[cifs-protocol] RE: how are unique attributes determined?
Edgar Olougouna
edgaro at microsoft.com
Fri Jun 12 21:12:51 GMT 2009
Hi Tridge,
I have researched your inquiry and engaged the product group on this topic. Please find the answer as follows. I first introduce some AD specifics, and then clarify with some examples and references.
The answer in a nutshell
Active Directory does not provide any means for identifying unique attributes. Some attributes are unique as a result of their specific processing rules defined by the protocols. In a broader AD view, this translates into associated constraints and triggers applied to objects during replica update operations. These rules depend on objects and may apply to a container, a DN, or an entire NC, etc.
Attribute indexing and attribute value uniqueness are not interrelated concepts in AD. A single-valued or multi-valued attribute can be indexed. And the values may require uniqueness or not, depending on their rules as we previously introduced.
Explanation, examples and references
Update operations and their constraints are generally defined in [MS-ADTS] 3.1.1.5. The Add Operation constraints (3.1.1.5.2) refer to [MS-SAMR] Section 3.1.1.6 for additional constraints when SAM-specific objects are created.
[MS-SAMR] "3.1.1 Abstract Data Model" explains SAM-related constraints relationships between attributes and triggers defined respectively in Sections 3.1.1.6 and 3.1.1.8.
As you called out in your message, some attributes are unique and also indexed. For example, section 3.1.1.8.4 of [MS-SAMR] describes the uniqueness requirements for sAMAccountName ([MS-ADA3] 2.221).
This is an extract from the MS-SAMR specification:
[MS-SAMR] 3.1.1.8.4 sAMAccountName
1. If the objectSid attribute has a RID of DOMAIN_USER_RID_KRBTGT and there is already a value present in the sAMAccountName attribute, the server MUST return an error status.
2. If the sAMAccountName attribute value is NOT unique with respect to the union of all sAMAccountName and msDS-AdditionalSamAccountName attribute values for all other objects within the scope of the account and built-in domain, the server MUST return an error status, according to the following conditions.
Condition: The object whose sAMAccountName matches the sAMAccountName attribute of the current object is a group object as defined in section 3.1.1.
Error status: STATUS_GROUP_EXISTS

Condition: The object whose sAMAccountName matches the sAMAccountName attribute of the current object is an alias object as defined in section 3.1.1.
Error status: STATUS_ALIAS_EXISTS

Condition: Otherwise.
Error status: STATUS_USER_EXISTS
End of extract.
In addition to the specifications, you may find useful resources on MSDN, especially the description of user naming attributes, which relates to your inquiry (userPrincipalName, objectGUID, objectSID, sAMAccountName).
User Naming Attributes: http://msdn.microsoft.com/en-us/library/ms677605.aspx
Indexed attributes: http://msdn.microsoft.com/en-us/library/ms675095(VS.85).aspx
I hope this answers your question in a satisfactory manner. As always, let us know if you have any open specification-specific documentation issue, and we will be happy to assist.
Best regards,
Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team
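The [MS-SAMR] 3.1.1.8.4 constraint quoted above can be modelled to show why Tridge's second LDIF record is refused and how the returned status depends on the class of the object that already owns the name. The following is an added illustration for this thread, not Microsoft's or Samba's code: an in-memory list of objects stands in for the account and built-in domain, the DirObject type, the helper names and the sample objects are constructed here, DOMAIN_USER_RID_KRBTGT is the well-known krbtgt RID, and because the extract names no status for rule 1 that return value is a placeholder label. It also assumes sAMAccountName compares case-insensitively.

```python
from dataclasses import dataclass, field
from typing import Optional

# Well-known RID of the krbtgt account (DOMAIN_USER_RID_KRBTGT in [MS-SAMR]).
DOMAIN_USER_RID_KRBTGT = 0x1F6

# Rule 1 of the extract names no specific status; this label is a placeholder.
KRBTGT_NAME_ALREADY_SET = "ERROR_STATUS_UNSPECIFIED"

# Status returned for a collision, keyed by the class of the *existing* object.
STATUS_BY_CLASS = {
    "group": "STATUS_GROUP_EXISTS",
    "alias": "STATUS_ALIAS_EXISTS",
}


@dataclass
class DirObject:
    """Minimal stand-in for a directory object (constructed for this example)."""
    dn: str
    object_class: str                       # "user", "group" or "alias"
    sam_account_name: Optional[str] = None
    additional_sam_account_names: list = field(default_factory=list)  # msDS-AdditionalSamAccountName
    rid: Optional[int] = None               # RID portion of objectSid


def claimed_names(obj: DirObject) -> set:
    """sAMAccountName plus every msDS-AdditionalSamAccountName value, lower-cased.
    Assumption: sAMAccountName is compared case-insensitively, as in AD."""
    names = {v.lower() for v in obj.additional_sam_account_names}
    if obj.sam_account_name is not None:
        names.add(obj.sam_account_name.lower())
    return names


def check_sam_account_name(domain, target: DirObject, proposed: Optional[str]):
    """Apply [MS-SAMR] 3.1.1.8.4 to setting `proposed` as sAMAccountName on `target`.
    Returns None when the update is allowed, otherwise the status name."""
    # Rule 1: once the krbtgt account has a sAMAccountName it cannot be set again.
    if target.rid == DOMAIN_USER_RID_KRBTGT and target.sam_account_name is not None:
        return KRBTGT_NAME_ALREADY_SET
    if proposed is None:
        return None
    # Rule 2: the value must be unique against the union of sAMAccountName and
    # msDS-AdditionalSamAccountName values of all *other* objects in the domain.
    for other in domain:
        if other.dn == target.dn:
            continue
        if proposed.lower() in claimed_names(other):
            return STATUS_BY_CLASS.get(other.object_class, "STATUS_USER_EXISTS")
    return None


def add_object(domain, obj: DirObject):
    """Create `obj` in `domain` if its sAMAccountName passes the constraint.
    Returns None on success, else the status name (and the object is not added)."""
    status = check_sam_account_name(domain, obj, obj.sam_account_name)
    if status is None:
        domain.append(obj)
    return status


def build_sample_domain():
    """Constructed sample directory: Tridge's first record plus a group, an alias,
    an account with an additional SAM name, and krbtgt (RIDs 512/544 are well known,
    1105/1106 are made up)."""
    return [
        DirObject("CN=test1,OU=User2,DC=vsofs8,DC=com", "user", "test1", rid=1105),
        DirObject("CN=Domain Admins,CN=Users,DC=vsofs8,DC=com", "group", "Domain Admins", rid=512),
        DirObject("CN=Administrators,CN=Builtin,DC=vsofs8,DC=com", "alias", "Administrators", rid=544),
        DirObject("CN=svc,OU=User2,DC=vsofs8,DC=com", "user", "svc", ["svc-old"], rid=1106),
        DirObject("CN=krbtgt,CN=Users,DC=vsofs8,DC=com", "user", "krbtgt", rid=DOMAIN_USER_RID_KRBTGT),
    ]


def demo():
    """Replay the thread's scenario and the other branches of the constraint."""
    domain = build_sample_domain()
    return {
        # Tridge's second record: same sAMAccountName under a different OU.
        "test1_in_OU3": add_object(domain, DirObject("CN=test1,OU=User3,DC=vsofs8,DC=com", "user", "test1")),
        "test2_in_OU3": add_object(domain, DirObject("CN=test2,OU=User3,DC=vsofs8,DC=com", "user", "test2")),
        "user_named_like_group": add_object(domain, DirObject("CN=da,OU=User3,DC=vsofs8,DC=com", "user", "domain admins")),
        "user_named_like_alias": add_object(domain, DirObject("CN=adm,OU=User3,DC=vsofs8,DC=com", "user", "Administrators")),
        "user_named_like_additional": add_object(domain, DirObject("CN=old,OU=User3,DC=vsofs8,DC=com", "user", "svc-old")),
        "rename_krbtgt": check_sam_account_name(domain, domain[4], "krbtgt2"),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:28s} -> {status or 'added'}")
```

The point the model makes explicit is the one in the answer above: nothing in the schema marks sAMAccountName as unique; the uniqueness comes entirely from a processing rule that scans every other object's sAMAccountName and msDS-AdditionalSamAccountName values, and the DN of the new object plays no part in the check.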
-----Original Message-----
From: Edgar Olougouna
Sent: Monday, June 01, 2009 10:17 AM
To: 'tridge at samba.org'
Cc: cifs-protocol at samba.org; pfif at tridgell.net
Subject: RE: how are unique attributes determined?
Hi Tridge,
I have taken ownership of this case regarding AD attributes (case SRX090601600044). I will be communicating with you as soon as I have updates or clarification questions.
Best regards,
Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team
-----Original Message-----
From: tridge at samba.org [mailto:tridge at samba.org]
Sent: Monday, June 01, 2009 12:28 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; pfif at tridgell.net
Subject: CAR: how are unique attributes determined?
We would like to know how to work out which attributes in AD are
uniquely indexed.
We know that attributes like samAccountName, objectGUID and objectSID
are all unique. So if you try to create the following two records
using LDAP:
dn: CN=test1,OU=User2,DC=vsofs8,DC=com
sAMAccountName: test1
objectClass: user

dn: CN=test1,OU=User3,DC=vsofs8,DC=com
sAMAccountName: test1
objectClass: user
then the Windows AD implementation will return LDAP_ERR_ALREADY_EXISTS for
the second one, presumably because samAccountName is a unique
attribute. This makes sense, as you don't want two users with the same
account name.
What we can't work out is how to find the list of unique
attributes. We can't find anything in the schema that tells us an
attribute is unique. What part in the schema gives us that? Or is it
somewhere outside the schema?
Cheers, Tridge