[cifs-protocol] RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Bill Wesse billwe at microsoft.com
Mon Jun 23 17:33:32 GMT 2008


Hello again Andrew; here is more information on SID formats (there are two, composed as shown in the code sample function 'FormatSidIdentifierAuthority'):

// from winnt.h
// http://msdn.microsoft.com/en-us/library/aa379598.aspx
//
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

#ifndef SID_IDENTIFIER_AUTHORITY_DEFINED
#define SID_IDENTIFIER_AUTHORITY_DEFINED
typedef struct _SID_IDENTIFIER_AUTHORITY {
    BYTE  Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
#endif


#ifndef SID_DEFINED
#define SID_DEFINED
typedef struct _SID {
   BYTE  Revision;
   BYTE  SubAuthorityCount;
   SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
#ifdef MIDL_PASS
   [size_is(SubAuthorityCount)] DWORD SubAuthority[*];
#else // MIDL_PASS
   DWORD SubAuthority[ANYSIZE_ARRAY];
#endif // MIDL_PASS
} SID, *PISID;
#endif

#define SID_REVISION                     (1)    // Current revision level
#define SID_MAX_SUB_AUTHORITIES          (15)
#define SID_RECOMMENDED_SUB_AUTHORITIES  (1)    // Will change to around 6

//
// Canonical form for SID.IdentifierAuthority (MS-DTYP 2.4.2.1): the 6-byte
// big-endian value prints as decimal when it fits in 32 bits (Value[0] and
// Value[1] zero) and as 0x followed by 12 hex digits otherwise.
// Takes PISID (the typed struct) rather than the opaque PSID so the fields
// can be read; writes at most cch characters into buffer and returns the
// number of characters written, or -1 on failure.
// see winnt.h for SID and SID_IDENTIFIER_AUTHORITY
//
int FormatSidIdentifierAuthority(PISID pSid, LPTSTR buffer, size_t cch)
{
        const BYTE *v = pSid->IdentifierAuthority.Value;

        if ( (v[0] != 0) || (v[1] != 0) )
        {
                return _stprintf_s(buffer, cch,
                        _T("0x%02hx%02hx%02hx%02hx%02hx%02hx"),
                        (USHORT)v[0], (USHORT)v[1], (USHORT)v[2],
                        (USHORT)v[3], (USHORT)v[4], (USHORT)v[5]);
        }
        else
        {
                // Cast before shifting: a BYTE promoted to int and shifted
                // by 24 can overflow the signed type.
                return _stprintf_s(buffer, cch,
                        _T("%lu"),
                        ((ULONG)v[5]      ) +
                        ((ULONG)v[4] <<  8) +
                        ((ULONG)v[3] << 16) +
                        ((ULONG)v[2] << 24) );
        }
}


Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606


-----Original Message-----
From: Bill Wesse
Sent: Monday, June 23, 2008 12:59 PM
To: 'Andrew Bartlett'
Cc: 'cifs-protocol at samba.org'; 'pfif at tridgell.net'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Good morning Andrew; I have found a reasonably good reference to objectCategory semantics on our technet site (link and applicable text shown below), and will continue my search for other items that allow for special semantics.

Search Filters
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbc_nar_ivve.mspx?mfr=true

Every classSchema object has an attribute called defaultObjectCategory, which is the object category of an instance of the class if none is specified by the user. For most classes, the defaultObjectCategory value is the class itself. In the search filter, you can specify objectCategory=X, where X is the ldapDisplayName of a class, and LDAP automatically expands the filter to objectCategory=<defaultObjectCategory of class X>. The objectCategory attribute has a syntax of distinguished name, and LDAP automatically converts the value for objectCategory to the distinguished name format. For example, if you use objectCategory=contact in the filter, the filter changes to objectCategory=cn=person,cn=schema,cn=configuration,dc=<ForestRootDomain> ("person" is the defaultObjectCategory for the class contact).


Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606


-----Original Message-----
From: Bill Wesse
Sent: Thursday, June 19, 2008 8:22 AM
To: 'Andrew Bartlett'
Cc: 'cifs-protocol at samba.org'; 'pfif at tridgell.net'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

I should be able to confirm the objectCategory semantics by sometime tomorrow; I have yet to find a consolidated list of attributes that allow for special semantics (it will take some time for me to derive this information; please note that I have queried product development concerning this topic).

Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, June 18, 2008 9:50 PM
To: Bill Wesse
Cc: 'cifs-protocol at samba.org'; 'pfif at tridgell.net'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

On Tue, 2008-06-17 at 09:05 -0700, Bill Wesse wrote:
> Good day again! I have filed the below bug against the MS-ADA3 document. I apologize for my earlier incorrect answer (which stated that objectGUID and objectSID had no 'human-readable' string format available for use within ldap filters).
>
> It turns out that the AD specialist I consulted with was speaking with respect to LDAP generically, not the Microsoft implementation (which I was listening as pertaining to).
>
> Additionally, the list of special semantics for our implementation is specifically against objectSID and objectGUID; there is no schema attribute that specifies or allows for this.
>
> Using objectGUID to Bind to an Object
> http://msdn.microsoft.com/en-us/library/ms677985(VS.85).aspx
>
> ==============================================================================
> Question:
> In MS-ADA3 - 2.43 and 2.44 we see a description of the objectGUID and objectSID attributes.  Helpful cross-references to MS-DTYP are included.
>
> However, no reference in either document is made to the ability of AD LDAP servers to accept string (rather than binary) forms of these attributes in searches.
>
> Is there a schema attribute that defines which attribute types allow these kinds of polymorphic searches, or is it a hard-coded list?
>
> ==============================================================================
> Proposed Answer:
>
> There are special hard-coded semantics on the Active Directory 'objectGUID' and 'objectSID' attributes (which are both typed internally as OctetStrings).
>
> The following shows the human-readable string forms (string) understood by the Active Directory Services LDAP server for these attributes:
>
> Type:   GUID
> string: 6d05e3c6-44db-406d-a43b-f4973724d20f
> rfc2254: \C6\E3\05\6D\DB\44\6D\40\A4\3B\F4\97\37\24\D2\0F
>
> Type:    SID
> string: S-1-5-21-2484111802-3076910921-728100999-1142
> rfc2254: \01\05\00\00\00\00\00\05\15\00\00\00\BA\89\10\94\49\EF\65\B7\87\F0\65\2B\76\04\00\00

Good start!  Now, could you clarify how objectCategory fits into this.
It also has an alternate string representation, allowing short forms and DN forms.

Now you see why I asked for the full list - I know of these 3, but what other horrors lie beneath?  ;-)

Thanks,

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
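The two mappings discussed in this thread, the canonical SID string that Bill's FormatSidIdentifierAuthority produces (decimal or 0x-hex identifier authority) and the rfc2254-escaped binary forms of objectGUID and objectSID quoted above, as an added Python example that is not part of the mail thread, of Microsoft's sample, or of Samba's code. It uses only the standard library; the helper names (sid_to_bytes, sid_filter and so on) are this example's own, the SID and GUID values are the ones quoted in the thread, and the SID with a 48-bit identifier authority is constructed here only to exercise the hex branch. Hex digits in the authority are lower case, following the posted C function.

```python
# Added example, not code from the thread or from Samba: converts the
# human-readable objectSid / objectGUID forms to the binary values and the
# RFC 2254 (now RFC 4515) backslash-XX escaped filter values, and back.
import re
import struct
import uuid

SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15

# MS-DTYP 2.4.2.1 string syntax: "S-1-" then the identifier authority as
# decimal or as 0x followed by 12 hex digits, then 0..15 sub-authorities.
_SID_RE = re.compile(
    r"S-1-(0x[0-9A-Fa-f]{12}|[0-9]{1,15})((?:-[0-9]{1,10}){0,15})")


def is_sid_string(text: str) -> bool:
    """Syntactic check for untrusted input; a value that fails here must not
    be interpolated into a filter at all."""
    return _SID_RE.fullmatch(text) is not None


def sid_to_bytes(sid: str) -> bytes:
    """Build the binary SID: Revision, SubAuthorityCount, the 6-byte
    big-endian IdentifierAuthority, then little-endian DWORD sub-authorities."""
    m = _SID_RE.fullmatch(sid)
    if m is None:
        raise ValueError(f"not a SID string: {sid!r}")
    auth_txt, subs_txt = m.groups()
    authority = int(auth_txt, 16) if auth_txt.startswith("0x") else int(auth_txt)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    subs = [int(s) for s in subs_txt.split("-")[1:]]
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    return (bytes([SID_REVISION, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def bytes_to_sid(raw: bytes) -> str:
    """Canonical string form.  The identifier authority is printed in decimal
    when Value[0] and Value[1] are zero (it fits in 32 bits) and as 0x plus
    12 hex digits otherwise, the rule FormatSidIdentifierAuthority applies."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("SubAuthorityCount does not match the buffer length")
    authority = int.from_bytes(raw[2:8], "big")
    auth_txt = str(authority) if authority < 1 << 32 else f"0x{authority:012x}"
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), auth_txt, *(str(s) for s in subs)])


def guid_to_bytes(guid: str) -> bytes:
    r"""objectGUID is stored as the GUID structure: Data1, Data2 and Data3
    little-endian, Data4 as written.  That is why 6d05e3c6-44db-... escapes
    to \C6\E3\05\6D\DB\44... rather than \6D\05\E3\C6."""
    return uuid.UUID(guid).bytes_le


def bytes_to_guid(raw: bytes) -> str:
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def filter_escape(raw: bytes) -> str:
    r"""RFC 2254 escaping of a binary value: every byte as \XX.  Escaping all
    bytes, not only * ( ) \ and NUL, keeps non-UTF-8 bytes legal inside the
    filter and leaves nothing for filter injection to exploit."""
    return "".join(f"\\{b:02X}" for b in raw)


def filter_unescape(text: str) -> bytes:
    """Inverse of filter_escape for a value made only of backslash-XX escapes."""
    if re.fullmatch(r"(?:\\[0-9A-Fa-f]{2})*", text) is None:
        raise ValueError("value is not made only of backslash-XX escapes")
    return bytes.fromhex(text.replace("\\", ""))


def sid_filter(sid: str) -> str:
    """(objectSid=...) with the escaped binary value.  AD also accepts the bare
    string, (objectSid=S-1-5-...), which is the AD-specific semantics this
    thread is about; the escaped form works against any LDAP server."""
    return f"(objectSid={filter_escape(sid_to_bytes(sid))})"


def guid_filter(guid: str) -> str:
    return f"(objectGUID={filter_escape(guid_to_bytes(guid))})"


if __name__ == "__main__":
    # The two values quoted in the thread, then a constructed SID whose
    # identifier authority needs the 0x form.
    print(sid_filter("S-1-5-21-2484111802-3076910921-728100999-1142"))
    print(guid_filter("6d05e3c6-44db-406d-a43b-f4973724d20f"))
    print(bytes_to_sid(bytes.fromhex("010100ab0000000101000000")))
```

Run against the thread's sample SID the escaped value comes out exactly as quoted (note the little-endian sub-authorities: 2484111802 is 0x941089BA and appears as \BA\89\10\94), and the GUID's first three fields are byte-swapped relative to the string. The practical rule for code that takes a SID or GUID from a user: validate the string with is_sid_string (or let uuid.UUID reject it), convert to bytes, and escape every byte; never paste the string into the filter, because AD's acceptance of the bare string form is a convenience, not something other LDAP servers or filter parsers will share.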

