[cifs-protocol] RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Andrew Bartlett abartlet at samba.org
Thu Jun 19 01:50:10 GMT 2008

On Tue, 2008-06-17 at 09:05 -0700, Bill Wesse wrote:
> Good day again! I have filed the below bug against the MS-ADA3 document. I apologize for my earlier incorrect answer (which stated that objectGUID and objectSID had no 'human-readable' string format available for use within ldap filters).
> It turns out that the AD specialist I consulted with was speaking with respect to LDAP generically, not the Microsoft implementation (which I was listening as pertaining to).
> Additionally, the list of special semantics for our implementation is specifically against objectSID and objectGUID; there is no schema attribute that specifies or allows for this.
> Using objectGUID to Bind to an Object
> http://msdn.microsoft.com/en-us/library/ms677985(VS.85).aspx
> ==============================================================================
> Question:
> In MS-ADA3 - 2.43 and 2.44 we see a description of the objectGUID and objectSID attributes.  Helpful cross-references to MS-DTYP are included.
> However, no reference in either document is made to the ability of AD LDAP servers to accept string (rather than binary) forms of these attributes in searches.
> Is there a schema attribute that defines which attribute types allow these kinds of polymorphic searches, or is it a hard-coded list?
> ==============================================================================
> Proposed Answer:
> There are special hard coded-semantics on the Active Directory attribute 'objectGUID' and 'objectSID' attributes (which are both typed internally as OctetStrings).
> The following shows the human-readable string forms (string) understood by the Active Directory Services LDAP server for these attributes:
> Type:   GUID
> string: 6d05e3c6-44db-406d-a43b-f4973724d20f
> rfc2254: \C6\E3\05\6D\DB\44\6D\40\A4\3B\F4\97\37\24\D2\0F
> Type:    SID
> string: S-1-5-21-2484111802-3076910921-728100999-1142
> rfc2254: \01\05\00\00\00\00\00\05\15\00\00\00\BA\89\10\94\49\EF\65\B7\87\F0\65\2B\76\04\00\00

Good start!  Now, could you clarify how objectCategory fits into this.
It also has an alternate string representation, allowing short forms and
DN forms.

Now you see why I asked for the full list - I know of these 3, but what
other horrors lie beneath?  ;-)


Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
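The two string/binary pairs quoted in the proposed answer, worked through in Python as an added example (this is not code from the thread or from Samba). It converts the GUID and SID string forms to the binary octet-string layouts from [MS-DTYP] and escapes every byte in the RFC 2254 `\XX` form, which is the safe way to place a binary value in a filter rather than splicing raw bytes or user-supplied text into it; the sample values are the ones quoted above.

```python
import struct
import uuid

# Sample values taken from the proposed answer above.
GUID_STRING = "6d05e3c6-44db-406d-a43b-f4973724d20f"
SID_STRING = "S-1-5-21-2484111802-3076910921-728100999-1142"


def guid_to_bytes(guid: str) -> bytes:
    """Binary objectGUID as AD stores it: the first three GUID fields are
    little-endian, the remaining eight bytes are in string order."""
    return uuid.UUID(guid).bytes_le


def sid_to_bytes(sid: str) -> bytes:
    """Binary objectSID per the [MS-DTYP] SID layout: revision byte,
    sub-authority count byte, 48-bit big-endian identifier authority,
    then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Reject values the on-wire layout cannot represent before packing.
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def rfc2254_escape(raw: bytes) -> str:
    """Escape every byte as \\XX so the value can be embedded in an LDAP
    filter (RFC 2254 / RFC 4515) without any byte being read as filter syntax."""
    return "".join(f"\\{b:02X}" for b in raw)


def binary_filter(attr: str, raw: bytes) -> str:
    """An equality filter on a binary-valued attribute, fully escaped."""
    return f"({attr}={rfc2254_escape(raw)})"


if __name__ == "__main__":
    print(binary_filter("objectGUID", guid_to_bytes(GUID_STRING)))
    print(binary_filter("objectSID", sid_to_bytes(SID_STRING)))
```

The escaped output matches the two `rfc2254:` lines quoted above byte for byte, which is a quick way to check the GUID byte-swapping and the SID packing against a known directory object.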