[cifs-protocol] [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification

Samuel Cabrero scabrero at zentyal.com
Tue Nov 25 09:29:06 MST 2014


Hi Obaid,

You are right, but my interpretation of the documentation is that the 
attribute values in the entry being visited also have to be stripped 
before comparison, not only the value specified in the filter.


In the EvalTransitiveFilterHelper pseudo code:

"If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or 
Object(Access-Point) syntax, let C be the set of the object_DN 
components of the values of ToVisit.A. Otherwise, let
C be the set of the values of ToVisit.A. Note that C is a set of DNs."

"If V' is in C, return true."

Doesn't it mean the attribute values in the entry being visited also 
have to be stripped before checking if V' is in the C set?

Regards,

On dom, 2014-11-23 at 18:51 +0000, Obaid Farooqi wrote:
> Hi Samuel:
> My previous email has an inadvertent mistake. Please disregard 
> that. Here is the corrected response.
> 
> In the filter
> wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
> 
> As per documentation, the following rule applies:
> If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or 
> Object(Access-Point) syntax, let V' equal the object_DN portion of V
> 
> So V' becomes CN=computers,<base DN> and the filter becomes:
> wellKnownObjects:1.2.840.113556.1.4.1941:=CN=computers,<base DN>
> 
> Since there is no object that has the value of wellKnownObjects 
> attribute as CN=computers,<base DN>, therefore no object is returned.
> 
> Please let me know if it does not answer your question.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> Exceeding your expectations is my highest priority.  If you would 
> like to provide feedback on your case you may contact my manager at 
> nkang at Microsoft dot com
> 
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Sunday, November 23, 2014 12:45 PM
> To: 'scabrero at zentyal.com'
> Cc: 'cifs-protocol at samba.org'; MSSolve Case Email
> Subject: RE: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> 
> Hi Samuel:
> In the filter
> wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
> 
> As per documentation, the following rule applies:
> If A is of Object(DN-String), Object(DN-Binary), Object(OR-Name), or 
> Object(Access-Point) syntax, let V' equal the object_DN portion of V
> 
> So V' becomes CN=computers,<base DN> and the filter becomes:
> wellKnownObjects:1.2.840.113556.1.4.1941:=CN=computers,<base DN>
> 
> Since the object CN=computers,<base DN> does not have any attribute 
> wellKnownObjects, therefore no object is returned.
> 
> Please let me know if it does not answer your question.
> 
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> Exceeding your expectations is my highest priority.  If you would 
> like to provide feedback on your case you may contact my manager at 
> nkang at Microsoft dot com
> 
> -----Original Message-----
> From: "Obaid Farooqi" <obaidf at microsoft.com>
> Sent: Thursday, November 20, 2014 9:53 AM
> To: "scabrero at zentyal.com" <scabrero at zentyal.com>
> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve 
> Case Email" <casemail at microsoft.com>
> Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> 
> Hi Samuel:
> I am still looking into it and I'll be in touch as soon as I have an 
> answer.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> Exceeding your expectations is my highest priority.  If you would 
> like to provide feedback on your case you may contact my manager at 
> nkang at Microsoft dot com
> 
> -----Original Message-----
> From: "Tarun Chopra" Chopra at microsoft.com>
> Sent: Thursday, November 13, 2014 11:48 AM
> To: "scabrero at zentyal.com" <scabrero at zentyal.com>
> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve 
> Case Email" <casemail at microsoft.com>; "Obaid Farooqi" <obaidf at microsoft.com>
> 
> Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> 
> Hello Samuel - I've transferred the ownership of this case to Obaid, 
> in Cc. He will research and get back.
> 
> -----Original Message-----
> From: Tarun Chopra
> Sent: Wednesday, November 12, 2014 1:57 PM
> To: scabrero at zentyal.com
> Cc: cifs-protocol at samba.org; MSSolve Case Email
> Subject: RE: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> 
> Hello Samuel -
> 
> I'm researching this for you and will update you as I make progress.
> 
> Thanks
> Tarun Chopra.
> 
> -----Original Message-----
> From: Bryan Burgin
> Sent: Wednesday, November 12, 2014 9:33 AM
> To: scabrero at zentyal.com
> Cc: cifs-protocol at samba.org; MSSolve Case Email
> Subject: [REG:114111212024814] [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> 
> [dochelp to bcc]
> [+casemail]
> 
> Samuel,
> 
> Thank you for your question.  We created SR 114111212024814 to track 
> this issue.  An engineer from the Protocols team will contact you 
> soon.
> 
> Bryan
> 
> 
> 
> -----Original Message-----
> From: Samuel Cabrero [mailto:scabrero at zentyal.com]
> Sent: Wednesday, November 12, 2014 3:45 AM
> To: Interoperability Documentation Help
> Cc: cifs-protocol at samba.org
> Subject: [samba4][MS-ADTS] 3.1.1.3.4.4.3 - 
> LDAP_MATCHING_RULE_TRANSITIVE_EVAL clarification
> 
> Dear dochelp team,
> 
> I am working on LDAP_MATCHING_RULE_TRANSITIVE_EVAL match rule 
> implementation on samba and I have found that my tests fail against 
> Windows Server 2008 R2 when the attribute value to match specified 
> in the search filter has Object(DN-Binary) syntax, for example:
> 
> Search scope: Base
> Search base DN: Domain base DN
> 
> This filter returns one entry:
> wellKnownObjects=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
> 
> This filter does not return any entry:
> wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,<base DN>
> 
> According to [MS-ADTS] Section 3.1.1.3.4.4.3 I understand that the
> Object(DN-Binary) syntax should be handled in the match rule 
> implementation. Should this search return the same entry as the 
> one returned without the extended match?
> 
> Best Regards,
> 
> --
> Samuel Cabrero - Developer
> scabrero at zentyal.com
> 
> Zentyal - Active Exchange
> www.zentyal.com
> 
> 
> 
> 
-- 
Samuel Cabrero - Developer
scabrero at zentyal.com

Zentyal - Active Exchange
www.zentyal.com
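
The two readings discussed in this thread, as an added sketch that is not code from Samba, Microsoft, or any poster: `strip_entry_values=True` reduces the visited entry's values to their object_DN before testing "V' is in C", while `False` compares V' against the raw DN-Binary values, so nothing matches. Assumptions: the `DC=example,DC=com` directory is constructed, DNs are compared by plain lowercasing, and the traversal loop (following the values of ToVisit.A) is a simplification, since the thread quotes only the V' and C steps.

```python
# Added illustration. Sample directory and base DN are constructed.
BASE = "DC=example,DC=com"
GUID = "aa312825768811d1aded00c04fd8d5cd"  # hex string from the thread's filter
DN_BINARY_ATTRS = {"wellknownobjects"}     # assumption: Object(DN-Binary) attrs

def object_dn(value):
    """Return the object_DN part of 'B:<char_count>:<hex>:<object_DN>'."""
    tag, count, rest = value.split(":", 2)
    n = int(count)
    if tag != "B" or rest[n:n + 1] != ":":
        raise ValueError(f"not a DN-Binary value: {value!r}")
    return rest[n + 1:]

def norm(dn):
    # Simplification: real DN comparison is attribute-aware, not plain lowercasing.
    return dn.strip().lower()

def transitive_match(directory, start_dn, attr, v, strip_entry_values=True):
    """Walk attr references from start_dn; True if V' is found in some C."""
    is_dn_binary = attr.lower() in DN_BINARY_ATTRS
    v_prime = norm(object_dn(v) if is_dn_binary else v)
    visited, to_visit = set(), [norm(start_dn)]
    while to_visit:
        current = to_visit.pop()
        if current in visited:
            continue  # guard against reference cycles
        visited.add(current)
        values = directory.get(current, {}).get(attr, [])
        if is_dn_binary and strip_entry_values:
            c = {norm(object_dn(x)) for x in values}   # C holds plain DNs
        else:
            c = {norm(x) for x in values}              # C holds raw values
        if v_prime in c:
            return True
        to_visit.extend(dn for dn in c if dn in directory)
    return False

DIRECTORY = {  # constructed sample entries, keyed by normalized DN
    norm(BASE): {"wellKnownObjects": [f"B:32:{GUID}:CN=Computers,{BASE}"]},
    norm(f"CN=Computers,{BASE}"): {},
    norm(f"CN=Outer,{BASE}"): {"member": [f"CN=Inner,{BASE}"]},
    norm(f"CN=Inner,{BASE}"): {"member": [f"CN=User1,{BASE}"]},
}
FILTER_V = f"B:32:{GUID}:CN=computers,{BASE}"

if __name__ == "__main__":
    for strip in (True, False):
        print(strip, transitive_match(DIRECTORY, BASE, "wellKnownObjects", FILTER_V, strip))
```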