Hi Tridge, I have researched your inquiry and engaged the product group on this topic. Please find the answer as follows. I first introduce some AD specifics, and then clarify with some examples and references.
The answer in a nutshell

Active Directory does not provide any means for identifying unique attributes. Some attributes are unique as a result of their specific processing rules defined by the protocols. In a broader AD view, this translates into associated constraints and triggers applied to objects during replica update operations. These rules depend on objects and may apply to a container, a DN, or an entire NC, etc.

Attribute indexing and attribute value uniqueness are not interrelated concepts in AD. A single-valued or multi-valued attribute can be indexed. And the values may require uniqueness or not, depending on their rules as we previously introduced.

Explanation, examples and references

Update operations and their constraints are generally defined in [MS-ADTS] 3.1.1.5. The Add Operation constraints (3.1.1.5.2) refer to [MS-SAMR] Section 3.1.1.6 for additional constraints when SAM-specific objects are created. [MS-SAMR] "3.1.1 Abstract Data Model" explains SAM-related constraints relationships between attributes and triggers defined respectively in Sections 3.1.1.6 and 3.1.1.8.

As you called out in your message, some attributes are unique and also indexed. For example, section 3.1.1.8.4 of [MS-SAMR] describes the uniqueness requirements for sAMAccountName ([MS-ADA3] 2.221). This is an extract from the MS-SAMR specification:

[MS-SAMR] 3.1.1.8.4 sAMAccountName

1. If the objectSid attribute has a RID of DOMAIN_USER_RID_KRBTGT and there is already a value present in the sAMAccountName attribute, the server MUST return an error status.

2. If the sAMAccountName attribute value is NOT unique with respect to the union of all sAMAccountName and msDS-AdditionalSamAccountName attribute values for all other objects within the scope of the account and built-in domain, the server MUST return an error status, according to the following conditions.

   Condition                                                          Error status
   The object whose sAMAccountName matches the sAMAccountName
   attribute of the current object is a group object as defined
   in section 3.1.1.                                                  STATUS_GROUP_EXISTS
   The object whose sAMAccountName matches the sAMAccountName
   attribute of the current object is an alias object as defined
   in section 3.1.1.                                                  STATUS_ALIAS_EXISTS
   Otherwise                                                          STATUS_USER_EXISTS

End of extract.

In addition to the specifications, you may find useful resources on MSDN; in particular, the description of user naming attributes relates to your inquiry (userPrincipalName, objectGUID, objectSID, sAMAccountName).

User Naming Attributes: http://msdn.microsoft.com/en-us/library/ms677605.aspx
Indexed attributes: http://msdn.microsoft.com/en-us/library/ms675095(VS.85).aspx

I hope this answers your question in a satisfactory manner. As always, let us know if you have any open specification specific documentation issue, and we will be happy to assist.

Best regards,
Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team

-----Original Message-----
From: Edgar Olougouna
Sent: Monday, June 01, 2009 10:17 AM
To: 'tri...@samba.org'
Cc: cifs-proto...@samba.org; p...@tridgell.net
Subject: RE: how are unique attributes determined?

Hi Tridge,

I have taken ownership of this case regarding AD attributes (case SRX090601600044). I will be communicating with you as soon as I have updates or clarification questions.

Best regards,
Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team

-----Original Message-----
From: tri...@samba.org [mailto:tri...@samba.org]
Sent: Monday, June 01, 2009 12:28 AM
To: Interoperability Documentation Help
Cc: cifs-proto...@samba.org; p...@tridgell.net
Subject: CAR: how are unique attributes determined?

We would like to know how to work out which attributes in AD are uniquely indexed. We know that attributes like samAccountName, objectGUID and objectSID are all unique.
So if you try to create the following two records using LDAP:

dn: CN=test1,OU=User2,DC=vsofs8,DC=com
sAMAccountName: test1
objectClass: user

dn: CN=test1,OU=User3,DC=vsofs8,DC=com
sAMAccountName: test1
objectClass: user

then the Windows AD implementation will return LDAP_ERR_ALREADY_EXISTS for the second one, presumably because samAccountName is a unique attribute. This makes sense, as you don't want two users with the same account name.

What we can't work out is how to find the list of unique attributes. We can't find anything in the schema that tells us an attribute is unique. What part in the schema gives us that? Or is it somewhere outside the schema?

Cheers, Tridge
_______________________________________________ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
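The [MS-SAMR] 3.1.1.8.4 rules quoted above, modelled as an add-time check in Python. This is an added example, not code from Active Directory, Samba or the specification: the in-memory directory, the "samClass" field that stands in for the section 3.1.1 object-class determination, the placeholder status for rule 1, and the case-insensitive comparison are all assumptions of this model.

```python
# Added illustration of the sAMAccountName add constraints in [MS-SAMR] 3.1.1.8.4.
# Not AD or Samba code; the store layout and status names are constructed here.
DOMAIN_USER_RID_KRBTGT = 502  # well-known RID of the krbtgt account

STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_USER_EXISTS = "STATUS_USER_EXISTS"
STATUS_GROUP_EXISTS = "STATUS_GROUP_EXISTS"
STATUS_ALIAS_EXISTS = "STATUS_ALIAS_EXISTS"
# Rule 1 only says "an error status"; this placeholder name is an assumption.
STATUS_KRBTGT_NAME_REJECTED = "STATUS_KRBTGT_NAME_REJECTED"


def check_sam_account_name(directory, new_obj):
    """Return the status the add of new_obj gets under the sAMAccountName rules.

    directory: dict DN -> attribute dict for objects already in the scope of the
    account and built-in domain.  new_obj: attribute dict of the object being
    added ("dn", "sAMAccountName", optional "rid", "samClass" = user/group/alias,
    optional "msDS-AdditionalSamAccountName" list).
    """
    name = new_obj.get("sAMAccountName")
    # Rule 1: the krbtgt object must not be created with a client-supplied name.
    if new_obj.get("rid") == DOMAIN_USER_RID_KRBTGT and name is not None:
        return STATUS_KRBTGT_NAME_REJECTED
    if name is None:
        return STATUS_SUCCESS
    # Rule 2: the new value must be unique against the union of sAMAccountName
    # and msDS-AdditionalSamAccountName of every *other* object in scope.
    # Assumption: comparison is case-insensitive, like the attribute's syntax.
    wanted = name.lower()
    for dn, attrs in directory.items():
        if dn.lower() == new_obj.get("dn", "").lower():
            continue  # the object itself is not "another" object
        taken = [attrs.get("sAMAccountName")]
        taken += attrs.get("msDS-AdditionalSamAccountName", [])
        if wanted in {v.lower() for v in taken if v}:
            # Error status depends on what kind of SAM object holds the name.
            kind = attrs.get("samClass")
            if kind == "group":
                return STATUS_GROUP_EXISTS
            if kind == "alias":
                return STATUS_ALIAS_EXISTS
            return STATUS_USER_EXISTS
    return STATUS_SUCCESS


def add_object(directory, new_obj):
    """Apply the constraint and commit the object only on success."""
    status = check_sam_account_name(directory, new_obj)
    if status == STATUS_SUCCESS:
        directory[new_obj["dn"]] = new_obj
    return status
```

Replaying Tridge's two LDIF records through add_object gives STATUS_SUCCESS for the first and STATUS_USER_EXISTS for the second, which is what the LDAP layer surfaces as the already-exists result he observed; the DN differing in its OU does not matter, since the scope is the whole account domain.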