[cifs-protocol] RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Bill Wesse billwe at microsoft.com
Tue Jun 17 16:05:00 GMT 2008

Good day again! I have filed the below bug against the MS-ADA3 document. I apologize for my earlier incorrect answer (which stated that objectGUID and objectSID had no 'human-readable' string format available for use within LDAP filters).

It turns out that the AD specialist I consulted with was speaking with respect to LDAP generically, not the Microsoft implementation (which I was listening as pertaining to).

Additionally, the list of special semantics for our implementation is specifically against objectSID and objectGUID; there is no schema attribute that specifies or allows for this.

Using objectGUID to Bind to an Object

In MS-ADA3 - 2.43 and 2.44 we see a description of the objectGUID and objectSID attributes.  Helpful cross-references to MS-DTYP are included.

However, no reference in either document is made to the ability of AD LDAP servers to accept string (rather than binary) forms of these attributes in searches.

Is there a schema attribute that defines which attribute types allow these kinds of polymorphic searches, or is it a hard-coded list?

Proposed Answer:

There are special hard-coded semantics on the Active Directory 'objectGUID' and 'objectSID' attributes (which are both typed internally as OctetStrings).

The following shows the human-readable string forms (string) understood by the Active Directory Services LDAP server for these attributes:

Type:   GUID
string: 6d05e3c6-44db-406d-a43b-f4973724d20f
rfc2254: \C6\E3\05\6D\DB\44\6D\40\A4\3B\F4\97\37\24\D2\0F

Type:    SID
string: S-1-5-21-2484111802-3076910921-728100999-1142
rfc2254: \01\05\00\00\00\00\00\05\15\00\00\00\BA\89\10\94\49\EF\65\B7\87\F0\65\2B\76\04\00\00


The String Representation of LDAP Search Filters

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606
