[cifs-protocol] [REG:111020102754615] behavior of windows with/without the DS-Replication-Get-Changes-In-Filtered-Set right

Fri, 18 Feb 2011 13:37:45 -0800 

Sorry for the delay in this.  Re "what is exactly 'the filtered attribute 
set'"?  The term "filtered attribute set" is mentioned several times in 
[MS-ADTS] and are discussed at [MS-ADA3] 2.233 "Attribute serachFlags" as 
fRODCFilteredAttribute and [MS-ADTS] 2.2.9 "Search Flags" RO 
(fRODCFilteredAttribute, 0x00000200): Specifies that the attribute is a member 
of the filtered attribute set.

Bryan



-----Original Message-----
From: Matthieu Patou [mailto:[email protected]] 
Sent: Monday, January 31, 2011 2:35 PM
To: [email protected]; Interoperability Documentation Help; 
[email protected]
Subject: behavior of windows with/without the 
DS-Replication-Get-Changes-In-Filtered-Set right

Dear doc team,

This page,
http://msdn.microsoft.com/en-us/library/cc223347%28v=prot.10%29.aspx, says:

"If the flag is not specified, the server MUST do the following:
....
If the server is running Windows Server(r) 2008 operating system or Windows 
Server(r) 2008 R2 operating system and the client has requested any attributes 
in the filtered attribute set, the server checks that the client has the 
DS-Replication-Get-Changes-In-Filtered-Set control access right (section 
7.1.1.2.7.71
<http://msdn.microsoft.com/en-us/library/cc223657%28v=prot.10%29.aspx>)
or else returns the /insufficientAccessRights/ error to the client."

The flag that we are talking about is LDAP_SERVER_DIRSYNC_OID.
I either have some problems to understand the meaning of "requested any 
attributes in the filtered attribute set" or I have problems requesting them or 
something else as I'm unable to test this particular case.

In w2k8r2 I created a user and granted him DS-Replication-Get-Changes, but not 
DS-Replication-Get-Changes-In-Filtered-Set so I'm expecting that when I add the 
filter "(samaccountname=ad*)", in the ldap request, that the system will reject 
my request but it's not so I'm wondering what is exactly "the filtered 
attribute set" ? Can you clarify this point ?

Regards.

Matthieu Patou.

--
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary



_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol

Reply via email to