structuralObjectClass multi-valued in W2K8

Michael Ströder michael at
Sat Apr 18 15:36:26 GMT 2009


Looking at a user entry in MS AD on W2K8 there's a bug with attribute
'structuralObjectClass'. It lists all (structural) object classes
whereas other LDAPv3 compliant servers only list *the* structural object
class of an entry. Normally 'structuralObjectClass' is SINGLE-VALUE.

Example MS AD W2K8:

objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
structuralObjectClass: top
structuralObjectClass: person
structuralObjectClass: organizationalPerson
structuralObjectClass: user

Example OpenLDAP:

objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: msPerson
objectClass: posixAccount
objectClass: simpleSecurityObject
structuralObjectClass: inetOrgPerson

Why care about this? A really schema-aware client (e.g. my web2ldap)
might look at the attribute structuralObjectClass while determining the
governing structural rule of an entry (in case DIT structure rules are
in effect).

Now the question is whether Samba4 wants to mimic this bug or whether
it would be worth trying to convince the MS developers to fix it.

There are other schema bugs like 'objectClass' being declared as
NO-USER-MODIFICATION while MS AD happily accepts modifications...

Ciao, Michael.

Michael Ströder
E-Mail: michael at
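
An added example, not part of the original post and not web2ldap's code: one way a schema-aware client could reduce a multi-valued 'structuralObjectClass', as in the MS AD entry above, to the single most-subordinate structural class. The mini-schema, the function names and the sample entry layout are assumptions made for this illustration.

```python
# Constructed mini-schema (assumption): class name -> (superior, kind).
# A real client would read this from the server's subschema subentry.
SCHEMA = {
    "top": (None, "ABSTRACT"),
    "person": ("top", "STRUCTURAL"),
    "organizationalPerson": ("person", "STRUCTURAL"),
    "user": ("organizationalPerson", "STRUCTURAL"),
    "inetOrgPerson": ("organizationalPerson", "STRUCTURAL"),
    "posixAccount": ("top", "AUXILIARY"),
}

def superiors(oc):
    """Return the superior classes of oc, nearest first, up to 'top'."""
    chain = []
    oc = SCHEMA[oc][0]
    while oc is not None:
        chain.append(oc)
        oc = SCHEMA[oc][0]
    return chain

def effective_structural_class(entry):
    """Return the one structural class that governs the entry.

    A single-valued structuralObjectClass is trusted as-is. If the server
    returns several values (or none), the class is derived from the
    candidates: the structural class that is not a superior of any other.
    """
    values = entry.get("structuralObjectClass", [])
    if len(values) == 1:
        return values[0]
    candidates = values or entry.get("objectClass", [])
    # Drop abstract, auxiliary and unknown classes.
    structural = [oc for oc in candidates
                  if SCHEMA.get(oc, (None, None))[1] == "STRUCTURAL"]
    leaves = [oc for oc in structural
              if not any(oc in superiors(other) for other in structural)]
    if len(leaves) != 1:
        raise ValueError("no unique structural class among %r" % candidates)
    return leaves[0]

# Sample entry built from the MS AD listing in the post above.
AD_ENTRY = {
    "objectClass": ["top", "posixAccount", "person",
                    "organizationalPerson", "user"],
    "structuralObjectClass": ["top", "person",
                              "organizationalPerson", "user"],
}
```

The ValueError case matters for a client applying DIT structure rules: two unrelated structural chains in one entry mean no governing rule can be chosen, and the client should report that rather than pick one.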
