Attribute Mapping Table

MCommunity Directory to U-M Active Directory (UMROOT Domain)

| AD LDAP Display Name | Single Valued | Mapped from U-M Dir attribute | Comment |
|---|---|---|---|
| dn | n/a | uid and static string | The uid (U-M uniqname) is used as the RDN of the AD user object, i.e. the cn part of the dn. The rest of the dn is static and represents the People OU in the UMICH W2k domain. Example: cn=bjensen,ou=People,ou=UMICH, dc=ads,dc=itcs,dc=umich,dc=edu |
| cn | TRUE | uid | The uid (U-M uniqname) is used as the RDN of the AD user object, i.e. the cn part of the dn. The rest of the dn is static and represents the People OU in the UMICH W2k domain. Example: cn=bjensen,ou=People,ou=UMICH, dc=ads,dc=itcs,dc=umich,dc=edu |
| objectCategory | TRUE | static string | Static string cn=Person,cn=Schema,cn=Configuration, followed by the dc name of the forest root server. Example: cn=Person,cn=Schema,cn=Configuration, dc=adsroot,dc=itcs,dc=umich,dc=edu |
| objectClass | TRUE | static string | Example: top; person; organizationalPerson; user; |
| userPrincipalName | TRUE | uid and static string | uid followed by "@umich.edu". The User Principal Name (UPN) is unique in the W2k forest. The "umich.edu" suffix is unique to the UMICH (ads.itcs.umich.edu) domain, which contains users synced from the MCommunity Directory. Example: bjensen@umich.edu |
| sAMAccountName | TRUE | uid | The uid is the U-M uniqname. The uniqname is used as 1) the W2k user account name (sAMAccountName), 2) the W2k cn, and as the cn value of the user dn in the UMICH domain. See dn above. Example: bjensen |
| displayName | TRUE | cn with changes | Use the cn value with the trailing "uniqifier" number removed. Example: "Robert T Smith 3" becomes "Robert T Smith" |
| Description | FALSE | use AD displayName, derived from cn | The Description attribute is one of three attributes displayed when browsing the AD using the "Users and Computers" tool. Since the U-M uniqname will be used for the dn/cn, the user's full name will be used for the description, and the AD browser can then see both the user's uniqname and full name, unless the user is "private". Example: "Robert T Smith" |
| userAccountControl | TRUE | static string | An OR'd binary value. The update daemon will set this to 66080, or 10220 hex. The value implies "user password never expires", which is necessary for Windows 2000 Kerberos interoperability. Example: 66080 |
| sn | TRUE | sn | User surname. Example: Smith |
| middleName | TRUE | extracted from cn | User middle name. Example: Tobin |
| givenName | TRUE | extracted from cn | User first name. Example: Robert |
| name | TRUE | same as AD displayName | User full name. Example: "Robert T Smith" |
| initials | TRUE | extracted from cn | User middle initial. Example: T |
| company | TRUE | n/a | Not set. Could be "University of Michigan". |
| title | TRUE | 1st value of title | Multi-to-Single valued mapping. One option would be to concatenate titles into one value, but the length of the AD title attribute is probably too short. Example: "Teaching assistant, Physics department" |
| department | TRUE | n/a | Not set. No direct equivalent in MCommunity Directory. |
| streetAddress | TRUE | n/a | Not set. Current address attributes in MCommunity Directory will not map to AD address attributes. |
| postOfficeBox | FALSE | n/a | Not set. Current address attributes in MCommunity Directory will not map to AD address attributes. |
| l | TRUE | n/a | Not set. Current address attributes in MCommunity Directory will not map to AD address attributes. |
| st | TRUE | n/a | Not set. Current address attributes in MCommunity Directory will not map to AD address attributes. |
| postalCode | TRUE | n/a | Not set. Current address attributes in MCommunity Directory will not map to AD address attributes. |
| c | TRUE | n/a | Not set. Current address attributes in MCommunity Directory will not map to AD address attributes. |
| mail | TRUE | uid and static string | The AD mail attribute is constructed from the uid (U-M uniqname) and the standard U-M address, "umich.edu". Example: bjensen@umich.edu |
| otherMailbox | FALSE | all values of mail | All U-M mail attribute values are placed in the AD "otherMail" attribute. These are usually secondary, real email addresses pointed to by the user@umich.edu virtual e-mail address. Order is indeterminate because the LDAP protocol does not support ordered retrieval of multi-valued attributes. Example: bjensen@j.imap.itd.umich.edu;bjensen@hotmail.com |
| telephoneNumber | TRUE | 1st value of telephonenumber | Multi-to-SingleAndOther mapping. First value placed in the telephoneNumber attribute. Remaining values are placed in the AD "otherTelephone" attribute. Order is indeterminate because the LDAP protocol does not support ordered retrieval of multi-valued attributes. Example: +1 234.567.8901 |
| otherTelephone | FALSE | 2-n values of telephonenumber | See telephoneNumber attribute. Example: +1 345.678.9012;+1 456.789.0123 |
| homePhone | TRUE | 1st value of homephone | Multi-to-SingleAndOther mapping. First value placed in the homePhone attribute. Remaining values are placed in the AD "otherHomePhone" attribute. Order is indeterminate because the LDAP protocol does not support ordered retrieval of multi-valued attributes. Example: +1 234.567.8901 |
| otherHomePhone | FALSE | 2-n values of homephone | See homePhone attribute. Example: +1 345.678.9012;+1 456.789.0123 |
| mobile | TRUE | n/a | No MCommunity Directory equivalent. |
| otherMobile | FALSE | n/a | No MCommunity Directory equivalent. |
| pager | TRUE | 1st value of pager | Multi-to-SingleAndOther mapping. First value placed in the pager attribute. Remaining values are placed in the AD "otherPager" attribute. Order is indeterminate because the LDAP protocol does not support ordered retrieval of multi-valued attributes. Example: +1 234.567.8901 |
| otherPager | FALSE | 2-n values of pager | See pager attribute. Example: +1 345.678.9012;+1 456.789.0123 |
| facsimileTelephoneNumber | TRUE | 1st value of facsimileTelephoneNumber | Multi-to-SingleAndOther mapping. First value placed in the facsimileTelephoneNumber attribute. Remaining values are placed in the AD "otherFacsimileTelephoneNumber" attribute. Order is indeterminate because the LDAP protocol does not support ordered retrieval of multi-valued attributes. Example: +1 234.567.8901 |
| otherFacsimileTelephoneNumber | FALSE | 2-n values of facsimileTelephoneNumber | See facsimileTelephoneNumber attribute. Example: +1 345.678.9012;+1 456.789.0123 |
| ipPhone | TRUE | n/a | No MCommunity Directory equivalent. |
| otherIpPhone | FALSE | n/a | No MCommunity Directory equivalent. |
| wWWHomePage | TRUE | labeledURL | This field often contains text, multiple URLs, etc. Parsing is on a best-effort basis. Example: http://www-personal.umich.edu/~bjensen/ |
| url | TRUE | n/a | Not set. See wWWHomePage. |
| umichadOU | FALSE | ou | Multi-valued attribute of organizations with which the user is associated. Example: "College of LSA; Department of Physics" |
| umichadRole | FALSE | extracted from dn | An index "role" attribute, taken from the last part of the ou values in the user's dn. The source will change when MCommunity Directory goes to a flat namespace. Example: "students; faculty and staff" |
| umichadNoBatchUpdates | FALSE | noBatchUpdates | Flag in MCommunity Directory, set by the user, which prohibits updates to user data from batch processes. The directory sync program assumes changes are made by the user, rather than by batch updates. For future use, perhaps the same role for AD batch updates. Example: TRUE |
| umichadUMDirToADSyncFlag | FALSE | set by directory "sync" program | Used to flag an update on the Windows 2000 DC. Values are added as changes to the AD user object take place. The AD monitoring service looks for changes, recording a log and resetting the value of umichadUMDirToADSyncFlag to null. Values: 2 = user added; 4 = user changed; 8 = delete user; 16 = modrdn. Example: "2;4;4" |
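The identity and multi-valued rows of the table, applied to one entry, as an added example that is not the sync program's own code. The function names, the dict-of-lists entry shape and the uniqname pattern are assumptions; the pattern is there so that a uid can never carry DN metacharacters into the RDN.

```python
import re

# Constants taken from the mapping table above.
PEOPLE_OU = "ou=People,ou=UMICH,dc=ads,dc=itcs,dc=umich,dc=edu"
UPN_SUFFIX = "@umich.edu"
UAC_STATIC = 66080  # 0x10220, the static value set by the update daemon
# Assumption (not on the page): a uniqname is 3-8 lowercase letters. Rejecting
# anything else keeps DN metacharacters (",", "=", "+") out of the RDN.
UNIQNAME_RE = re.compile(r"[a-z]{3,8}")

def first_and_rest(values):
    """Multi-to-SingleAndOther: first value, then the remaining values."""
    values = list(values or [])
    return (values[0] if values else None), values[1:]

def map_entry(entry):
    """Map a directory entry (attribute -> list of values) to AD attributes."""
    uid = entry["uid"][0]
    if not UNIQNAME_RE.fullmatch(uid):
        raise ValueError(f"refusing to build a DN from uid {uid!r}")
    # displayName: cn with the trailing "uniqifier" number removed.
    display = re.sub(r"\s+\d+$", "", entry["cn"][0])
    phone, other_phones = first_and_rest(entry.get("telephonenumber"))
    title, _ = first_and_rest(entry.get("title"))  # Multi-to-Single: first only
    return {
        "dn": f"cn={uid},{PEOPLE_OU}",
        "cn": uid,
        "sAMAccountName": uid,
        "userPrincipalName": uid + UPN_SUFFIX,
        "mail": uid + UPN_SUFFIX,
        "otherMailbox": list(entry.get("mail", [])),
        "displayName": display,
        "name": display,
        "description": [display],
        "title": title,
        "telephoneNumber": phone,
        "otherTelephone": other_phones,
        "userAccountControl": UAC_STATIC,
    }

# Constructed sample entry; the values reuse the examples in the table.
SAMPLE = {
    "uid": ["bjensen"], "cn": ["Robert T Smith 3"],
    "mail": ["bjensen@j.imap.itd.umich.edu", "bjensen@hotmail.com"],
    "title": ["Teaching assistant, Physics department"],
    "telephonenumber": ["+1 234.567.8901", "+1 345.678.9012", "+1 456.789.0123"],
}
```

Because LDAP does not return multi-valued attributes in a fixed order, which value lands in `telephoneNumber` can differ between sync runs; consumers should not treat it as the primary number.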
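An added audit helper (not part of the original page or the sync program) that decodes the static userAccountControl value into its individual bits, reports drift from that value on a synced account, and expands a umichadUMDirToADSyncFlag string. The bit names come from Microsoft's userAccountControl documentation rather than from this page, the function names are hypothetical, and the semicolon-joined input follows the rendering used in the table's examples.

```python
# Subset of userAccountControl bits (names per Microsoft's documentation,
# not listed on this page).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
EXPECTED_UAC = 66080  # static value from the table (0x10220)

# Sync flag meanings exactly as listed in the table above.
SYNC_EVENTS = {2: "user added", 4: "user changed", 8: "delete user", 16: "modrdn"}

def decode_uac(value):
    """Return the names of all bits set in a userAccountControl value."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits outside the subset above
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names

def uac_drift(value, expected=EXPECTED_UAC):
    """Bits set beyond, and bits missing from, the daemon's static value."""
    return decode_uac(value & ~expected), decode_uac(expected & ~value)

def parse_sync_flag(raw):
    """Expand a flag string such as "2;4;4"; reject codes the table does not define."""
    events = []
    for token in filter(None, (t.strip() for t in (raw or "").split(";"))):
        code = int(token)
        if code not in SYNC_EVENTS:
            raise ValueError(f"undefined sync flag value: {code}")
        events.append(SYNC_EVENTS[code])
    return events
```

Decoding 66080 shows three bits set: the never-expires bit the comment mentions, plus NORMAL_ACCOUNT and PASSWD_NOTREQD, which is worth knowing when reviewing password policy for synced accounts.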