[cifs-protocol] [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification

Samuel Cabrero scabrero at zentyal.com
Fri Dec 5 04:19:22 MST 2014


Hi Obaid,

thanks, that definitely answers my question.

Regards,

On Mon, 2014-12-01 at 17:11 +0000, Obaid Farooqi wrote:
> Hi Samuel:
> The attribute wellKnownObjects is not a linked attribute since there 
> is no linkID attribute defined on it in MS-ADA3 section "2.369 
> Attribute wellKnownObjects". The LDAP_MATCHING_RULE_TRANSITIVE_EVAL 
> is only good for link attributes, as mentioned in MS-ADTS.
> 
> Please let me know if it answers your question.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> Exceeding your expectations is my highest priority.  If you would 
> like to provide feedback on your case you may contact my manager at 
> nkang at Microsoft dot com
> 
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Tuesday, November 25, 2014 3:08 PM
> To: <scabrero at zentyal.com>
> Cc: cifs-protocol at samba.org; MSSolve Case Email
> Subject: Re: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> 
> Hi Samuel
> I'll look into this and get back to you as soon as I have an answer.
> 
> 
> 
> > On Nov 25, 2014, at 10:29 AM, Samuel Cabrero <scabrero at zentyal.com> wrote:
> > 
> > Hi Obaid,
> > 
> > you are right but my interpretation of the documentation is that the
> > attribute values in the entry being visited also have to be stripped
> > before comparison, not only the value specified in the filter.
> > 
> > 
> > In the EvalTransitiveFilterHelper pseudo code:
> > 
> > "If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or
> > Object(Access-Point) syntax, let C be the set of the object_DN
> > components of the values of ToVisit.A. Otherwise, let C be the set of
> > the values of ToVisit.A. Note that C is a set of DNs."
> > 
> > "If V' is in C, return true."
> > 
> > Doesn't it mean the attribute values in the entry being visited also
> > have to be stripped before checking if V' is in the C set?
> > 
> > Regards,
> > 
> > > On Sun, 2014-11-23 at 18:51 +0000, Obaid Farooqi wrote:
> > > Hi Samuel:
> > > My previous email had an inadvertent mistake. Please disregard
> > > that. Here is the corrected response.
> > > 
> > > In the filter
> > > wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
> > > 
> > > As per documentation, the following rule applies:
> > > If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or
> > > Object(Access-Point) syntax, let V' equal the object_DN portion of V
> > > 
> > > So V' becomes CN=computers,<base DN> and the filter becomes:
> > > wellKnownObjects:1.2.840.113556.1.4.1941:=CN=computers,<base DN>
> > > 
> > > Since there is no object that has the value of wellKnownObjects
> > > attribute as CN=computers,<base DN>, therefore no object is returned.
> > > 
> > > Please let me know if it does not answer your question.
> > > 
> > > Regards,
> > > Obaid Farooqi
> > > Escalation Engineer | Microsoft
> > > 
> > > -----Original Message-----
> > > From: Obaid Farooqi
> > > Sent: Sunday, November 23, 2014 12:45 PM
> > > To: 'scabrero at zentyal.com'
> > > Cc: 'cifs-protocol at samba.org'; MSSolve Case Email
> > > Subject: RE: [REG:114111212024814] [samba4][MS-ADTS] 
> > > 3.1.1.3.4.4.3 -
> > > LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> > > 
> > > Hi Samuel:
> > > In the filter
> > > wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
> > > 
> > > As per documentation, the following rule applies:
> > > If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or
> > > Object(Access-Point) syntax, let V' equal the object_DN portion of V
> > > 
> > > So V' becomes CN=computers,<base DN> and the filter becomes:
> > > wellKnownObjects:1.2.840.113556.1.4.1941:=CN=computers,<base DN>
> > > 
> > > Since the object CN=computers,<base DN> does not have any attribute
> > > wellKnownObjects, therefore no object is returned.
> > > 
> > > Please let me know if it does not answer your question.
> > > 
> > > 
> > > Regards,
> > > Obaid Farooqi
> > > Escalation Engineer | Microsoft
> > > 
> > > -----Original Message-----
> > > From: "Obaid Farooqi" <obaidf at microsoft.com>
> > > Sent: Thursday, November 20, 2014 9:53 AM
> > > To: "scabrero at zentyal.com" <scabrero at zentyal.com>
> > > Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve
> > > Case Email" <casemail at microsoft.com>
> > > Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
> > > LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> > > 
> > > Hi Samuel:
> > > I am still looking into it and I'll be in touch as soon as I have an
> > > answer.
> > > 
> > > Regards,
> > > Obaid Farooqi
> > > Escalation Engineer | Microsoft
> > > 
> > > -----Original Message-----
> > > From: "Tarun Chopra" Chopra at microsoft.com>
> > > Sent: Thursday, November 13, 2014 11:48 AM
> > > To: "scabrero at zentyal.com" <scabrero at zentyal.com>
> > > Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve
> > > Case Email" <casemail at microsoft.com>; "Obaid Farooqi" <
> > > obaidf at microsoft.com>
> > > 
> > > Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
> > > LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> > > 
> > > Hello Samuel - I've transferred the ownership of this case to Obaid,
> > > in Cc. He will research and get back.
> > > 
> > > -----Original Message-----
> > > From: Tarun Chopra
> > > Sent: Wednesday, November 12, 2014 1:57 PM
> > > To: scabrero at zentyal.com
> > > Cc: cifs-protocol at samba.org; MSSolve Case Email
> > > Subject: RE: [REG:114111212024814] [samba4][MS-ADTS] 
> > > 3.1.1.3.4.4.3 -
> > > LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> > > 
> > > Hello Samuel -
> > > 
> > > I'm researching this for you and will update you as I make progress.
> > > 
> > > Thanks
> > > Tarun Chopra.
> > > 
> > > -----Original Message-----
> > > From: Bryan Burgin
> > > Sent: Wednesday, November 12, 2014 9:33 AM
> > > To: scabrero at zentyal.com
> > > Cc: cifs-protocol at samba.org; MSSolve Case Email
> > > Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
> > > LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> > > 
> > > [dochelp to bcc]
> > > [+casemail]
> > > 
> > > Samuel,
> > > 
> > > Thank you for your question.  We created SR 114111212024814 to track
> > > this issue.  An engineer from the Protocols team will contact you soon.
> > > 
> > > Bryan
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Samuel Cabrero [mailto:scabrero at zentyal.com]
> > > Sent: Wednesday, November 12, 2014 3:45 AM
> > > To: Interoperability Documentation Help
> > > Cc: cifs-protocol at samba.org
> > > Subject: [samba4][MS-ADTS] 3.1.1.3.4.4.3 -
> > > LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> > > 
> > > Dear dochelp team,
> > > 
> > > I am working on LDAP_MATCHING_RULE_TRANSITIVE_EVAL match rule
> > > implementation on samba and I have found that my tests fail against
> > > Windows Server 2008 R2 when the attribute value to match specified
> > > in the search filter has Object(DN-Binary) syntax, for example:
> > > 
> > > Search scope: Base
> > > Search base DN: Domain base DN
> > > 
> > > This filter returns one entry:
> > > wellKnownObjects=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
> > > 
> > > This filter does not return any entry:
> > > wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
> > > 
> > > According to [MS-ADTS] Section 3.1.1.3.4.4.3 I understand that the
> > > Object(DN-Binary) syntax should be handled in the match rule
> > > implementation. Should this search return the same entry that the
> > > one returned without the extended match?
> > > 
> > > Best Regards,
> > > 
> > > --
> > > Samuel Cabrero - Developer
> > > scabrero at zentyal.com
> > > 
> > > Zentyal - Active Exchange
> > > www.zentyal.com


-- 
Samuel Cabrero - Developer
scabrero at zentyal.com

Zentyal - Active Exchange
www.zentyal.com
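
Added example (not part of the original thread, and not Samba or Windows code): a toy Python evaluator for the behaviour settled in this thread, reducing both the filter value and the visited values to their object_DN portion and applying the transitive rule to link attributes only. The directory contents, the DC=example,DC=com base DN, the LINKED set and the require_link switch are constructed assumptions of this example.

```python
import re

BASE = "DC=example,DC=com"  # constructed base DN, stands in for <base DN>
WKO = "B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers," + BASE
# Constructed toy directory: DN -> {attribute: [values]}
DIRECTORY = {
    BASE: {"wellKnownObjects": [WKO]},
    "CN=computers," + BASE: {},
    "CN=alice," + BASE: {"memberOf": ["CN=staff," + BASE]},
    "CN=staff," + BASE: {"memberOf": ["CN=all," + BASE]},
    "CN=all," + BASE: {},
}
# Attributes that carry a linkID in this toy schema (assumption of the example).
LINKED = {"member", "memberOf"}

def object_dn(value):
    """Strip a DN-Binary (B:n:hex:DN) or DN-String (S:n:str:DN) prefix."""
    m = re.match(r"[BS]:(\d+):", value)
    if not m:
        return value  # already a plain DN
    end = m.end() + int(m.group(1))  # payload is exactly n characters
    if value[end:end + 1] != ":":
        raise ValueError("malformed DN-Binary/DN-String value: %r" % value)
    return value[end + 1:]

def plain_match(entry, attr, value):
    """Ordinary equality filter: the whole value must match."""
    values = DIRECTORY.get(entry, {}).get(attr, [])
    return value.lower() in (v.lower() for v in values)

def transitive_match(entry, attr, value, require_link=True):
    """Walk attr from entry, comparing object_DN portions on both sides."""
    if require_link and attr not in LINKED:
        return False  # the rule applies to link attributes only
    target = object_dn(value).lower()
    seen, to_visit = set(), [entry]
    while to_visit:
        dn = to_visit.pop()
        if dn.lower() in seen:
            continue  # guards against cycles in the link graph
        seen.add(dn.lower())
        c = [object_dn(v) for v in DIRECTORY.get(dn, {}).get(attr, [])]
        if target in (x.lower() for x in c):
            return True
        to_visit.extend(c)
    return False
```

With require_link=False the wellKnownObjects filter matches, which is the reading the question was based on; with the link-attribute gate it returns nothing, as observed against Windows Server 2008 R2.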