[cifs-protocol] [REG:110102774074009] RE: "description" attribute in AD

Obaid Farooqi obaidf at microsoft.com
Fri Nov 12 17:33:11 MST 2010


Hi Matthias:
In the case of a SAM object, the description attribute is mapped to the AdminComment field. This is documented in MS-SAMR. The type of AdminComment is RPC_UNICODE_STRING. One example is as follows:

typedef struct _SAMPR_DOMAIN_DISPLAY_USER {
  unsigned long Index;
  unsigned long Rid;
  unsigned long AccountControl;
  RPC_UNICODE_STRING AccountName;
  RPC_UNICODE_STRING AdminComment;
  RPC_UNICODE_STRING FullName;
} SAMPR_DOMAIN_DISPLAY_USER, *PSAMPR_DOMAIN_DISPLAY_USER;

So on SAM objects, the description attribute should be treated as single-valued to be consistent.

Allowing more than one value to be added to the description attribute on a SAM object through an add operation is unintended behavior. This behavior has existed since the Windows 2000 Server release. There is no plan to change this behavior, for backward compatibility reasons.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Matthias Dieter Wallnöfer [mailto:mdw at samba.org] 
Sent: Friday, November 12, 2010 11:12 AM
To: Obaid Farooqi
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: RE:[REG:110102774074009] "description" attribute in AD

Thanks Obaid,

that's fine.

The remaining question is only about the reason: *why* does it make sense to let it be set multi-valued on add operations while modifications afterwards are only allowed single-valued? It would be nice if you could enhance MS-ADTS in the sense "the description attribute behaves like ..., since ..." - I don't know - for example "a certain trigger/RPC server requires this".

I would be glad to understand why this is so, since for sure it wasn't implemented just for fun.

Regards,
Matthias Wallnöfer

Obaid Farooqi wrote:
> Hi Matthias:
>
> Attribute Description is described as multivalued in MS-ADA1 and as such allows addition of multiple values. There is a constraint on the modify operation, as I communicated earlier.
>
> Please let me know if this answers your question. If it does, I'll consider this issue resolved.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Matthias Dieter Wallnöfer [mailto:mdw at samba.org]
> Sent: Thursday, November 11, 2010 2:00 AM
> To: Obaid Farooqi
> Cc: cifs-protocol at samba.org; MSSolve Case Email
> Subject: Re: [REG:110102774074009] "description" attribute in AD
>
> Hi Obaid,
>
> exactly, that's true.
> But why does the add operation allow it to be set multi-valued? Is there a reason? Or is it just a bug?
>
> Greets,
> Matthias
>
> Obaid Farooqi wrote:
>    
>> Hi Matthias:
>> We have finished our investigation on your question regarding attribute description. In a future release of MS-ADTS, the following bullet will be added at the end of section 3.1.1.5.3.2 Constraints:
>>
>> “If the modify operation adds or replaces values of the description attribute on a SAM-specific object (section 3.1.1.5.2.3), and results in more than one value in the attribute, then the modification fails with attributeOrValueExists / ERROR_DS_SINGLE_VALUE_CONSTRAINT”
>>
>> Please let me know if this answers your question. If it does, I’ll consider this issue resolved.
>>
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>>
>> -----Original Message-----
>> From: Matthias Dieter Wallnöfer [mailto:mdw at samba.org]
>> Sent: Wednesday, October 27, 2010 3:11 PM
>> To: Interoperability Documentation Help
>> Cc: cifs-protocol at samba.org
>> Subject: "description" attribute in AD
>>
>> Hi dochelp team,
>>
>> the "description" attribute in AD seems very special. Although defined as multi-valued in the schema, it's de facto single-valued.
>>
>> That means:
>> - on LDAP entry add operations you are able to set it multi-valued
>> - on LDAP entry change operations you aren't - e.g. if you try to replace it multi-valued or perform a multi-valued add you get ERR_ATTRIBUTE_ALREADY_EXISTS.
>>
>> As far as I know I didn't find much in the docs about this strange behaviour, and as far as I can tell it only applies to "description". It would be nice to enhance MS-ADTS regarding it and to start some investigation into whether it wouldn't be better to really define it as single-valued in the schema.
>>
>> Greets,
>> Matthias
>>
>> Microsoft is committed to protecting your privacy. Please read the Microsoft Privacy Statement for more information. The above is an email for a support case from Microsoft Corp. REPLY ALL TO THIS MESSAGE or INCLUDE casemail at microsoft.com IN YOUR REPLY if you want your response added to the case automatically. For technical assistance, please include the Support Engineer on the TO: line. Thank you.
>>
>>
>>      
>
>    

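The asymmetry this thread describes (several description values accepted on the LDAP add of a SAM-specific object, but a later modify that would leave more than one value rejected with attributeOrValueExists / ERROR_DS_SINGLE_VALUE_CONSTRAINT, while the SAMR side only has a single RPC_UNICODE_STRING AdminComment field) can be replayed in a small directory model. The Python below is an added example written for this page; it is not code from the thread, from Samba or from Windows. The set of object classes it treats as SAM-specific, the Entry class, the ldap_add/ldap_modify/samr_admin_comment functions, and the DNs are constructed for illustration, and which of several stored values Windows would surface as AdminComment is an assumption the thread does not settle.

```python
from dataclasses import dataclass, field

# Result names quoted in the thread (LDAP result code / Windows error name).
ATTRIBUTE_OR_VALUE_EXISTS = "attributeOrValueExists"
ERROR_DS_SINGLE_VALUE_CONSTRAINT = "ERROR_DS_SINGLE_VALUE_CONSTRAINT"

# Assumption: object classes this toy model treats as "SAM-specific".
# MS-ADTS 3.1.1.5.2.3 defines the real set; this list is only illustrative.
SAM_SPECIFIC_CLASSES = {"user", "computer", "group"}


class ConstraintViolation(Exception):
    """Raised when a modify violates the single-value rule quoted in the thread."""

    def __init__(self, ldap_result, win_error):
        super().__init__(f"{ldap_result} / {win_error}")
        self.ldap_result = ldap_result
        self.win_error = win_error


@dataclass
class Entry:
    dn: str
    object_classes: set
    attrs: dict = field(default_factory=dict)  # lower-cased attribute name -> list of values


def is_sam_specific(entry):
    return bool({c.lower() for c in entry.object_classes} & SAM_SPECIFIC_CLASSES)


def ldap_add(directory, dn, object_classes, attrs):
    """Add operation: no single-value check on description, as the thread states."""
    entry = Entry(dn, set(object_classes), {k.lower(): list(v) for k, v in attrs.items()})
    directory[dn] = entry
    return entry


def ldap_modify(directory, dn, op, attr, values=()):
    """Apply one modification and enforce the MS-ADTS constraint quoted above."""
    entry = directory[dn]
    attr = attr.lower()
    current = list(entry.attrs.get(attr, []))
    if op == "add":
        new = current + [v for v in values if v not in current]
    elif op == "replace":
        new = list(values)
    elif op == "delete":
        new = [v for v in current if v not in values] if values else []
    else:
        raise ValueError(f"unknown op {op!r}")

    # The constraint applies only to add/replace of description on SAM-specific
    # objects, and only when the result would hold more than one value.
    if (attr == "description" and op in ("add", "replace")
            and is_sam_specific(entry) and len(new) > 1):
        raise ConstraintViolation(ATTRIBUTE_OR_VALUE_EXISTS, ERROR_DS_SINGLE_VALUE_CONSTRAINT)

    if new:
        entry.attrs[attr] = new
    else:
        entry.attrs.pop(attr, None)
    return entry


def samr_admin_comment(entry):
    """SAMR view: AdminComment is one RPC_UNICODE_STRING, so only one value can be
    surfaced. Assumption: the first stored value is returned; the thread does not
    say which value Windows picks when several exist."""
    values = entry.attrs.get("description", [])
    return values[0] if values else ""


def run_scenario():
    """Replay the behaviour reported in the thread; returns a dict of outcomes."""
    directory, out = {}, {}
    # Constructed user entry: add with two description values is accepted.
    user = ldap_add(directory, "CN=alice,CN=Users,DC=example,DC=test", ["user"],
                    {"description": ["first", "second"]})
    out["add_multi"] = len(user.attrs["description"])
    try:
        ldap_modify(directory, user.dn, "add", "description", ["third"])
        out["modify_add"] = "ok"
    except ConstraintViolation as e:
        out["modify_add"] = e.ldap_result
    try:
        ldap_modify(directory, user.dn, "replace", "description", ["x", "y"])
        out["modify_replace_multi"] = "ok"
    except ConstraintViolation as e:
        out["modify_replace_multi"] = e.win_error
    # A replace that leaves exactly one value is fine.
    ldap_modify(directory, user.dn, "replace", "description", ["only"])
    out["modify_replace_single"] = user.attrs["description"]
    # A non-SAM object (constructed OU) is not subject to the constraint.
    ou = ldap_add(directory, "OU=Sales,DC=example,DC=test", ["organizationalUnit"], {})
    ldap_modify(directory, ou.dn, "add", "description", ["a", "b"])
    out["ou_modify_multi"] = len(ou.attrs["description"])
    out["admin_comment"] = samr_admin_comment(user)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running run_scenario() shows the two code paths side by side: the add path stores both values, the modify path refuses any add or replace that would leave more than one value on the user object, and the same modify on the organizational unit succeeds because the object is not SAM-specific.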