[cifs-protocol] CAR: limits on rDN size in AD ?

tridge at samba.org
Thu Oct 15 18:55:50 MDT 2009


When we were running the AD LDAP test suite at the DRS plugfest, we
ran across a test that checked that the LDAP server didn't accept an
rDN with a length longer than 255 bytes.

I've since looked into this a bit, and the testing I've done seems to
show that the limit is actually 64 bytes (at least for OU, CN and DC).

Can you please confirm if this is right? Is this a deliberate limit,
and if so, why is it so low? This seems to go against the LDAP spec
(from discussions with Howard Chu, CC'd).

To give you a concrete example, this add succeeds against w2k8-r2:

  dn: CN=a012345678901234567890123456789012345678901234567890123456789012,DC=VSOFS8,DC=COM
  objectClass: container

but this one fails:

  dn: CN=a0123456789012345678901234567890123456789012345678901234567890120,DC=VSOFS8,DC=COM
  objectClass: container

The error from the 2nd one is:

  "LDAP error 19 LDAP_CONSTRAINT_VIOLATION -  <00002082: AtrErr: DSID-03050C66, #1:
        0: 00002082: DSID-03050C66, problem 1005
        (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130

which seems to indicate a limit of 64 characters (128 UTF-16 bytes).

I don't see this limit in the docs, but perhaps I missed it?

Cheers, Tridge
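
Added example (not part of the original message, and not Samba or Microsoft code): a Python pre-flight check that extracts the leading rDN from a DN, decodes RFC 4514 escapes, and compares the value's UTF-16 byte length with the limit the message observed. The 64-character limit, the set of affected attributes, and the reading of "len" in the error as UTF-16 bytes are assumptions taken from the message; multi-valued rDNs are not handled.

```python
import re

LIMIT_CHARS = 64                    # assumption: limit observed in the message
LIMITED_ATTRS = {"cn", "ou", "dc"}  # attributes the message reports testing
HEX_PAIR = re.compile(r"\\([0-9A-Fa-f]{2})")

# The two DNs from the message above.
DN_OK = "CN=a012345678901234567890123456789012345678901234567890123456789012,DC=VSOFS8,DC=COM"
DN_TOO_LONG = "CN=a0123456789012345678901234567890123456789012345678901234567890120,DC=VSOFS8,DC=COM"


def split_first_rdn(dn):
    """Return (attr, raw_value) of the leading rDN; escaped commas do not split."""
    i = 0
    while i < len(dn) and dn[i] != ",":
        i += 2 if dn[i] == "\\" else 1
    attr, sep, raw = dn[:i].partition("=")
    if not sep:
        raise ValueError("leading rDN has no '='")
    return attr.strip().lower(), raw


def unescape(raw):
    """Decode an RFC 4514 value: \\XX pairs are UTF-8 bytes, \\c is the literal c."""
    out, i = bytearray(), 0
    while i < len(raw):
        m = HEX_PAIR.match(raw, i)
        if m:
            out.append(int(m.group(1), 16))
            i += 3
        else:
            if raw[i] == "\\" and i + 1 < len(raw):
                i += 1              # drop the backslash, keep the escaped character
            out += raw[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def check_rdn(dn):
    """Return (accepted, attr, utf16_bytes); utf16_bytes matches 'len' in the error."""
    attr, raw = split_first_rdn(dn)
    nbytes = len(unescape(raw).encode("utf-16-le"))
    accepted = attr not in LIMITED_ATTRS or nbytes <= LIMIT_CHARS * 2
    return accepted, attr, nbytes


if __name__ == "__main__":
    for dn in (DN_OK, DN_TOO_LONG):
        print(check_rdn(dn))
```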
