[cifs-protocol] Object(OR-Name) syntax implementation
johndun at microsoft.com
Thu Nov 19 15:41:07 MST 2009
My name is John Dunning and I am a member of the Microsoft Protocols Documentation team. I will be working on your question Object(OR-Name) syntax implementation. I will keep you up to date as things progress on my end. In the meantime if you have any additional questions please let me know.
Senior Escalation Engineer Microsoft Corporation US-CSS DSC PROTOCOL TEAM
Email: johndun at microsoft.com
From: Kamen Mazdrashki [mailto:kamen.mazdrashki at postpath.com]
Sent: Thursday, November 19, 2009 3:00 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Object(OR-Name) syntax implementation
While I was trying to implement "Object(OR-Name)" syntax handling in Samba, I've got some unexpected results.
There are several places to describe this syntax:
http://msdn.microsoft.com/en-us/library/cc223181%28PROT.13%29.aspx - from ADTS
http://msdn.microsoft.com/en-us/library/cc228440%28PROT.13%29.aspx - from DRSR
Documentation says (ADTS and DRSR) that values with "Object(OR-Name)" syntax are in 'object_DN' format which is in "Object(DS-DN)" format.
At first I got the impression, that "Object(OR-Name)" and "Object(DS-DN)" are the same.
But then, LDAP queries against AD always returns plain-dn DNs - even when 'extended dn' control is passed.
So I come to a conclusion, 'object_DN' means "DN part from Object(DS-DN) syntax".
After some tests with DRSUAPI interface though, it turns that values with 'OR-Name' syntax are transmitted in
"<GUID=..>;<SID=...>;dn" format which is "Object(DS-DN)" format!
At this point, I decided, that "Object(OR-Name)" is represented in two ways:
1. plain_dn - when working through LDAP
2. Object(DS-DN) - when transmitted using DRS interface
But then, after few hours of debugging/testing I was surprised to find out that through DRS interface, values with "Object(OR-Name)" syntax are transmitted as "Object(DN-Binary)"!
Here is some test data:
I am playing with "authOring" attribute (from MS Exchange 2003 provisioning)
Through DRS I am getting blob with value:
When I assume this value is in Object(DS-DN) format, it is correctly converted to following extended-DN:
However, the above mentioned extended-DN does not match exactly the blob value when it is converted back to blob using "Object(DS-DN)" syntax handling.
On the other hand, when using "Object(DN-Binary)" syntax implementation, forward/backward conversions match perfectly. I.e. the abovementioned blob value should be decoded to DN-Binary value:
I think there is a bug in documentation?
kamen.mazdrashki at postpath.com
CISCO SYSTEMS BULGARIA EOOD
More information about the cifs-protocol