[cifs-protocol] [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification

Obaid Farooqi obaidf at microsoft.com
Mon Dec 1 10:11:27 MST 2014


Hi Samuel:
The attribute wellKnownObjects is not a linked attribute since there is no linkID attribute defined on it in MS-ADA3 section "2.369 Attribute wellKnownObjects". The LDAP_MATCHING_RULE_TRANSITIVE_EVAL is only good for link attributes, as mentioned in MS-ADTS.

Please let me know if it answers your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: Obaid Farooqi 
Sent: Tuesday, November 25, 2014 3:08 PM
To: <scabrero at zentyal.com>
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification

Hi Samuel 
I'll look into this and get back to you as soon as I have an answer. 



> On Nov 25, 2014, at 10:29 AM, Samuel Cabrero <scabrero at zentyal.com> wrote:
> 
> Hi Obaid,
> 
> you are right but my interpretation of the documentation is that the 
> attribute values in the entry being visited also have to be stripped 
> before comparison, not only the value specified in the filter.
> 
> 
> In the EvalTransitiveFilterHelper pseudo code:
> 
> "If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or 
> Object(Access-Point) syntax, let C be the set of the object_DN 
> components of the values of ToVisit.A. Otherwise, let
> C be the set of the values of ToVisit.A. Note that C is a set of DNs."
> 
> "If V' is in C, return true."
> 
> Doesn't it mean the attribute values in the entry being visited also 
> have to be stripped before checking if V' is in the C set?
> 
> Regards,
> 
>> On dom, 2014-11-23 at 18:51 +0000, Obaid Farooqi wrote:
>> Hi Samuel:
>> My previous email had an inadvertent mistake. Please disregard 
>> that. Here is the corrected response.
>> 
>> In the filter
>> wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
>> 
>> As per documentation, the following rule applies:
>> If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or 
>> Object(Access-Point) syntax, let V' equal the object_DN portion of V
>> 
>> So V' becomes CN=computers,<base DN> and the filter becomes:
>> wellKnownObjects:1.2.840.113556.1.4.1941:=CN=computers,<base DN>
>> 
>> Since there is no object that has the value of wellKnownObjects 
>> attribute as CN=computers,<base DN>, therefore no object is returned.
>> 
>> Please let me know if it does not answer your question.
>> 
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>> 
>> Exceeding your expectations is my highest priority.  If you would 
>> like to provide feedback on your case you may contact my manager at 
>> nkang at Microsoft dot com
>> 
>> -----Original Message-----
>> From: Obaid Farooqi
>> Sent: Sunday, November 23, 2014 12:45 PM
>> To: 'scabrero at zentyal.com'
>> Cc: 'cifs-protocol at samba.org'; MSSolve Case Email
>> Subject: RE: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>> 
>> Hi Samuel:
>> In the filter
>> wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
>> 
>> As per documentation, the following rule applies:
>> If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or 
>> Object(Access-Point) syntax, let V' equal the object_DN portion of V
>> 
>> So V' becomes CN=computers,<base DN> and the filter becomes:
>> wellKnownObjects:1.2.840.113556.1.4.1941:=CN=computers,<base DN>
>> 
>> Since the object CN=computers,<base DN> does not have any attribute 
>> wellKnownObjects, therefore no object is returned.
>> 
>> Please let me know if it does not answer your question.
>> 
>> 
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>> 
>> Exceeding your expectations is my highest priority.  If you would 
>> like to provide feedback on your case you may contact my manager at 
>> nkang at Microsoft dot com
>> 
>> -----Original Message-----
>> From: "Obaid Farooqi" <obaidf at microsoft.com>
>> Sent: Thursday, November 20, 2014 9:53 AM
>> To: "scabrero at zentyal.com" <scabrero at zentyal.com>
>> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve 
>> Case Email" <casemail at microsoft.com>
>> Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>> 
>> Hi Samuel:
>> I am still looking into it and I'll be in touch as soon as I have an 
>> answer.
>> 
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>> 
>> Exceeding your expectations is my highest priority.  If you would 
>> like to provide feedback on your case you may contact my manager at 
>> nkang at Microsoft dot com
>> 
>> -----Original Message-----
>> From: "Tarun Chopra" Chopra at microsoft.com>
>> Sent: Thursday, November 13, 2014 11:48 AM
>> To: "scabrero at zentyal.com" <scabrero at zentyal.com>
>> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve 
>> Case Email" <casemail at microsoft.com>; "Obaid Farooqi" <
>> obaidf at microsoft.com>
>> 
>> Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>> 
>> Hello Samuel - I've transferred the ownership of this case to Obaid, 
>> in Cc. He will research and get back.
>> 
>> -----Original Message-----
>> From: Tarun Chopra
>> Sent: Wednesday, November 12, 2014 1:57 PM
>> To: scabrero at zentyal.com
>> Cc: cifs-protocol at samba.org; MSSolve Case Email
>> Subject: RE: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>> 
>> Hello Samuel -
>> 
>> I'm researching this for you and will update you as I make progress.
>> 
>> Thanks
>> Tarun Chopra.
>> 
>> -----Original Message-----
>> From: Bryan Burgin
>> Sent: Wednesday, November 12, 2014 9:33 AM
>> To: scabrero at zentyal.com
>> Cc: cifs-protocol at samba.org; MSSolve Case Email
>> Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>> 
>> [dochelp to bcc]
>> [+casemail]
>> 
>> Samuel,
>> 
>> Thank you for your question.  We created SR 114111212024814 to track 
>> this issue.  An engineer from the Protocols team will contact you 
>> soon.
>> 
>> Bryan
>> 
>> 
>> 
>> -----Original Message-----
>> From: Samuel Cabrero [mailto:scabrero at zentyal.com]
>> Sent: Wednesday, November 12, 2014 3:45 AM
>> To: Interoperability Documentation Help
>> Cc: cifs-protocol at samba.org
>> Subject: [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
>> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
>> 
>> Dear dochelp team,
>> 
>> I am working on LDAP_MATCHING_RULE_TRANSITIVE_EVAL match rule 
>> implementation on samba and I have found that my tests fail against 
>> Windows Server 2008 R2 when the attribute value to match specified 
>> in the search filter has Object(DN-Binary) syntax, for example:
>> 
>> Search scope: Base
>> Search base DN: Domain base DN
>> 
>> This filter returns one entry:
>> wellKnownObjects=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
>> 
>> This filter does not return any entry:
>> wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
>> 
>> According to [MS-ADTS] Section 3.1.1.3.4.4.3 I understand that the
>> Object(DN-Binary) syntax should be handled in the match rule 
>> implementation. Should this search return the same entry as the 
>> one returned without the extended match?
>> 
>> Best Regards,
>> 
>> --
>> Samuel Cabrero - Developer
>> scabrero at zentyal.com
>> 
>> Zentyal - Active Exchange
>> www.zentyal.com
> -- 
> Samuel Cabrero - Developer
> scabrero at zentyal.com
> 
> Zentyal - Active Exchange
> www.zentyal.com
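
The evaluation discussed in this thread, as an added example that is not part of the original messages and is not Samba or Windows code: a simplified in-memory model of the transitive match that strips the object_DN from both the filter value (V') and the visited entry's values (C), and returns no match for an attribute that is not linked. The directory contents, the base DN `DC=example,DC=com`, the function names and the attribute `exampleLinkedDnBinary` are constructed or hypothetical.

```python
import re

def norm(dn):
    """Case-insensitive comparison key for a DN or attribute value."""
    return dn.strip().lower()

def object_dn(value):
    """Return the object_DN part of "B:<n>:<hex>:<DN>" / "S:<n>:<str>:<DN>";
    a plain DN is returned unchanged."""
    m = re.match(r"^[BS]:(\d+):", value)
    if not m:
        return value
    end = m.end() + int(m.group(1))
    return value[end + 1:] if value[end:end + 1] == ":" else value

def equality_match(directory, entry_dn, attr, value):
    """Plain equality filter: the whole value (binary part included) is compared."""
    values = directory.get(norm(entry_dn), {}).get(attr, [])
    return norm(value) in {norm(v) for v in values}

def transitive_match(directory, linked_attrs, entry_dn, attr, value):
    """Model of attr:1.2.840.113556.1.4.1941:=value evaluated on entry_dn."""
    if attr not in linked_attrs:          # no linkID: the rule does not apply
        return False
    target = norm(object_dn(value))       # V' = object_DN portion of V
    to_visit, seen = [norm(entry_dn)], set()
    while to_visit:
        dn = to_visit.pop()
        if dn in seen:                    # guard against link cycles
            continue
        seen.add(dn)
        # C = object_DN components of the values of ToVisit.A
        c = {norm(object_dn(v)) for v in directory.get(dn, {}).get(attr, [])}
        if target in c:
            return True
        to_visit.extend(c - seen)         # follow the links transitively
    return False

# Constructed sample data (not taken from a real domain).
BASE = "DC=example,DC=com"
WKO = "B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers," + BASE
DIRECTORY = {norm(k): v for k, v in {
    BASE: {"wellKnownObjects": [WKO]},
    "CN=G1," + BASE: {"member": ["CN=G2," + BASE],
                      "exampleLinkedDnBinary": ["B:4:00ff:CN=G2," + BASE]},
    "CN=G2," + BASE: {"member": ["CN=alice," + BASE],
                      "exampleLinkedDnBinary": ["B:4:00ff:CN=alice," + BASE]},
}.items()}
LINKED = {"member", "exampleLinkedDnBinary"}   # wellKnownObjects is absent: not linked
```
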
