structuralObjectClass multi-valued in W2K8

Andrew Bartlett abartlet at
Mon Apr 20 15:30:40 GMT 2009

On Sat, 2009-04-18 at 17:36 +0200, Michael Ströder wrote:
> Hi!
> Looking at a user entry in MS AD on W2K8 there's a bug with attribute
> 'structuralObjectClass'. It lists all (structural) object classes
> whereas other LDAPv3 compliant servers only list *the* structural object
> class of an entry. Normally 'structuralObjectClass' is SINGLE-VALUE.
> Example MS AD W2K8:
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> structuralObjectClass: top
> structuralObjectClass: person
> structuralObjectClass: organizationalPerson
> structuralObjectClass: user
> Example OpenLDAP:
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: msPerson
> objectClass: posixAccount
> objectClass: simpleSecurityObject
> structuralObjectClass: inetOrgPerson
> Why care about this? A really schema-aware client (e.g. my web2ldap)
> might look at the attribute structuralObjectClass while determining the
> governing structural rule of an entry (in case DIT structure rules are
> in effect).
> Now the question is whether Samba4 wants to mimic this bug or whether
> it would be worth trying to convince the MS developers to fix it.
> There are other schema bugs like 'objectClass' being declared as
> NO-USER-MODIFICATION while MS AD happily accepts modifications...

Samba4 will implement the same 'bugs' as AD in all these cases.  

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
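
An added example, not part of either message and not code from web2ldap or Samba: one way a schema-aware client could accept both behaviours shown in the thread, by selecting the most-derived class listed in structuralObjectClass. The `SUPERIOR` map is a constructed schema subset and the function names are hypothetical.

```python
# Constructed schema subset (lower-cased class name -> superior class).
# A real client would build this from the server's subschema subentry.
SUPERIOR = {
    "top": None,
    "person": "top",
    "organizationalperson": "person",
    "user": "organizationalperson",
    "inetorgperson": "organizationalperson",
}

# Sample entries taken from the two listings quoted in the thread.
AD_ENTRY = {"structuralObjectClass":
            ["top", "person", "organizationalPerson", "user"]}
OPENLDAP_ENTRY = {"structuralObjectClass": ["inetOrgPerson"]}


def ancestors(name):
    """Return the superior classes of a lower-cased class name, nearest first."""
    chain = []
    sup = SUPERIOR[name]
    while sup is not None:
        chain.append(sup)
        sup = SUPERIOR[sup]
    return chain


def governing_structural_class(entry):
    """Return the one most-derived class named in structuralObjectClass.

    Works for a single value (OpenLDAP listing) and for a full inheritance
    chain (AD listing). Raises ValueError when the attribute is missing,
    names an unknown class, or its values do not form one chain.
    """
    raw = entry.get("structuralObjectClass", [])
    if not raw:
        raise ValueError("entry has no structuralObjectClass")
    by_lower = {v.lower(): v for v in raw}  # attribute values are case-insensitive
    unknown = [v for k, v in by_lower.items() if k not in SUPERIOR]
    if unknown:
        raise ValueError("classes not in schema: %s" % ", ".join(unknown))
    # The most-derived class is the one with the longest superior chain.
    leaf = max(by_lower, key=lambda k: len(ancestors(k)))
    stray = set(by_lower) - set(ancestors(leaf)) - {leaf}
    if stray:
        # Two unrelated structural classes: refuse to guess which one governs.
        raise ValueError("values do not form a single inheritance chain")
    return by_lower[leaf]
```

Failing closed on an ambiguous or unknown value keeps the client from applying DIT structure rules for the wrong class.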
