[cifs-protocol] Status: limits on rDN size in AD (SRX091112600056 [MS-ADTS] limits on rDN size in AD)

Bill Wesse billwe at microsoft.com
Fri Nov 20 11:00:43 MST 2009


Hello Tridge - just checking in to see how things are going.

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

From: Bill Wesse
Sent: Friday, November 13, 2009 1:11 PM
To: 'tridge at samba.org'
Cc: 'cifs-protocol at samba.org'; 'hyc at highlandsun.com'
Subject: Status: limits on rDN size in AD (SRX091112600056 [MS-ADTS] limits on rDN size in AD)

Hello Tridge. Here is what I have (pending the proposed changes for [MS-ADTS]):

The length of a delete-mangled RDN may indeed exceed rangeUpper, due to the additional delete-mangle decoration.

I should first note that the delete-mangled RDN format contains a '\0A' character - not a '\0'. Perhaps this is a typo in your email?

\0A is a character not allowed in Active Directory names, per [MS-ADTS] 3.1.1.5.1.2 - and is certainly a handy way to verify whether or not a name has been mangled (a.k.a. strchr(pszRDN, (int)0x0a) ).

The format is, of course, noted in [MS-ADTS] 3.1.1.5.5, like "objectName\0ADEL:dashed_string_objectGUID". As noted in [MS-ADTS] 3.1.1.5.1.2, the maximum RDN length is 255; it is further constrained to 64 ([MS-ADA1] 2.110 Attribute cn, rangeUpper: 64).

That said, the length of a delete-mangled RDN can be up to 105 characters (not including the terminating NUL character): {rangeUpper:64} + {0x0A:1} + {'DEL:':4} + {dashed-string-Guid:36}.

[MS-ADTS] 3.1.1.5.1.2 also notes that "Naming constraints are not enforced for replicated updates.", so the additional length of a delete-mangled RDN will replicate properly.

I have filed a TDI against [MS-ADTS] section 3.1.1.5.5 Delete Operation to have this annotated.

References:

[MS-ADTS]: Active Directory Technical Specification

3.1.1.5.1.2 Naming Constraints

During an originating update of the Add, Modify, and Modify DN operations, the server validates the following naming constraints. Unless otherwise specified, the server returns LDAP error namingViolation if a naming constraint is not met.

o The RDN must not contain a character with value 0xA.

o The RDN must not contain a character with value 0x0; otherwise, the server SHOULD return LDAP error invalidDNSyntax. However, if the DC functional level is DS_BEHAVIOR_WIN2000, the server will not return an error.

o The DN must be compliant with [RFC2253].

o The RDN size must be less than 255 characters.

Naming constraints are not enforced for replicated updates.

3.1.1.5.5 Delete Operation
...
In most cases, upon deletion, a tombstone, deleted-object, or recycled-object is moved into the Deleted Objects container of its NC; for exceptions see section 3.1.1.5.5.6. The RDN of the object is changed to a "delete-mangled RDN"-an RDN that is guaranteed to be unique within the Deleted Objects container. If O is the object that is deleted, the delete-mangled RDN is the concatenation of O!name, the character with value 0x0A, the string "DEL:", and the dashed string representation ([RFC4122] section 3) of O!objectGUID. A "delete-mangled DN" is a DN such that the leaf RDN is a delete-mangled RDN.

==============================================================================
Question:

From: tridge at samba.org [mailto:tridge at samba.org]
Sent: Monday, November 09, 2009 6:58 PM
To: Hongwei Sun
Cc: cifs-protocol at samba.org; hyc at highlandsun.com
Subject: RE: limits on rDN size in AD ?

Hi Hongwei,

We're back to the old question of rDN size limits again!

I just got a DRS replication reply from w2k8-r2 with a CN that has a length larger than 64. So I suspect that things are a bit more complex than what we'd discussed before.

The object was:

  CN=89532b80-09fe-445e-afef-965c0d7f7d15\0ADEL:462902b4-1824-4f02-8956-9f934f64fa01,CN=Deleted Objects,CN=Configuration,DC=vsofs8,DC=com

which gives a length of 80.

Are we perhaps supposed to interpret the \0 as a termination character for the purposes of this length constraint? (note that this is a \ followed by a 0, not a nul byte).

Or perhaps deleted objects are special in their constraints in some way?

Cheers, Tridge

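The two size rules Bill lays out (rangeUpper 64 for a plain cn, and 64 + 1 + 4 + 36 = 105 for a delete-mangled RDN), applied to the DN Tridge quoted. This is an added example, not Samba's or Microsoft's code; it assumes only RFC 2253 string escaping, where `\0A` in the LDAP string form is a single hex-escaped 0x0A character rather than a backslash followed by a zero.

```python
# Added example (not Samba's or Microsoft's code): decode an LDAP DN's leaf RDN
# and apply the delete-mangled RDN size rules from the thread above.
import re

RANGE_UPPER_CN = 64                                  # [MS-ADA1] cn rangeUpper
MANGLED_MAX = RANGE_UPPER_CN + 1 + len("DEL:") + 36  # 105, per the thread
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def leaf_rdn_value(dn: str) -> str:
    """Decode the leaf RDN value of an RFC 2253 DN string.
    '\\0A' is a hex-escaped 0x0A byte (one character, not backslash-zero);
    '\\,' escapes a single character; an unescaped ',' ends the RDN.
    """
    rest = dn.partition("=")[2]
    out, i = [], 0
    while i < len(rest) and rest[i] != ",":
        if rest[i] != "\\":
            out.append(rest[i])
            i += 1
        elif re.fullmatch(r"[0-9a-fA-F]{2}", rest[i + 1:i + 3]):
            out.append(chr(int(rest[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(rest[i + 1:i + 2])
            i += 2
    return "".join(out)

def check_rdn(dn: str) -> dict:
    """Classify the leaf RDN as plain or delete-mangled and check its size."""
    value = leaf_rdn_value(dn)
    result = {"length": len(value), "mangled": "\x0a" in value}
    if not result["mangled"]:
        # Originating update: rangeUpper (64) bounds the whole cn value.
        result["ok"] = 0 < len(value) <= RANGE_UPPER_CN
        return result
    # Replicated deleted object: name <= 64, 0x0A, "DEL:", dashed GUID -> <= 105.
    name, _, tail = value.partition("\x0a")
    guid = tail[len("DEL:"):]
    result.update(name=name, object_guid=guid)
    result["ok"] = (tail.startswith("DEL:")
                    and GUID_RE.fullmatch(guid) is not None
                    and 0 < len(name) <= RANGE_UPPER_CN
                    and len(value) <= MANGLED_MAX)
    return result

# Constructed from the DN quoted in Tridge's message (as an LDAP string).
TRIDGE_DN = ("CN=89532b80-09fe-445e-afef-965c0d7f7d15\\0ADEL:"
             "462902b4-1824-4f02-8956-9f934f64fa01,"
             "CN=Deleted Objects,CN=Configuration,DC=vsofs8,DC=com")
```

Decoded, Tridge's RDN is 77 characters (36 + 1 + 4 + 36), well under the 105 bound; the 64-character limit applies to the original name before the 0x0A, not to the whole mangled value.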

From: Bill Wesse
Sent: Thursday, November 12, 2009 9:44 AM
To: 'tridge at samba.org'
Cc: 'cifs-protocol at samba.org'; 'hyc at highlandsun.com'
Subject: Re: limits on rDN size in AD (SRX091112600056 [MS-ADTS] limits on rDN size in AD)

Good morning Tridge! Since Hongwei is out of the office, I have created case SRX091112600056 to track our work against your question about rDN size / deleted object rDN.

I expect to be able to begin work on this tomorrow, and will keep you updated!



-----Original Message-----
From: Hongwei Sun
Sent: Thursday, November 12, 2009 12:56 PM
To: 'tridge at samba.org'
Cc: cifs-protocol at samba.org; hyc at highlandsun.com; Edgar Olougouna; Sebastian Canevari
Subject: RE: limits on rDN size in AD ?

Tridge,

  The RDN of the Deleted Objects container is a little different from the normal RDN. The following information in MS-ADTS 3.1.1.5.5 describes the composition of the RDN for objects in the Deleted Objects container:

  "The RDN of the object is changed to a "delete-mangled RDN"-an RDN that is guaranteed to be unique within the Deleted Objects container. If O is the object that is deleted, the delete-mangled RDN is the concatenation of O!name, the character with value 0x0A, the string "DEL:", and the dashed string representation ([RFC4122] section 3) of O!objectGUID."

  It looks to me like, for the Deleted Objects container, the size constraint should be dependent on the combination of each sub-component. Since I am out of the office, I will ask one of my team members to investigate and confirm the behavior.

Thanks!
