[cifs-protocol] RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Bill Wesse billwe at microsoft.com
Thu Jun 19 12:21:33 GMT 2008


I should be able to confirm the objectCategory semantics by sometime tomorrow; I have yet to find a consolidated list of attributes that allow for special semantics (it will take some time for me to derive this information; please note that I have queried product development concerning this topic).

Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, June 18, 2008 9:50 PM
To: Bill Wesse
Cc: 'cifs-protocol at samba.org'; 'pfif at tridgell.net'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

On Tue, 2008-06-17 at 09:05 -0700, Bill Wesse wrote:
> Good day again! I have filed the below bug against the MS-ADA3 document. I apologize for my earlier incorrect answer (which stated that objectGUID and objectSID had no 'human-readable' string format available for use within ldap filters).
>
> It turns out that the AD specialist I consulted with was speaking with respect to LDAP generically, not the Microsoft implementation (which I was listening as pertaining to).
>
> Additionally, the list of special semantics for our implementation is specifically against objectSID and objectGUID; there is no schema attribute that specifies or allows for this.
>
> Using objectGUID to Bind to an Object
> http://msdn.microsoft.com/en-us/library/ms677985(VS.85).aspx
>
> ==============================================================================
> Question:
> In MS-ADA3 - 2.43 and 2.44 we see a description of the objectGUID and objectSID attributes.  Helpful cross-references to MS-DTYP are included.
>
> However, no reference in either document is made to the ability of AD LDAP servers to accept string (rather than binary) forms of these attributes in searches.
>
> Is there a schema attribute that defines which attribute types allow these kinds of polymorphic searches, or is it a hard-coded list?
>
> ==============================================================================
> Proposed Answer:
>
> There are special hard-coded semantics on the Active Directory 'objectGUID' and 'objectSID' attributes (which are both typed internally as OctetStrings).
>
> The following shows the human-readable string forms (string) understood by the Active Directory Services LDAP server for these attributes:
>
> Type:   GUID
> string: 6d05e3c6-44db-406d-a43b-f4973724d20f
> rfc2254: \C6\E3\05\6D\DB\44\6D\40\A4\3B\F4\97\37\24\D2\0F
>
> Type:    SID
> string: S-1-5-21-2484111802-3076910921-728100999-1142
> rfc2254: \01\05\00\00\00\00\00\05\15\00\00\00\BA\89\10\94\49\EF\65\B7\87\F0\65\2B\76\04\00\00

Good start!  Now, could you clarify how objectCategory fits into this.
It also has an alternate string representation, allowing short forms and DN forms.

Now you see why I asked for the full list - I know of these 3, but what other horrors lie beneath?  ;-)

Thanks,

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
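The two string-to-binary mappings quoted in the thread above, as an added worked example (not code from either poster or from Samba): it packs a GUID and a SID string into the byte layouts the quoted table shows and escapes them RFC 2254 style, so a filter can be checked against what the AD LDAP server will accept in either form. It assumes the little-endian GUID byte order visible in the quoted example and the MS-DTYP binary SID layout (revision, sub-authority count, 48-bit big-endian authority, little-endian 32-bit sub-authorities).

```python
import struct
import uuid


def escape_bytes(raw: bytes) -> str:
    """RFC 2254 escaping of arbitrary bytes for an LDAP filter value (\\XX per byte)."""
    return "".join(f"\\{b:02X}" for b in raw)


def guid_to_ldap_filter(guid_str: str) -> str:
    """objectGUID: AD stores the GUID in Windows (mixed-endian) byte order, i.e. bytes_le."""
    return escape_bytes(uuid.UUID(guid_str).bytes_le)


def sid_to_bytes(sid_str: str) -> bytes:
    """Pack S-R-A-S1-...-Sn into the MS-DTYP binary SID layout (assumed here):
    revision (1 byte), sub-authority count (1), authority (6, big-endian),
    then each sub-authority as a little-endian uint32."""
    parts = sid_str.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"malformed SID: {sid_str!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError(f"SID fields out of range: {sid_str!r}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; checks the count byte against the buffer length
    so a truncated or padded blob is rejected rather than silently misparsed."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or inconsistent SID buffer")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return f"S-{raw[0]}-{authority}" + "".join(f"-{s}" for s in subs)


def sid_to_ldap_filter(sid_str: str) -> str:
    return escape_bytes(sid_to_bytes(sid_str))


def object_sid_filter(sid_str: str, binary: bool = False) -> str:
    """Build an (objectSid=...) filter in either form the thread says AD accepts."""
    value = sid_to_ldap_filter(sid_str) if binary else sid_str
    return f"(objectSid={value})"


if __name__ == "__main__":
    # Constructed sample values: the GUID and SID quoted in the message above.
    print(guid_to_ldap_filter("6d05e3c6-44db-406d-a43b-f4973724d20f"))
    print(object_sid_filter("S-1-5-21-2484111802-3076910921-728100999-1142", binary=True))
```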
