[cifs-protocol] [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
Obaid Farooqi
obaidf at microsoft.com
Mon Dec 1 10:11:27 MST 2014
Hi Samuel:
The attribute wellKnownObjects is not a linked attribute since there is no linkID attribute defined on it in MS-ADA3 section "2.369 Attribute wellKnownObjects". The LDAP_MATCHING_RULE_TRANSITIVE_EVAL is only good for link attributes, as mentioned in MS-ADTS.
Please let me know if it answers your question.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
-----Original Message-----
From: Obaid Farooqi
Sent: Tuesday, November 25, 2014 3:08 PM
To: <scabrero at zentyal.com>
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
Hi Samuel
I'll look into this and get back to you as soon as I have an answer.
> On Nov 25, 2014, at 10:29 AM, Samuel Cabrero <scabrero at zentyal.com> wrote:
>
> Hi Obaid,
>
> you are right but my interpretation of the documentation is that the
> attribute values in the entry being visited also have to be stripped
> before comparison, not only the value specified in the filter.
>
>
> In the EvalTransitiveFilterHelper pseudo code:
>
> "If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or
> Object(Access-Point) syntax, let C be the set of the object_DN
> components of the values of ToVisit.A. Otherwise, let
> C be the set of the values of ToVisit.A. Note that C is a set of DNs."
>
> "If V' is in C, return true."
>
> Doesn't it mean the attribute values in the entry being visited also
> have to be stripped before checking if V' is in the C set?
>
> Regards,
>
>> On dom, 2014-11-23 at 18:51 +0000, Obaid Farooqi wrote:
>> Hi Samuel:
>> My previous email has some inadvertent mistake. Please disregard
>> that. Here is the corrected response.
>>
>> In the filter
>> wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base
>> DN>
>>
>> As per documentation, the following rule applies:
>> If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or
>> Object(Access-Point) syntax, let V' equal the object_DN portion of V
>>
>> So V' becomes CN=computers,<base DN> and the filter becomes:
>> wellKnownObjects:1.2.840.113556.1.4.1941:=CN=computers,<base DN>
>>
>> Since there is no object that has the value of wellKnownObjects
>> attribute as CN=computers,, therefore no object is returned.
>>
>> Please let me know if it does not answer your question.
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> Exceeding your expectations is my highest priority. If you would
>> like to provide feedback on your case you may contact my manager at
>> nkang at Microsoft dot com
>>
>> -----Original Message-----
>> From: Obaid Farooqi
>> Sent: Sunday, November 23, 2014 12:45 PM
>> To: 'scabrero at zentyal.com'
>> Cc: 'cifs-protocol at samba.org'; MSSolve Case Email
>> Subject: RE: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>>
>> Hi Samuel:
>> In the filter
>> wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base
>> DN>
>>
>> As per documentation, the following rule applies:
>> If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or
>> Object(Access-Point) syntax, let V' equal the object_DN portion of V
>>
>> So V' becomes CN=computers,<base DN> and the filter becomes:
>> wellKnownObjects:1.2.840.113556.1.4.1941:=CN=computers,<base DN>
>>
>> Since the object CN=computers, does not have any attribute
>> wellKnownObjects, therefore no object is returned.
>>
>> Please let me know if it does not answer your question.
>>
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> Exceeding your expectations is my highest priority. If you would
>> like to provide feedback on your case you may contact my manager at
>> nkang at Microsoft dot com
>>
>> -----Original Message-----
>> From: "Obaid Farooqi" <obaidf at microsoft.com>
>> Sent: Thursday, November 20, 2014 9:53 AM
>> To: "scabrero at zentyal.com" <scabrero at zentyal.com>
>> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve
>> Case Email" <casemail at microsoft.com>
>> Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>>
>> Hi Samuel:
>> I am still looking into it and I'll be in touch as soon as I have an
>> answer.
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> Exceeding your expectations is my highest priority. If you would
>> like to provide feedback on your case you may contact my manager at
>> nkang at Microsoft dot com
>>
>> -----Original Message-----
>> From: "Tarun Chopra" Chopra at microsoft.com>
>> Sent: Thursday, November 13, 2014 11:48 AM
>> To: "scabrero at zentyal.com" <scabrero at zentyal.com>
>> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve
>> Case Email" <casemail at microsoft.com>; "Obaid Farooqi" <
>> obaidf at microsoft.com>
>>
>> Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>>
>> Hello Samuel - I've transferred the ownership of this case to Obaid,
>> in Cc. He will research and get back.
>>
>> -----Original Message-----
>> From: Tarun Chopra
>> Sent: Wednesday, November 12, 2014 1:57 PM
>> To: scabrero at zentyal.com
>> Cc: cifs-protocol at samba.org; MSSolve Case Email
>> Subject: RE: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>>
>> Hello Samuel -
>>
>> I'm researching this for you and will update you as I make progress.
>>
>> Thanks
>> Tarun Chopra.
>>
>> -----Original Message-----
>> From: Bryan Burgin
>> Sent: Wednesday, November 12, 2014 9:33 AM
>> To: scabrero at zentyal.com
>> Cc: cifs-protocol at samba.org; MSSolve Case Email
>> Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>>
>> [dochelp to bcc]
>> [+casemail]
>>
>> Samuel,
>>
>> Thank you for your question. We created SR 114111212024814 to track
>> this issue. An engineer from the Protocols team will contact you
>> soon.
>>
>> Bryan
>>
>>
>>
>> -----Original Message-----
>> From: Samuel Cabrero [mailto:scabrero at zentyal.com]
>> Sent: Wednesday, November 12, 2014 3:45 AM
>> To: Interoperability Documentation Help
>> Cc: cifs-protocol at samba.org
>> Subject: [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>>
>> Dear dochelp team,
>>
>> I am working on LDAP_MATCHING_RULE_TRANSITIVE_EVAL match rule
>> implementation on samba and I have found that my tests fail against
>> Windows Server 2008 R2 when the attribute value to match specified
>> in the search filter has Object(DN-Binary) syntax, for example:
>>
>> Search scope: Base
>> Search base DN: Domain base DN
>>
>> This filter returns one entry:
>> wellKnownObjects=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base
>> DN>
>>
>> This filter does not return any entry:
>> wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base
>> DN>
>>
>> According to [MS-ADTS] Section 3.1.1.3.4.4.3 I understand that the
>> Object(DN-Binary) syntax should be handled in the match rule
>> implementation. Should this search return the same entry that the
>> one returned without the extended match?
>>
>> Best Regards,
>>
>> --
>> Samuel Cabrero - Developer
>> scabrero at zentyal.com
>>
>> Zentyal - Active Exchange
>> www.zentyal.com
> --
> Samuel Cabrero - Developer
> scabrero at zentyal.com
>
> Zentyal - Active Exchange
> www.zentyal.com
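
The outcome of this thread as a small model, added here as an example (not code from the thread, from Samba, or from Microsoft): the transitive rule is evaluated only for link attributes, so the `wellKnownObjects` filter matches nothing even though the plain equality filter matches. The directory contents, the `LINKED` set, the `links_only` switch and the traversal over C are assumptions of this sketch; `links_only=False` shows what Samuel's reading (strip both V and the values in C) would return.

```python
import re

# Constructed sample directory (not from the thread): DN -> attributes.
BASE = "DC=example,DC=com"
WK_VALUE = f"B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,{BASE}"
DIRECTORY = {
    BASE: {"wellKnownObjects": [WK_VALUE]},
    f"CN=computers,{BASE}": {},
    f"CN=inner,{BASE}": {"memberOf": [f"CN=outer,{BASE}"]},
    f"CN=outer,{BASE}": {"memberOf": [f"CN=top,{BASE}"]},
    f"CN=top,{BASE}": {},
}
LINKED = {"member", "memberOf"}    # assumption: attributes with a linkID
DN_BINARY = {"wellKnownObjects"}   # assumption: Object(DN-Binary) syntax

def object_dn(value):
    """Return the object_DN portion of a 'B:<count>:<hex>:<DN>' value."""
    m = re.fullmatch(r"B:(\d+):([0-9A-Fa-f]*):(.+)", value)
    if not m or int(m.group(1)) != len(m.group(2)):
        raise ValueError("not a DN-Binary value: %r" % value)
    return m.group(3)

def plain_match(attr, value, dn):
    """Ordinary equality filter: compare whole values (case-insensitive)."""
    return value.lower() in {v.lower() for v in DIRECTORY[dn].get(attr, [])}

def eval_transitive(attr, value, start_dn, links_only=True):
    """Model of the 1.2.840.113556.1.4.1941 rule over DIRECTORY."""
    if links_only and attr not in LINKED:
        return False                       # rule only applies to link attributes
    strip = object_dn if attr in DN_BINARY else (lambda v: v)
    target = strip(value).lower()          # V' = object_DN portion of V
    index = {dn.lower(): a for dn, a in DIRECTORY.items()}
    visited, to_visit = set(), [start_dn.lower()]
    while to_visit:
        dn = to_visit.pop()
        if dn in visited:                  # guard against link cycles
            continue
        visited.add(dn)
        c = {strip(v).lower() for v in index.get(dn, {}).get(attr, [])}
        if target in c:                    # "If V' is in C, return true."
            return True
        to_visit.extend(c - visited)
    return False

if __name__ == "__main__":
    print(plain_match("wellKnownObjects", WK_VALUE, BASE))
    print(eval_transitive("wellKnownObjects", WK_VALUE, BASE))
    print(eval_transitive("memberOf", f"CN=top,{BASE}", f"CN=inner,{BASE}"))
```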