[cifs-protocol] limits on rDN size in AD ?

Hongwei Sun hongweis at microsoft.com
Fri Oct 16 16:31:01 MDT 2009


   After reviewing the documentation and verifying with code, I confirmed that your observation is right and I have an explanation for the behavior.

   The size-related naming constraints for RDN of an object (described in MS-ADTS) should be the combination of the limitations below:

  (1)  The RDN size must be less than 255 characters. This is a limitation of the allocated maximum RDN buffer. It is one of the conditions that will be checked during constraint checking. This is already in the document.

  (2)  The RDN of an object is a string of the form "att=val" where att is the lDAPDisplayName of the RDN attribute (specified by attribute rDNAttID) of the object and val is the value of the RDN attribute on this object, as described in MS-ADTS. The schema constraint on the value of the RDN attribute (right side of 'att=val'), namely that its size must be bounded between attribute rangeLower and rangeUpper, is also enforced. This is implicitly indicated when an AD attribute value is used. We could add it explicitly in section to make it clearer to the readers of the document. I will file a request for this clarification.

  For your example, the attribute rdnAttId of objectClass container is cn (2.25 MS-ADSC). So the RDN attribute is cn, which in turn has 1 as rangeLower and 64 as rangeUpper (2.110 MS-ADA1). That is the reason why any value for the cn attribute with a size of more than 64 triggers a namingViolation LDAP error.

  The same rule can be applied to OU and DC objectClass. The size of ou value will be limited between 1 and 64 (2.72 MS-ADA3) and the size of dc value should be limited between 1 and 255 (2.142 MS-ADA1).
  Please let me know if this answers your question.



-----Original Message-----
From: tridge at samba.org [mailto:tridge at samba.org] 
Sent: Thursday, October 15, 2009 7:56 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; hyc at highlandsun.com
Subject: CAR: limits on rDN size in AD ?


When we were running the AD LDAP test suite at the DRS plugfest, we
ran across a test that checked that the ldap server didn't accept a
rDN with a length longer than 255 bytes.

I've since looked into this a bit, and the testing I've done seems to
show that the limit is actually 64 bytes (at least for OU, CN and DC).

Can you please confirm if this is right? Is this a deliberate limit,
and if so, why is it so low? This seems to go against the LDAP spec
(from discussions with Howard Chu, CCd).

To give you a concrete example, this add succeeds against w2k8-r2:

  dn: CN=a012345678901234567890123456789012345678901234567890123456789012,DC=VSOFS8,DC=COM
  objectClass: container

but this one fails:

  dn: CN=a0123456789012345678901234567890123456789012345678901234567890120,DC=VSOFS8,DC=COM
  objectClass: container

The error from the 2nd one is:

  "LDAP error 19 LDAP_CONSTRAINT_VIOLATION -  <00002082: AtrErr: DSID-03050C66, #1:
        0: 00002082: DSID-03050C66, problem 1005
        (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130

which seems to indicate a limit of 64 characters (128 UTF16 bytes).

I don't see this limit in the docs, but perhaps I missed it?

Cheers, Tridge
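
The two limits from the reply, combined into a pre-flight check that a provisioning tool could run before sending an LDAP add. This is an added example, not part of the thread and not Samba or Microsoft code. The function names, the UTF-16 length counting, and applying limit (1) to the whole att=val string are assumptions.

```python
# Added example (not from the thread): pre-flight check of the two RDN size limits.
# rangeLower/rangeUpper values are the ones quoted in the reply.
RDN_VALUE_RANGE = {"cn": (1, 64), "ou": (1, 64), "dc": (1, 255)}
# Limit (1): RDN must be less than 255 characters.
# Assumption: measured over the whole "att=val" string.
MAX_RDN_CHARS = 255


def utf16_units(s):
    # Assumption: lengths are counted in UTF-16 code units ("len 130" for 65 chars).
    return len(s.encode("utf-16-le")) // 2


def split_first_rdn(dn):
    """Return (att, val) for the leftmost RDN of dn.

    Assumption: only single-character backslash escapes (e.g. "\\,") are
    handled; hex-pair escapes and multi-valued RDNs are out of scope.
    """
    chars, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1  # keep the escaped character, drop the backslash
        chars.append(dn[i])
        i += 1
    att, sep, val = "".join(chars).partition("=")
    if not sep or not att.strip():
        raise ValueError("leftmost RDN is not of the form att=val")
    return att.strip(), val


def check_rdn(dn):
    """Return a list of size violations for the leftmost RDN (empty list = OK)."""
    att, val = split_first_rdn(dn)
    problems = []
    rdn_len = utf16_units(f"{att}={val}")
    if rdn_len >= MAX_RDN_CHARS:
        problems.append(f"RDN is {rdn_len} chars, must be less than {MAX_RDN_CHARS}")
    bounds = RDN_VALUE_RANGE.get(att.lower())
    if bounds is None:
        problems.append(f"no range known for RDN attribute {att!r}")
    elif not bounds[0] <= utf16_units(val) <= bounds[1]:
        problems.append(f"{att} value is {utf16_units(val)} chars, "
                        f"allowed {bounds[0]}..{bounds[1]}")
    return problems


# The two DNs from the original message (64- and 65-character cn values).
VAL64 = "a" + "0123456789" * 6 + "012"
DN_OK = f"CN={VAL64},DC=VSOFS8,DC=COM"
DN_BAD = f"CN={VAL64}0,DC=VSOFS8,DC=COM"
```

Under these assumptions a 255-character dc value is within its rangeUpper but is still rejected, because the full RDN exceeds the buffer limit.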
