On Mon, 2008-07-14 at 13:43 -0700, Bill Wesse wrote:
> Good afternoon Andrew. I have included a modified response, containing
> the sections in [MS-ADA3] and [MS-ADTS] covering the objectCategory
> and objectSID attributes (I omitted the objectGUID notes, since there
> are no special semantics for this).

We already determined that there are - the string form. Please review
this discussion.

> The decision has been made to not change the document by adding
> additional cross references, in order to keep the inter-document
> maintenance complexity in check. Please let me know if this
> answers your question satisfactorily; if so, I will consider your
> question resolved.

Unless you can fix whatever problems you have created that prevent
decent cross-referencing, then this behaviour needs to be described in
the schema document, not in the massive MS-ADTS. Indeed it might be the
preferable location, with a table at the front to call out the unusual
behaviours. The schema is the logical place to describe per-attribute
behaviours.

> ==============================================================================================================
> objectCategory
>
> [MS-ADTS]
> 3.1.1.3.1.3.4 Searches Using the objectCategory Attribute
> When an LDAP search filter F contains a clause C of the form
> "(objectCategory=V)", if V is not a DN but there exists an object O
> such that O!objectClass = classSchema and O!lDAPDisplayName = V, then
> the server treats the search filter as if clause C was replaced in F
> with the clause "(objectCategory=V')", where V' is O!
> defaultObjectCategory.
>
> [MS-ADA3]
> 2.38 Attribute objectCategory
> This attribute specifies an object class name that is
> used to group objects of this or derived classes. Every object in
> Active Directory has this attribute. See [MS-ADTS] for more
> information about how Active Directory uses this attribute.

This cross-reference is useless to the implementor. It should at least
indicate that the cross-reference target is more than some note on read
values, but includes a highly unusual matching rule.

This attribute specifies an object class name that is used to group
objects of this or derived classes. Every object in Active Directory has
this attribute. See [MS-ADTS] section x.x.x.x for information on the
extended matching rules (DN and short values permitted) in searches for
this attribute.

> ==============================================================================================================
> objectSID
>
> The alternative form for attributes of syntax type String(SID),
> including objectSID, is documented in [MS-ADTS] as shown below:
>
> [MS-ADTS]
> 3.1.1.3.1.2.5 Alternative Form of SIDs
> Attributes of String(SID) syntax contain a SID in binary form.
> However, a client may instead specify a value for such an attribute as
> a UTF-8 string that is a valid SDDL SID string beginning with
> "S-" (see [MS-DTYP] sections 2.4.2 and 2.5.1). The server will convert
> such a string to the binary form of the SID and use that binary form
> as the value of the attribute.
>
> [MS-ADA3]
> 2.44 Attribute objectSid
> This attribute specifies a binary value that specifies the security
> identifier (SID) of the user. The SID is a unique value used to
> identify the user as a security principal. For more information on the
> SID data type, refer to [MS-DTYP] section 2.4.2. SID usage is also
> discussed in [MS-ADTS], in particular in section 3.1.1.1.3.

Again, you need to indicate that more than the ordinary is included in
the cross-reference.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
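The two server-side behaviours quoted in this message (the objectCategory short-name rewrite from [MS-ADTS] 3.1.1.3.1.3.4 and the SDDL-string-to-binary conversion for String(SID) attributes from [MS-ADTS] 3.1.1.3.1.2.5) are modelled below as an added worked example. This is not code from the thread, from Samba, or from the Microsoft documents. It assumes a constructed schema excerpt with placeholder defaultObjectCategory DNs, a simplified "looks like a DN" test instead of full RFC 4514 parsing, no handling of LDAP filter escapes, and the decimal spelling of the SID identifier authority only; the binary SID layout follows [MS-DTYP] 2.4.2.

```python
import re
import struct

# Constructed schema excerpt, keyed by lDAPDisplayName (lowercased, since the
# name comparison is case-insensitive). The DNs are placeholders for
# illustration, not values taken from any real forest.
SCHEMA_DEFAULT_OBJECT_CATEGORY = {
    "user": "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",
    "computer": "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com",
    "group": "CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com",
}

_OBJCAT_CLAUSE = re.compile(r"\((objectCategory)=([^()]+)\)", re.IGNORECASE)


def is_dn(value: str) -> bool:
    """Cheap 'looks like a DN' test: an attribute type followed by '='.
    Real DN parsing (RFC 4514) is more involved; this is enough for the demo."""
    return re.match(r"^[A-Za-z][A-Za-z0-9-]*=", value.strip()) is not None


def rewrite_object_category(filter_str, schema=SCHEMA_DEFAULT_OBJECT_CATEGORY):
    """Model of [MS-ADTS] 3.1.1.3.1.3.4: each clause (objectCategory=V) whose V
    is not a DN but is the lDAPDisplayName of a classSchema object becomes
    (objectCategory=<that class's defaultObjectCategory>). A DN value, or a
    name that is not a class, is left unchanged (an unknown name then simply
    matches nothing, since the DN-syntax comparison fails)."""
    def replace(m):
        attr, value = m.group(1), m.group(2)
        if is_dn(value):
            return m.group(0)
        dn = schema.get(value.strip().lower())
        return m.group(0) if dn is None else "(%s=%s)" % (attr, dn)
    return _OBJCAT_CLAUSE.sub(replace, filter_str)


# --- String(SID): SDDL text form <-> binary form ([MS-DTYP] 2.4.2) ----------
# Binary layout: Revision (1 byte, always 1), SubAuthorityCount (1 byte, at
# most 15), IdentifierAuthority (6 bytes, big-endian), SubAuthority[] (4 bytes
# each, little-endian). Only the decimal authority spelling is accepted here;
# the hex form SDDL allows for authorities >= 2**32 is left out for brevity.
_SDDL_SID = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")


def sddl_sid_to_binary(sid: str) -> bytes:
    m = _SDDL_SID.match(sid)
    if m is None:
        raise ValueError("not an SDDL SID string: %r" % (sid,))
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-") if x]
    if authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID component out of range: %r" % (sid,))
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def binary_sid_to_sddl(blob: bytes) -> str:
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def normalize_string_sid_value(value) -> bytes:
    """What the server does with a value supplied for a String(SID) attribute
    such as objectSid: a UTF-8 string beginning with "S-" is converted to the
    binary form ([MS-ADTS] 3.1.1.3.1.2.5); any other bytes are taken as an
    already-binary SID and merely validated."""
    if isinstance(value, bytes) and not value.startswith(b"S-"):
        binary_sid_to_sddl(value)  # raises ValueError on a malformed blob
        return value
    text = value.decode("utf-8") if isinstance(value, bytes) else value
    return sddl_sid_to_binary(text)


if __name__ == "__main__":
    print(rewrite_object_category("(&(objectCategory=user)(sAMAccountName=bob))"))
    print(sddl_sid_to_binary("S-1-5-21-1-2-3-1000").hex())
```

The point for an implementor is that both conversions happen on the server before matching: a filter written with `(objectCategory=user)` is compared against stored DN values, and a string `S-1-...` sent for objectSid is stored and compared as the 28-byte-style binary blob, which is exactly the kind of behaviour a reader of [MS-ADA3] alone would not expect.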
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
