |
| fRSMemberReference | 104 |
| fRSMemberReferenceBL | 105 |
| fRSPrimaryMember | 106 |
| siteLinkList | 142 |
| siteList | 144 |
| msCOM-PartitionLink | 1040 |
| msCOM-PartitionSetLink | 1041 |
| msDS-NC-Replica-Locations | 1044 |
| msFRS-Hub-Member | 1046 |
| msCOM-UserPartitionSetLink | 1048 |
| msCOM-UserLink | 1049 |
| msDS-SDReferenceDomain | 2000 |
| msDS-HasInstantiatedNCs | 2002 |
| msDS-NonMembers | 2014 |
| msDS-NonMembersBL | 2015 |
| msDS-MembersForAzRole | 2016 |
| msDS-MembersForAzRoleBL | 2017 |
| msDS-OperationsForAzTask | 2018 |
| msDS-OperationsForAzTaskBL | 2019 |
| msDS-TasksForAzTask | 2020 |
| msDS-TasksForAzTaskBL | 2021 |
| msDS-OperationsForAzRole | 2022 |
| msDS-OperationsForAzRoleBL | 2023 |
| msDS-TasksForAzRole | 2024 |
| msDS-TasksForAzRoleBL | 2025 |
| msDS-HasDomainNCs | 2026 |
| msDS-hasMasterNCs | 2036 |
| msDs-masteredBy | 2037 |
| msDS-ObjectReference | 2038 |
| msDS-ObjectReferenceBL | 2039 |
How do I know if an attribute is linked?
All attributes that form part of the schema have corresponding objects in AD, known as attributeSchema objects. The attributeSchema objects that represent linked attributes have an attribute called linkID. Forward link attributes have an even linkID value, while back links have an odd value. The table above shows a good example with member (linkID=2) and memberOf (linkID=3).
You can find all the linked attributes in your schema by performing a simple LDAP query with the following characteristics:
BaseDN: CN=Schema,CN=Configuration,<ForestRootDN>
Scope: onelevel
Filter: (&(objectclass=attributeSchema)(linkid=*))
You can use any LDAP client to perform the search. A good way to do this from the command line is to use ADFIND from www.joeware.net, as shown in the following example. Another option is to use LDP.EXE from the support tools.
adfind.exe -b "CN=Schema,CN=Configuration,DC=north,DC=com" -s OneLevel -f "(&(objectClass=attributeSchema)(linkid=*))" ldapdisplayname linkid
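The following is an added example, not part of the original article: it parses output from the query above and pairs each forward link with its back link, relying on the rule that a back link's linkID is the forward link's linkID plus one (as the pairs in the table show). It assumes adfind's default output layout of a "dn:" line followed by ">attribute: value" lines; the function names and the sample text are constructed for illustration.

```python
# Constructed sample in the style of adfind's default output: a "dn:" line,
# then ">attribute: value" lines. The dn values are placeholders; the names
# and linkID values come from the table above.
SAMPLE = """\
dn:CN=placeholder-1,CN=Schema,CN=Configuration,DC=north,DC=com
>lDAPDisplayName: Member
>linkID: 2
dn:CN=placeholder-2,CN=Schema,CN=Configuration,DC=north,DC=com
>lDAPDisplayName: memberOf
>linkID: 3
dn:CN=placeholder-3,CN=Schema,CN=Configuration,DC=north,DC=com
>lDAPDisplayName: Manager
>linkID: 42
dn:CN=placeholder-4,CN=Schema,CN=Configuration,DC=north,DC=com
>lDAPDisplayName: directReports
>linkID: 43
dn:CN=placeholder-5,CN=Schema,CN=Configuration,DC=north,DC=com
>lDAPDisplayName: siteLinkList
>linkID: 142
"""

def parse_adfind(text):
    """Return {ldapDisplayName: linkID} for every record that has both values."""
    attrs, record = {}, {}
    for line in text.splitlines() + ["dn:"]:  # sentinel flushes the last record
        if line.startswith("dn:"):
            if "ldapdisplayname" in record and "linkid" in record:
                attrs[record["ldapdisplayname"]] = int(record["linkid"])
            record = {}
        elif line.startswith(">"):
            key, _, value = line[1:].partition(":")
            record[key.strip().lower()] = value.strip()
    return attrs

def pair_links(attrs):
    """Pair each even (forward) linkID with the odd linkID one above it (back link)."""
    by_id = {link_id: name for name, link_id in attrs.items()}
    pairs, forward_only, back_only = [], [], []
    for link_id in sorted(by_id):
        if link_id % 2 == 0 and link_id + 1 in by_id:
            pairs.append((by_id[link_id], by_id[link_id + 1]))
        elif link_id % 2 == 0:
            forward_only.append(by_id[link_id])  # forward link, no back link defined
        elif link_id - 1 not in by_id:
            back_only.append(by_id[link_id])     # back link whose forward link is missing
    return pairs, forward_only, back_only

if __name__ == "__main__":
    print(pair_links(parse_adfind(SAMPLE)))
```

Run against a full schema dump, the forward-only list shows which linked attributes have no back link to query (siteLinkList in this sample), and a non-empty back-only list points to an incomplete export or schema.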