Hi Matthias:
In the case of a SAM object, the description attribute is mapped to the AdminComment field.
This is documented in MS-SAMR. Type of AdminComment is RPC_UNICODE_STRING. One
example is as follows:
typedef struct _SAMPR_DOMAIN_DISPLAY_USER {
    unsigned long Index;
    unsigned long Rid;
    unsigned long AccountControl;
    RPC_UNICODE_STRING AccountName;
    RPC_UNICODE_STRING AdminComment;
    RPC_UNICODE_STRING FullName;
} SAMPR_DOMAIN_DISPLAY_USER,
  *PSAMPR_DOMAIN_DISPLAY_USER;
So on SAM objects, the description attribute should be treated as single-valued to
be consistent.
Allowing more than one value to be added into the description attribute on a SAM
object through an add operation is an unintended behavior. This behavior has existed
since the Windows 2000 Server release. There is no plan to change this
behavior, for backward compatibility reasons.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
-----Original Message-----
From: Matthias Dieter Wallnöfer [mailto:[email protected]]
Sent: Friday, November 12, 2010 11:12 AM
To: Obaid Farooqi
Cc: [email protected]; MSSolve Case Email
Subject: RE:[REG:110102774074009] "description" attribute in AD
Thanks Obaid,
that's fine.
The remaining question is only about the reason: *why* does it make sense to
let it be set multi-valued on add operations and modifications afterwards are
only allowed single-valued? It would be nice if you could enhance MS-ADTS in
the sense "the description attribute behaves like ..., since ..." - I don't
know - for example "a certain trigger/RPC server requires this".
I would be glad to understand why this is so. Since for sure it wasn't
implemented just for fun.
Regards,
Matthias Wallnöfer
Obaid Farooqi wrote:
> Hi Matthias:
>
> Attribute Description is described as multivalued in MS-ADA1 and as such
> allows addition of multiple values. There is a constraint on the modify
> operation as I communicated earlier.
>
> Please let me know if this answers your question. If it does, I'll consider
> this issue resolved.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Matthias Dieter Wallnöfer [mailto:[email protected]]
> Sent: Thursday, November 11, 2010 2:00 AM
> To: Obaid Farooqi
> Cc: [email protected]; MSSolve Case Email
> Subject: Re: [REG:110102774074009] "description" attribute in AD
>
> Hi Obaid,
>
> exactly, that's true.
> But why does the add operation allow it to be set multi-valued? Is there a
> reason? Or it's just a bug?
>
> Greets,
> Matthias
>
> Obaid Farooqi wrote:
>
>> Hi Matthias:
>> We have finished our investigation on your question regarding attribute
>> description. In a future release of MS-ADTS, the following bullet will be
>> added at the end of section 3.1.1.5.3.2 Constraints:
>>
>> “If the modify operation adds or replaces values of the description
>> attribute on a SAM-specific object (section 3.1.1.5.2.3), and results in
>> more than one value in the attribute, then the modification fails with
>> attributeOrValueExists / ERROR_DS_SINGLE_VALUE_CONSTRAINT”
>>
>> Please let me know if this answers your question. If it does, I’ll consider
>> this issue resolved.
>>
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>>
>> -----Original Message-----
>> From: Matthias Dieter Wallnöfer [mailto:[email protected]]
>> Sent: Wednesday, October 27, 2010 3:11 PM
>> To: Interoperability Documentation Help
>> Cc: [email protected]
>> Subject: "description" attribute in AD
>>
>> Hi dochelp team,
>>
>> the "description" attribute in AD seems very special. Although defined as
>> multi-valued in the schema it's de facto single-valued.
>>
>> That means:
>> - on LDAP entry add operations you are able to set it multi-valued
>> - on LDAP entry change operations you aren't - e.g. if you try to replace it
>> multi-valued or perform a multi-valued add you get
>> ERR_ATTRIBUTE_ALREADY_EXISTS.
>>
>> As far as I know I didn't find much in the docs about this strange behaviour
>> and as far as I can tell it only applies to "description". It would be nice
>> to enhance MS-ADTS regarding it and to start some investigation if it
>> wouldn't be better to really define it as single-valued in the schema.
>>
>> Greets,
>> Matthias
>>
>
>
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
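The add/modify asymmetry discussed in this thread, modelled as an added example; it is not code from the thread, from Samba or from Microsoft. The names `ldap_add` and `ldap_modify`, the `is_sam_object` flag, leaving non-SAM objects unconstrained, and checking the value count after each add/replace modification are assumptions of this model; duplicate-value and other schema checks are left out.

```python
# In-memory model of the "description" behaviour on SAM-specific objects.
ADD, DELETE, REPLACE = "add", "delete", "replace"
# Result named in the bullet proposed for MS-ADTS section 3.1.1.5.3.2
SINGLE_VALUE_ERR = "attributeOrValueExists / ERROR_DS_SINGLE_VALUE_CONSTRAINT"


class LdapError(Exception):
    """Raised when a modify request is rejected."""


def ldap_add(attrs, is_sam_object):
    """Add operation: several description values are accepted, even on a
    SAM object (the unintended but retained behaviour from the thread)."""
    # Assumption: the caller has already classified the object as SAM or not.
    return {"is_sam_object": is_sam_object,
            "attrs": {k.lower(): list(v) for k, v in attrs.items()}}


def ldap_modify(entry, mods):
    """Apply (op, attribute, values) tuples in order, all-or-nothing."""
    work = {k: list(v) for k, v in entry["attrs"].items()}
    for op, attr, values in mods:
        attr = attr.lower()          # attribute names are case-insensitive
        current = work.get(attr, [])
        if op == ADD:
            current = current + list(values)
        elif op == REPLACE:
            current = list(values)
        elif op == DELETE:
            # An empty value list deletes the whole attribute.
            current = [v for v in current if values and v not in values]
        else:
            raise ValueError("unknown modification type: %r" % (op,))
        # Constraint: add/replace of description on a SAM object must not
        # leave more than one value (model assumption: checked per mod).
        if (attr == "description" and entry["is_sam_object"]
                and op in (ADD, REPLACE) and len(current) > 1):
            raise LdapError(SINGLE_VALUE_ERR)
        work[attr] = current
    entry["attrs"] = work            # commit only if every mod passed
    return entry
```

A compatible server or a regression test needs to cover both paths: an entry created with two values is valid, yet any later add or multi-valued replace on it is rejected until the attribute is brought down to at most one value.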