[cifs-protocol] limits on rDN size in AD ?

Edgar Olougouna edgaro at microsoft.com
Thu Oct 15 19:15:47 MDT 2009


Thanks for your question regarding RDN size in AD. I have created the case number SRX091015600407 for this inquiry.
One of my colleagues will take ownership of the case and contact you soon.

Best regards,


-----Original Message-----
From: tridge at samba.org [mailto:tridge at samba.org] 
Sent: Thursday, October 15, 2009 7:56 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; hyc at highlandsun.com
Subject: CAR: limits on rDN size in AD ?


When we were running the AD LDAP test suite at the DRS plugfest, we
ran across a test that checked that the LDAP server didn't accept an
rDN with a length longer than 255 bytes.

I've since looked into this a bit, and the testing I've done seems to
show that the limit is actually 64 bytes (at least for OU, CN and DC).

Can you please confirm if this is right? Is this a deliberate limit,
and if so, why is it so low? This seems to go against the LDAP spec
(from discussions with Howard Chu, CCd).

To give you a concrete example, this add succeeds against w2k8-r2:

  dn: CN=a012345678901234567890123456789012345678901234567890123456789012,DC=VSOFS8,DC=COM
  objectClass: container

but this one fails:

  dn: CN=a0123456789012345678901234567890123456789012345678901234567890120,DC=VSOFS8,DC=COM
  objectClass: container

The error from the 2nd one is:

  "LDAP error 19 LDAP_CONSTRAINT_VIOLATION -  <00002082: AtrErr: DSID-03050C66, #1:
        0: 00002082: DSID-03050C66, problem 1005
        (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130

which seems to indicate a limit of 64 characters (128 UTF16 bytes).

I don't see this limit in the docs, but perhaps I missed it?

Cheers, Tridge
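
An added example, not part of the original post: a client-side pre-flight check that reproduces the observation above by measuring the leading RDN value in UTF-16 and comparing it with the 64-character limit the post reports. The names `check_rdn` and `OBSERVED_LIMIT_CHARS` are hypothetical, and the limit itself is the post's test result, not a confirmed documented value.

```python
import re

# Assumption: 64 characters is the limit the post observed for CN, OU and DC
# on w2k8-r2; the page does not confirm it as a documented constant.
OBSERVED_LIMIT_CHARS = 64
_HEX_PAIR = re.compile(r"\\([0-9A-Fa-f]{2})")


def _unescape(raw):
    """Undo RFC 4514 escaping: \\XX hex pairs are UTF-8 bytes, \\c is literal c."""
    out, i = bytearray(), 0
    while i < len(raw):
        m = _HEX_PAIR.match(raw, i)
        if m:
            out.append(int(m.group(1), 16))
            i += 3
        elif raw[i] == "\\" and i + 1 < len(raw):
            out += raw[i + 1].encode("utf-8")
            i += 2
        else:
            out += raw[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def check_rdn(dn, limit=OBSERVED_LIMIT_CHARS):
    """Return (attr, utf16_units, utf16_bytes, within_limit) for the leading RDN.

    Multi-valued RDNs (joined with '+') are not split; the whole value is measured.
    """
    i = 0
    while i < len(dn) and dn[i] != ",":      # stop at the first unescaped comma
        i += 2 if dn[i] == "\\" else 1
    attr, _, raw = dn[:i].partition("=")
    nbytes = len(_unescape(raw).encode("utf-16-le"))
    return attr.strip().upper(), nbytes // 2, nbytes, nbytes // 2 <= limit


# The two DNs from the post, built programmatically (64 and 65 character CN values).
DN_ACCEPTED = "CN=a" + "0123456789" * 6 + "012" + ",DC=VSOFS8,DC=COM"
DN_REJECTED = "CN=a" + "0123456789" * 6 + "0120" + ",DC=VSOFS8,DC=COM"

if __name__ == "__main__":
    for dn in (DN_ACCEPTED, DN_REJECTED):
        print(check_rdn(dn))
```

The byte count returned for the rejected DN matches the `len 130` reported in the server's error text.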
