I should be able to confirm the objectCategory semantics by sometime tomorrow; I have yet to find a consolidated list of attributes that allow for special semantics (it will take some time for me to derive this information; please note that I have queried product development concerning this topic).
Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: 980-776-8200
CELL: 704-661-5438
FAX: 704-665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2008 9:50 PM
To: Bill Wesse
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

On Tue, 2008-06-17 at 09:05 -0700, Bill Wesse wrote:
> Good day again! I have filed the below bug against the MS-ADA3 document. I
> apologize for my earlier incorrect answer (which stated that objectGUID and
> objectSID had no 'human-readable' string format available for use within ldap
> filters).
>
> It turns out that the AD specialist I consulted with was speaking with
> respect to LDAP generically, not the Microsoft implementation (which I was
> listening as pertaining to).
>
> Additionally, the list of special semantics for our implementation is
> specifically against objectSID and objectGUID; there is no schema attribute
> that specifies or allows for this.
>
> Using objectGUID to Bind to an Object
> http://msdn.microsoft.com/en-us/library/ms677985(VS.85).aspx
>
> ==============================================================================
> Question:
> In MS-ADA3 - 2.43 and 2.44 we see a description of the objectGUID and
> objectSID attributes. Helpful cross-references to MS-DTYP are included.
>
> However, no reference in either document is made to the ability of AD LDAP
> servers to accept string (rather than binary) forms of these attributes in
> searches.
>
> Is there a schema attribute that defines which attribute types allow these
> kinds of polymorphic searches, or is it a hard-coded list?
>
> ==============================================================================
> Proposed Answer:
>
> There are special hard-coded semantics on the Active Directory attribute
> 'objectGUID' and 'objectSID' attributes (which are both typed internally as
> OctetStrings).
>
> The following shows the human-readable string forms (string) understood by
> the Active Directory Services LDAP server for these attributes:
>
> Type: GUID
> string: 6d05e3c6-44db-406d-a43b-f4973724d20f
> rfc2254: \C6\E3\05\6D\DB\44\6D\40\A4\3B\F4\97\37\24\D2\0F
>
> Type: SID
> string: S-1-5-21-2484111802-3076910921-728100999-1142
> rfc2254:
> \01\05\00\00\00\00\00\05\15\00\00\00\BA\89\10\94\49\EF\65\B7\87\F0\65\2B\76\04\00\00

Good start!

Now, could you clarify how objectCategory fits into this? It also has an alternate string representation, allowing short forms and DN forms.

Now you see why I asked for the full list - I know of these 3, but what other horrors lie beneath? ;-)

Thanks,

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
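The mapping between the two forms quoted in the thread (string and rfc2254), as an added example that is not part of the original messages or of any Microsoft or Samba code. The function names are hypothetical, and the byte layout assumed is the GUID and SID packet representation from MS-DTYP, which the thread cross-references.

```python
import struct
import uuid


def rfc2254_escape(raw: bytes) -> str:
    """Render every byte as \\XX, the binary filter form quoted in the thread."""
    return "".join(f"\\{b:02X}" for b in raw)


def guid_filter_value(guid_str: str) -> str:
    # The GUID structure stores its first three fields little-endian,
    # which is what uuid.UUID.bytes_le produces.
    return rfc2254_escape(uuid.UUID(guid_str).bytes_le)


def sid_to_bytes(sid_str: str) -> bytes:
    """Pack an 'S-R-A-S1-...-Sn' string into the binary SID layout."""
    parts = sid_str.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid_str!r}")
    try:
        revision, authority, *subs = (int(p) for p in parts[1:])
    except ValueError:
        raise ValueError(f"non-numeric SID component: {sid_str!r}") from None
    if not 0 <= revision <= 0xFF or not 0 <= authority < 1 << 48:
        raise ValueError("revision or authority out of range")
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("too many sub-authorities or value out of range")
    # revision (1 byte), count (1 byte), authority (6 bytes big-endian),
    # then each sub-authority as a 32-bit little-endian integer.
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_filter_value(sid_str: str) -> str:
    return rfc2254_escape(sid_to_bytes(sid_str))


def ldap_filter(attribute: str, escaped_value: str) -> str:
    return f"({attribute}={escaped_value})"


if __name__ == "__main__":
    # Sample values are the ones quoted in the thread.
    print(ldap_filter("objectGUID", guid_filter_value("6d05e3c6-44db-406d-a43b-f4973724d20f")))
    print(ldap_filter("objectSid", sid_filter_value("S-1-5-21-2484111802-3076910921-728100999-1142")))
```

The escaped form is the one a generic LDAP server or client library will accept; the string form relies on the hard-coded Active Directory behaviour described in the proposed answer.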
