[cifs-protocol] RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Andrew Bartlett abartlet at samba.org
Mon Jul 14 22:52:26 GMT 2008

On Mon, 2008-07-14 at 13:43 -0700, Bill Wesse wrote:
> Good afternoon Andrew. I have included a modified response, containing
> the sections in [MS-ADA3] and [MS-ADTS] covering the objectCategory
> and objectSID attributes (I omitted the objectGUID notes, since there
> are no special semantics for this).

We already determined that there are - the string form.  Please review
this discussion. 

> The decision has been made to not change the document by adding
> additional cross references, in order to keep the inter-document
> maintenance complexity in check. Please let me know if you this
> answers your question satisfactorily; if so, I will consider your
> question resolved.

Unless you can fix whatever problems you have created that prevent
decent cross-referencing, then this behaviour needs to be described in
the schema document, not in the massive MS-ADTS.   Indeed it might be
the preferable location, with a table at the front to call out the
unusual behaviours. 

The schema is the logical place to describe per-attribute behaviours. 

> ==============================================================================================================
> objectCategory
> Searches Using the objectCategory Attribute
> When an LDAP search filter F contains a clause C of the form
> "(objectCategory=V)", if V is not a DN but there exists an object O
> such that O!objectClass = classSchema and O!lDAPDisplayName = V, then
> the server treats the search filter as if clause C was replaced in F
> with the clause "(objectCategory=V')", where V' is O!
> defaultObjectCategory.
> [MS-ADA3]
> 2.38 Attribute objectCategory
>                 This attribute specifies an object class name that is
> used to group objects of this or derived classes. Every object in
> Active Directory has this attribute. See [MS-ADTS] for more
> information about how Active Directory uses this attribute.

This cross-reference is useless to the implementor.  It should at least
indicate that the cross-reference target is more than some note on read
values, but includes a highly unusual matching rule. 

This attribute specifies an object class name that is used to group
objects of this or derived classes. Every object in Active Directory has
this attribute. See [MS-ADTS] section x.x.x.x for information on the
extended matching rules (DN and short values permitted) in searches for
this attribute.

> ==============================================================================================================
> objectSID
> The alternative form for attributes of syntax type String(SID),
> including objectSID, is documented in [MS-ADTS] as shown below:
> Alternative Form of SIDs
> Attributes of String(SID) syntax contain a SID in binary form.
> However, a client may instead specify a value for such an attribute as
> a UTF-8 string that is a valid SDDL SID string beginning with
> "S-" (see [MS-DTYP] sections 2.4.2 and 2.5.1). The server will convert
> such a string to the binary form of the SID  and use that binary form
> as the value of the attribute.
> [MS-ADA3]
> 2.44 Attribute objectSid
> This attribute specifies a binary value that specifies the security
> identifier (SID) of the user. The SID is a unique value used to
> identify the user as a security principal. For more information on the
> SID data type, refer to [MS-DTYP] section 2.4.2. SID usage is also
> discussed in [MS-ADTS], in particular in section

Again, you need to indicate that more than the ordinary is included in
the cross-reference.  

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080715/899915c4/attachment.bin

More information about the cifs-protocol mailing list