Hi Bryan,
On 24/02/2011 01:21, Bryan Burgin wrote:
Regarding this issue "what is exactly 'the filtered attribute set'?", I'm going
to go ahead and close this incident since I didn't hear back. However, if there are
lingering questions please let me know.
As for your question re DIRSYNC DirSyncControlValue size byte count v attribute
count and upper/lower limits (the second of your three DIRSYNC questions), I
found some information (and provided you that information separately). I filed
a request with the product group with my observations to get their
clarification. I'll send you more information when I get it.
Ok thanks.
Regarding your third issue "server behavior with dirsync control when the search
base is not a root of a nc"/receive LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHT
when LDAP_DIRSYNC_OBJECT_SECURITY not set and LDAP error 53 LDAP_UNWILLING_TO_PERFORM
when set: I'll send you separate mail.
Ok.
So I should expect news on this soon.
Thanks for your help.
Matthieu.
Bryan
-----Original Message-----
From: Bryan Burgin
Sent: Friday, February 18, 2011 1:40 PM
To: '[email protected]'; '[email protected]'; '[email protected]'
Cc: MSSolve Case Email
Subject: RE: [REG:111020102754615] behavior of windows with/without the
DS-Replication-Get-Changes-In-Filtered-Set right
Sorry for the delay in this. Re "what is exactly 'the filtered attribute set'"? The term "filtered
attribute set" is mentioned several times in [MS-ADTS] and is discussed at [MS-ADA3] 2.233 "Attribute
searchFlags" as fRODCFilteredAttribute and [MS-ADTS] 2.2.9 "Search Flags" RO (fRODCFilteredAttribute,
0x00000200): Specifies that the attribute is a member of the filtered attribute set.
Bryan
-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Monday, January 31, 2011 2:35 PM
To: [email protected]; Interoperability Documentation Help;
[email protected]
Subject: behavior of windows with/without the
DS-Replication-Get-Changes-In-Filtered-Set right
Dear doc team,
This page,
http://msdn.microsoft.com/en-us/library/cc223347%28v=prot.10%29.aspx, says:
"If the flag is not specified, the server MUST do the following:
....
If the server is running Windows Server(r) 2008 operating system or Windows
Server(r) 2008 R2 operating system and the client has requested any attributes
in the filtered attribute set, the server checks that the client has the
DS-Replication-Get-Changes-In-Filtered-Set control access right (section
7.1.1.2.7.71
<http://msdn.microsoft.com/en-us/library/cc223657%28v=prot.10%29.aspx>)
or else returns the /insufficientAccessRights/ error to the client."
The flag that we are talking about is LDAP_SERVER_DIRSYNC_OID.
I either have some problems understanding the meaning of "requested any attributes
in the filtered attribute set" or I have problems requesting them or something else,
as I'm unable to test this particular case.
In w2k8r2 I created a user and granted him DS-Replication-Get-Changes, but not
DS-Replication-Get-Changes-In-Filtered-Set, so I'm expecting that when I add the filter
"(samaccountname=ad*)" in the LDAP request, the system will reject my request, but
it's not, so I'm wondering what is exactly "the filtered attribute set"? Can you clarify
this point?
Regards.
Matthieu Patou.
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
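
The rule quoted in this thread, modelled as an added example (not code from the thread, from Samba or from Microsoft): membership in the filtered attribute set is read from the RO bit (fRODCFilteredAttribute, 0x00000200) of each attribute's searchFlags, and the check is applied to the attributes the client requested. The schema values, the two "example..." attribute names and the function names are constructed for illustration.

```python
# RO bit of searchFlags as cited in the thread ([MS-ADTS] "Search Flags").
F_RODC_FILTERED_ATTRIBUTE = 0x00000200
FILTERED_SET_RIGHT = "DS-Replication-Get-Changes-In-Filtered-Set"

# Constructed sample: lDAPDisplayName -> searchFlags. Not real schema data.
SAMPLE_SCHEMA = {
    "sAMAccountName": 0x0000000D,     # constructed value, RO bit clear
    "description": 0x00000000,
    "exampleSecretAttr": 0x00000280,  # hypothetical attribute, RO bit set
    "exampleBadgeId": 0x00000201,     # hypothetical attribute, RO bit set
}


def filtered_attribute_set(schema):
    """Return lower-cased names of attributes whose searchFlags has RO set."""
    return {
        name.lower()
        for name, flags in schema.items()
        if int(flags) & F_RODC_FILTERED_ATTRIBUTE
    }


def filtered_set_check(requested_attrs, granted_rights, schema):
    """Model only the quoted check: explicitly requested attributes that are
    in the filtered attribute set require the In-Filtered-Set right.

    Returns (result, offending) where result is "insufficientAccessRights"
    or "continue". How a wildcard or empty attribute list counts as
    "requested" is not stated in the quoted text, so only explicit names
    are evaluated here.
    """
    fas = filtered_attribute_set(schema)
    # LDAP attribute names are case-insensitive; drop options such as ";binary".
    names = [a.split(";", 1)[0].lower() for a in requested_attrs]
    offending = sorted({n for n in names if n in fas})
    if offending and FILTERED_SET_RIGHT not in granted_rights:
        return "insufficientAccessRights", offending
    return "continue", []


if __name__ == "__main__":
    rights = {"DS-Replication-Get-Changes"}  # the grant described in the thread
    print(filtered_set_check(["sAMAccountName"], rights, SAMPLE_SCHEMA))
    print(filtered_set_check(["exampleSecretAttr"], rights, SAMPLE_SCHEMA))
```
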