[cifs-protocol] RE: how are unique attributes determined?

Edgar Olougouna edgaro at microsoft.com
Fri Jun 12 21:12:51 GMT 2009


Hi Tridge,

I have researched your inquiry and engaged the product group on this topic. Please find the answer as follows.  I first introduce some AD specifics, and then clarify with some examples and references.

The answer in a nutshell

Active Directory does not provide any means for identifying unique attributes. Some attributes are unique as a result of their specific processing rules defined by the protocols. In a broader AD view, this translates into associated constraints and triggers applied to objects during replica update operations. These rules depend on objects and may apply to a container, a DN, or an entire NC, etc.
Attribute indexing and attribute value uniqueness are not interrelated concepts in AD. A single-valued or multi-valued attribute can be indexed. And the values may require uniqueness or not, depending on their rules as we previously introduced.

Explanation, examples and references

Update operations and their constraints are generally defined in [MS-ADTS] 3.1.1.5. The Add Operation constraints (3.1.1.5.2) refer to [MS-SAMR] Section 3.1.1.6 for additional constraints when SAM-specific objects are created.
[MS-SAMR] "3.1.1   Abstract Data Model" explains the SAM-related constraint relationships between attributes and triggers defined respectively in Sections 3.1.1.6 and 3.1.1.8.
As you called out in your message, some attributes are unique and also indexed. For example, section 3.1.1.8.4 of [MS-SAMR] describes the uniqueness requirements for sAMAccountName ([MS-ADA3] 2.221).

This is an extract from the MS-SAMR specification:

[MS-SAMR] 3.1.1.8.4   sAMAccountName

1.  If the objectSid attribute has a RID of DOMAIN_USER_RID_KRBTGT and there is already a value present in the sAMAccountName attribute, the server MUST return an error status.

2.  If the sAMAccountName attribute value is NOT unique with respect to the union of all sAMAccountName and msDS-AdditionalSamAccountName attribute values for all other objects within the scope of the account and built-in domain, the server MUST return an error status, according to the following conditions.

    Condition                                                           Error status
    ------------------------------------------------------------------  -------------------
    The object whose sAMAccountName matches the sAMAccountName          STATUS_GROUP_EXISTS
    attribute of the current object is a group object as defined in
    section 3.1.1.

    The object whose sAMAccountName matches the sAMAccountName          STATUS_ALIAS_EXISTS
    attribute of the current object is an alias object as defined in
    section 3.1.1.

    Otherwise:                                                          STATUS_USER_EXISTS

End of extract.

In addition to the specifications, you may find useful resources on MSDN, especially the description of user naming attributes, which relates to your inquiry (userPrincipalName, objectGUID, objectSID, sAMAccountName).
User Naming Attributes: http://msdn.microsoft.com/en-us/library/ms677605.aspx
Indexed attributes: http://msdn.microsoft.com/en-us/library/ms675095(VS.85).aspx

I hope this answers your question in a satisfactory manner. As always, let us know if you have any Open Specification-specific documentation issue, and we will be happy to assist.

Best regards,

Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team

-----Original Message-----
From: Edgar Olougouna
Sent: Monday, June 01, 2009 10:17 AM
To: 'tridge at samba.org'
Cc: cifs-protocol at samba.org; pfif at tridgell.net
Subject: RE: how are unique attributes determined?

Hi Tridge,

I have taken ownership of this case regarding AD attributes (case SRX090601600044). I will be communicating with you as soon as I have updates or clarification questions.

Best regards,

Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team

-----Original Message-----
From: tridge at samba.org [mailto:tridge at samba.org]
Sent: Monday, June 01, 2009 12:28 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; pfif at tridgell.net
Subject: CAR: how are unique attributes determined?

We would like to know how to work out which attributes in AD are
uniquely indexed.

We know that attributes like samAccountName, objectGUID and objectSID
are all unique. So if you try to create the following two records
using LDAP:

 dn: CN=test1,OU=User2,DC=vsofs8,DC=com
 sAMAccountName: test1
 objectClass: user

 dn: CN=test1,OU=User3,DC=vsofs8,DC=com
 sAMAccountName: test1
 objectClass: user

then the Windows AD implementation will return LDAP_ERR_ALREADY_EXISTS for
the second one, presumably because samAccountName is a unique
attribute. This makes sense, as you don't want two users with the same
account name.

What we can't work out is how to find the list of unique
attributes. We can't find anything in the schema that tells us an
attribute is unique. What part in the schema gives us that? Or is it
somewhere outside the schema?

Cheers, Tridge
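As an added example (not code from this thread, nor from Microsoft or Samba), here is a small Python model of the sAMAccountName rule quoted from [MS-SAMR] 3.1.1.8.4 in Edgar's reply, run over a constructed in-memory directory that also receives the two LDIF adds from Tridge's original question. The sample directory contents, the case-insensitive comparison and the use of a plain "rid" field to stand in for the RID of objectSid are assumptions; 502 is the well-known krbtgt RID.

```python
# Added example, not code from the thread: a model of the sAMAccountName rule
# quoted from [MS-SAMR] 3.1.1.8.4, run over a small constructed directory.
DOMAIN_USER_RID_KRBTGT = 502  # well-known RID of the krbtgt account

# Constructed sample data: DN -> attributes. "objectClass" records the SAM
# object kind (user / group / alias) as [MS-SAMR] 3.1.1 classifies them.
DIRECTORY = {
    "CN=krbtgt,CN=Users,DC=vsofs8,DC=com":
        {"objectClass": "user", "sAMAccountName": "krbtgt", "rid": 502},
    "CN=Domain Admins,CN=Users,DC=vsofs8,DC=com":
        {"objectClass": "group", "sAMAccountName": "Domain Admins"},
    "CN=Administrators,CN=Builtin,DC=vsofs8,DC=com":
        {"objectClass": "alias", "sAMAccountName": "Administrators"},
    "CN=svc,OU=Services,DC=vsofs8,DC=com":
        {"objectClass": "user", "sAMAccountName": "svc",
         "msDS-AdditionalSamAccountName": ["svc-old"]},
}

def sam_names(entry):
    """All sAMAccountName + msDS-AdditionalSamAccountName values of an object,
    lower-cased (assumption: the match is case-insensitive, as AD names are)."""
    names = {v.lower() for v in entry.get("msDS-AdditionalSamAccountName", [])}
    if "sAMAccountName" in entry:
        names.add(entry["sAMAccountName"].lower())
    return names

def check_sam_account_name(directory, dn, entry):
    """Return None if writing entry at dn passes 3.1.1.8.4, else the status."""
    # Condition 1: the krbtgt account's existing sAMAccountName may not be replaced.
    existing = directory.get(dn, {})
    if existing.get("rid") == DOMAIN_USER_RID_KRBTGT and "sAMAccountName" in existing:
        return "ERROR (status code not named in the extract)"
    # Condition 2: unique against every *other* object's sAMAccountName and
    # msDS-AdditionalSamAccountName values in the account + built-in domain.
    wanted = entry["sAMAccountName"].lower()
    for other_dn, other in directory.items():
        if other_dn != dn and wanted in sam_names(other):
            if other["objectClass"] == "group":
                return "STATUS_GROUP_EXISTS"
            if other["objectClass"] == "alias":
                return "STATUS_ALIAS_EXISTS"
            return "STATUS_USER_EXISTS"
    return None

def add_object(directory, dn, entry):
    """Apply the check, store the object only if it passes, return the status."""
    status = check_sam_account_name(directory, dn, entry)
    if status is None:
        directory[dn] = dict(entry)
    return status
```

Adding CN=test1,OU=User2 succeeds and the second CN=test1,OU=User3 add is rejected with STATUS_USER_EXISTS, the same rejection Tridge saw for his second record; a name that collides with a group or alias yields STATUS_GROUP_EXISTS or STATUS_ALIAS_EXISTS instead.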

