List: cifs-protocol
Subject: [cifs-protocol] RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44
From: Bill Wesse <billwe () microsoft ! com>
Date: 2008-06-23 17:33:32
Message-ID: 418D0227BD8E13478CBDB45B34804148575D172A32 () NA-EXMSG-C114 ! redmond ! corp ! microsoft ! com
Hello again Andrew; here is more information on SID formats (there are two, composed as shown in the code sample function 'FormatSidIdentifierAuthority'):
// from winnt.h
// http://msdn.microsoft.com/en-us/library/aa379598.aspx
//
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

#ifndef SID_IDENTIFIER_AUTHORITY_DEFINED
#define SID_IDENTIFIER_AUTHORITY_DEFINED
typedef struct _SID_IDENTIFIER_AUTHORITY {
    BYTE Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
#endif

#ifndef SID_DEFINED
#define SID_DEFINED
typedef struct _SID {
    BYTE Revision;
    BYTE SubAuthorityCount;
    SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
#ifdef MIDL_PASS
    [size_is(SubAuthorityCount)] DWORD SubAuthority[*];
#else // MIDL_PASS
    DWORD SubAuthority[ANYSIZE_ARRAY];
#endif // MIDL_PASS
} SID, *PISID;
#endif

#define SID_REVISION (1) // Current revision level
#define SID_MAX_SUB_AUTHORITIES (15)
#define SID_RECOMMENDED_SUB_AUTHORITIES (1) // Will change to around 6

//
// Canonical form for SID.IdentifierAuthority
// see winnt.h for SID and SID_IDENTIFIER_AUTHORITY
//
// The six authority bytes are big-endian. When the two high bytes are zero the
// value fits in 32 bits and is written in decimal; otherwise it is written as
// "0x" followed by all twelve hex digits. 'buffer' must hold at least 15 TCHARs
// ("0x" + 12 hex digits + terminator). Returns the number of characters written,
// or a negative value on error.
//
int FormatSidIdentifierAuthority(PSID pSid, LPTSTR buffer)
{
    PISID sid = (PISID)pSid; // PSID is opaque (void*); PISID exposes the fields

    if ( (sid->IdentifierAuthority.Value[0] != 0) || (sid->IdentifierAuthority.Value[1] != 0) )
    {
        return _stprintf(buffer,
            _T("0x%02hx%02hx%02hx%02hx%02hx%02hx"),
            (USHORT)sid->IdentifierAuthority.Value[0],
            (USHORT)sid->IdentifierAuthority.Value[1],
            (USHORT)sid->IdentifierAuthority.Value[2],
            (USHORT)sid->IdentifierAuthority.Value[3],
            (USHORT)sid->IdentifierAuthority.Value[4],
            (USHORT)sid->IdentifierAuthority.Value[5]);
    }
    else
    {
        // Value[5] is the least significant byte; cast before shifting so the
        // high byte cannot overflow a signed int.
        return _stprintf(buffer,
            _T("%lu"),
            (ULONG)sid->IdentifierAuthority.Value[5] +
            ((ULONG)sid->IdentifierAuthority.Value[4] << 8) +
            ((ULONG)sid->IdentifierAuthority.Value[3] << 16) +
            ((ULONG)sid->IdentifierAuthority.Value[2] << 24) );
    }
}
Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: 980-776-8200
CELL: 704-661-5438
FAX: 704-665-9606
-----Original Message-----
From: Bill Wesse
Sent: Monday, June 23, 2008 12:59 PM
To: 'Andrew Bartlett'
Cc: 'cifs-protocol@samba.org'; 'pfif@tridgell.net'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes
Good morning Andrew; I have found a reasonably good reference to objectCategory semantics on our technet site (link and applicable text shown below), and will continue my search for other items that allow for special semantics.
Search Filters
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbc_nar_ivve.mspx?mfr=true
Every classSchema object has an attribute called defaultObjectCategory, which is the object category of an instance of the class if none is specified by the user. For most classes, the defaultObjectCategory value is the class itself. In the search filter, you can specify objectCategory=X, where X is the ldapDisplayName of a class, and LDAP automatically expands the filter to objectCategory=<defaultObjectCategory of class X>. The objectCategory attribute has a syntax of distinguished name, and LDAP automatically converts the value for objectCategory to the distinguished name format. For example, if you use objectCategory=contact in the filter, the filter changes to objectCategory=cn=person,cn=schema,cn=configuration,dc=<ForestRootDomain> ("person" is the defaultObjectCategory for the class contact).
Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: 980-776-8200
CELL: 704-661-5438
FAX: 704-665-9606
-----Original Message-----
From: Bill Wesse
Sent: Thursday, June 19, 2008 8:22 AM
To: 'Andrew Bartlett'
Cc: 'cifs-protocol@samba.org'; 'pfif@tridgell.net'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes
I should be able to confirm the objectCategory semantics by sometime tomorrow; I have yet to find a consolidated list of attributes that allow for special semantics (it will take some time for me to derive this information; please note that I have queried product development concerning this topic).
Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: 980-776-8200
CELL: 704-661-5438
FAX: 704-665-9606
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Wednesday, June 18, 2008 9:50 PM
To: Bill Wesse
Cc: 'cifs-protocol@samba.org'; 'pfif@tridgell.net'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes
On Tue, 2008-06-17 at 09:05 -0700, Bill Wesse wrote:
> Good day again! I have filed the below bug against the MS-ADA3 document. I apologize for my earlier incorrect answer (which stated that objectGUID and objectSID had no 'human-readable' string format available for use within ldap filters).
> It turns out that the AD specialist I consulted with was speaking with respect to LDAP generically, not the Microsoft implementation (which I was listening as pertaining to).
> Additionally, the list of special semantics for our implementation is specifically against objectSID and objectGUID; there is no schema attribute that specifies or allows for this.
> Using objectGUID to Bind to an Object
> http://msdn.microsoft.com/en-us/library/ms677985(VS.85).aspx
>
> ==============================================================================
> Question:
> In MS-ADA3 - 2.43 and 2.44 we see a description of the objectGUID and objectSID attributes. Helpful cross-references to MS-DTYP are included.
> However, no reference in either document is made to the ability of AD LDAP servers to accept string (rather than binary) forms of these attributes in searches.
> Is there a schema attribute that defines which attribute types allow these kinds of polymorphic searches, or is it a hard-coded list?
> ==============================================================================
> Proposed Answer:
>
> There are special hard-coded semantics on the Active Directory 'objectGUID' and 'objectSID' attributes (which are both typed internally as OctetStrings).
> The following shows the human-readable string forms (string) understood by the Active Directory Services LDAP server for these attributes:
> Type: GUID
> string: 6d05e3c6-44db-406d-a43b-f4973724d20f
> rfc2254: \C6\E3\05\6D\DB\44\6D\40\A4\3B\F4\97\37\24\D2\0F
>
> Type: SID
> string: S-1-5-21-2484111802-3076910921-728100999-1142
> rfc2254: \01\05\00\00\00\00\00\05\15\00\00\00\BA\89\10\94\49\EF\65\B7\87\F0\65\2B\76\04\00\00
Good start! Now, could you clarify how objectCategory fits into this?
It also has an alternate string representation, allowing short forms and DN forms.
Now you see why I asked for the full list - I know of these 3, but what other horrors lie beneath? ;-)
Thanks,
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
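The two identifier-authority forms Bill describes at the top of the thread (decimal when the two high bytes are zero, otherwise "0x" and twelve hex digits) and the string/rfc2254 pairs quoted above for objectGUID and objectSID can be checked against each other with a short decoder. The following is an added example, not code from the thread, from Samba or from Microsoft: it is portable C with no Windows headers, the function names are its own, and the sample bytes are the ones quoted in the thread. It also performs the checks a parser should make before trusting a SID blob (revision, sub-authority count, total length), which the thread does not cover.

```c
/* Added example, not from the thread: decode the binary SID and GUID forms
 * described above and emit both the human-readable string and the RFC 2254
 * escaped filter value. Portable C (no windows.h); the sample bytes are the
 * ones quoted in the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_REVISION            1
#define SID_MAX_SUB_AUTHORITIES 15

/* Canonical IdentifierAuthority text, as in the thread's FormatSidIdentifierAuthority:
 * decimal when the two high bytes are zero, otherwise "0x" plus 12 hex digits.
 * The six bytes are big-endian. */
static int format_authority(const uint8_t auth[6], char *out, size_t cch)
{
    if (auth[0] != 0 || auth[1] != 0)
        return snprintf(out, cch, "0x%02x%02x%02x%02x%02x%02x",
                        auth[0], auth[1], auth[2], auth[3], auth[4], auth[5]);
    uint32_t v = ((uint32_t)auth[2] << 24) | ((uint32_t)auth[3] << 16) |
                 ((uint32_t)auth[4] << 8)  |  (uint32_t)auth[5];
    return snprintf(out, cch, "%u", (unsigned)v);
}

/* Binary SID -> "S-1-5-21-...". Returns out on success, NULL if the bytes are
 * not a well-formed revision-1 SID (too short, count > 15, length mismatch)
 * or if the text does not fit in the caller's buffer. */
char *sid_to_string(const uint8_t *sid, size_t len, char *out, size_t cch)
{
    if (len < 8 || sid[0] != SID_REVISION || sid[1] > SID_MAX_SUB_AUTHORITIES ||
        len != 8 + 4u * sid[1])
        return NULL;
    char auth[16];
    format_authority(sid + 2, auth, sizeof auth);
    int n = snprintf(out, cch, "S-%u-%s", (unsigned)sid[0], auth);
    if (n < 0 || (size_t)n >= cch) return NULL;
    for (unsigned i = 0; i < sid[1]; i++) {
        const uint8_t *p = sid + 8 + 4 * i;           /* SubAuthority[i], little-endian */
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, cch - (size_t)n, "-%u", (unsigned)sub);
        if (m < 0 || (size_t)m >= cch - (size_t)n) return NULL;
        n += m;
    }
    return out;
}

/* Binary GUID -> "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx". The first three fields
 * are stored little-endian, which is why the thread's two GUID forms look
 * byte-swapped against each other; the last eight bytes are in wire order. */
char *guid_to_string(const uint8_t g[16], char *out, size_t cch)
{
    int n = snprintf(out, cch,
        "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
        g[3], g[2], g[1], g[0], g[5], g[4], g[7], g[6],
        g[8], g[9], g[10], g[11], g[12], g[13], g[14], g[15]);
    return (n < 0 || (size_t)n >= cch) ? NULL : out;
}

/* RFC 2254 escaped form of a binary attribute value: every byte as \HH.
 * Escaping every byte is always valid and keeps externally supplied bytes
 * from ever being read as filter syntax. Needs 3*len+1 characters. */
char *ldap_escape_bytes(const uint8_t *b, size_t len, char *out, size_t cch)
{
    if (cch < 3 * len + 1) return NULL;
    for (size_t i = 0; i < len; i++)
        snprintf(out + 3 * i, 4, "\\%02X", b[i]);
    out[3 * len] = '\0';
    return out;
}

/* Sample values constructed from the bytes quoted in the thread. */
const uint8_t SAMPLE_SID[28] = {
    0x01, 0x05,                         /* Revision 1, 5 sub-authorities */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05, /* IdentifierAuthority 5 */
    0x15, 0x00, 0x00, 0x00, 0xBA, 0x89, 0x10, 0x94, 0x49, 0xEF, 0x65, 0xB7,
    0x87, 0xF0, 0x65, 0x2B, 0x76, 0x04, 0x00, 0x00 };
const uint8_t SAMPLE_GUID[16] = {
    0xC6, 0xE3, 0x05, 0x6D, 0xDB, 0x44, 0x6D, 0x40,
    0xA4, 0x3B, 0xF4, 0x97, 0x37, 0x24, 0xD2, 0x0F };

int main(void)
{
    char s[200], e[100];
    printf("SID  string : %s\n", sid_to_string(SAMPLE_SID, sizeof SAMPLE_SID, s, sizeof s));
    printf("SID  rfc2254: %s\n", ldap_escape_bytes(SAMPLE_SID, sizeof SAMPLE_SID, e, sizeof e));
    printf("GUID string : %s\n", guid_to_string(SAMPLE_GUID, s, sizeof s));
    printf("GUID rfc2254: %s\n", ldap_escape_bytes(SAMPLE_GUID, sizeof SAMPLE_GUID, e, sizeof e));
    return 0;
}
```

Built with any C99 compiler, the four printed lines reproduce the string and rfc2254 values quoted in the thread. Escaping every byte as \HH is more than RFC 2254 strictly requires (only NUL, '(', ')', '*' and '\' must be escaped), but it is always a valid encoding and the safe default when the attribute bytes come from outside the program; the length and count checks in sid_to_string are what keep a truncated or oversized blob from being read past its end.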
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol