Hello again Andrew; here is more information on SID formats (there are two, 
composed as shown in the code sample function 'FormatSidIdentifierAuthority'):

// from winnt.h
// http://msdn.microsoft.com/en-us/library/aa379598.aspx
//
#include <windows.h>
#include <tchar.h>

#ifndef SID_IDENTIFIER_AUTHORITY_DEFINED
#define SID_IDENTIFIER_AUTHORITY_DEFINED
typedef struct _SID_IDENTIFIER_AUTHORITY {
    BYTE  Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
#endif


#ifndef SID_DEFINED
#define SID_DEFINED
typedef struct _SID {
   BYTE  Revision;
   BYTE  SubAuthorityCount;
   SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
#ifdef MIDL_PASS
   [size_is(SubAuthorityCount)] DWORD SubAuthority[*];
#else // MIDL_PASS
   DWORD SubAuthority[ANYSIZE_ARRAY];
#endif // MIDL_PASS
} SID, *PISID;
#endif

#define SID_REVISION                     (1)    // Current revision level
#define SID_MAX_SUB_AUTHORITIES          (15)
#define SID_RECOMMENDED_SUB_AUTHORITIES  (1)    // Will change to around 6

//
// Canonical form for SID.IdentifierAuthority (MS-DTYP 2.4.2.1): the 6-byte
// big-endian authority is printed in decimal when it is below 2^32, and as
// a 0x-prefixed 12-digit hexadecimal number when it is 2^32 or larger
// (i.e. when Value[0] or Value[1] is non-zero).
// see winnt.h for SID and SID_IDENTIFIER_AUTHORITY
// Note: PSID is an opaque PVOID; PISID is the pointer to the structure above.
// Returns the number of TCHARs written, or -1 on error.
//
int FormatSidIdentifierAuthority(PISID pSid, LPTSTR buffer, size_t cchBuffer)
{
        if ( (pSid->IdentifierAuthority.Value[0] != 0) ||
             (pSid->IdentifierAuthority.Value[1] != 0) )
        {
                return _stprintf_s(buffer, cchBuffer,
                        TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"),
                        (USHORT)pSid->IdentifierAuthority.Value[0],
                        (USHORT)pSid->IdentifierAuthority.Value[1],
                        (USHORT)pSid->IdentifierAuthority.Value[2],
                        (USHORT)pSid->IdentifierAuthority.Value[3],
                        (USHORT)pSid->IdentifierAuthority.Value[4],
                        (USHORT)pSid->IdentifierAuthority.Value[5]);
        }
        else
        {
                // Cast each byte to ULONG before shifting so that Value[2] << 24
                // cannot overflow a signed int.
                return _stprintf_s(buffer, cchBuffer,
                        TEXT("%lu"),
                        ((ULONG)pSid->IdentifierAuthority.Value[5]      ) +
                        ((ULONG)pSid->IdentifierAuthority.Value[4] <<  8) +
                        ((ULONG)pSid->IdentifierAuthority.Value[3] << 16) +
                        ((ULONG)pSid->IdentifierAuthority.Value[2] << 24) );
        }
}


Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606


-----Original Message-----
From: Bill Wesse
Sent: Monday, June 23, 2008 12:59 PM
To: 'Andrew Bartlett'
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Good morning Andrew; I have found a reasonably good reference to objectCategory 
semantics on our technet site (link and applicable text shown below), and will 
continue my search for other items that allow for special semantics.

Search Filters
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbc_nar_ivve.mspx?mfr=true

Every classSchema object has an attribute called defaultObjectCategory, which 
is the object category of an instance of the class if none is specified by the 
user. For most classes, the defaultObjectCategory value is the class itself. In 
the search filter, you can specify objectCategory=X, where X is the 
ldapDisplayName of a class, and LDAP automatically expands the filter to 
objectCategory=<defaultObjectCategory of class X>. The objectCategory 
attribute has a syntax of distinguished name, and LDAP automatically converts 
the value for objectCategory to the distinguished name format. For example, if 
you use objectCategory=contact in the filter, the filter changes to 
objectCategory=cn=person,cn=schema,cn=configuration,dc=<ForestRootDomain> 
("person" is the defaultObjectCategory for the class contact).


Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606


-----Original Message-----
From: Bill Wesse
Sent: Thursday, June 19, 2008 8:22 AM
To: 'Andrew Bartlett'
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

I should be able to confirm the objectCategory semantics by sometime tomorrow; 
I have yet to find a consolidated list of attributes that allow for special 
semantics (it will take some time for me to derive this information; please 
note that I have queried product development concerning this topic).

Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2008 9:50 PM
To: Bill Wesse
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

On Tue, 2008-06-17 at 09:05 -0700, Bill Wesse wrote:
> Good day again! I have filed the below bug against the MS-ADA3 document. I 
> apologize for my earlier incorrect answer (which stated that objectGUID and 
> objectSID had no 'human-readable' string format available for use within LDAP 
> filters).
>
> It turns out that the AD specialist I consulted with was speaking with 
> respect to LDAP generically, not the Microsoft implementation (which I was 
> listening as pertaining to).
>
> Additionally, the list of special semantics for our implementation is 
> specifically against objectSID and objectGUID; there is no schema attribute 
> that specifies or allows for this.
>
> Using objectGUID to Bind to an Object
> http://msdn.microsoft.com/en-us/library/ms677985(VS.85).aspx
>
> ==============================================================================
> Question:
> In MS-ADA3 - 2.43 and 2.44 we see a description of the objectGUID and 
> objectSID attributes.  Helpful cross-references to MS-DTYP are included.
>
> However, no reference in either document is made to the ability of AD LDAP 
> servers to accept string (rather than binary) forms of these attributes in 
> searches.
>
> Is there a schema attribute that defines which attribute types allow these 
> kinds of polymorphic searches, or is it a hard-coded list?
>
> ==============================================================================
> Proposed Answer:
>
> There are special hard coded-semantics on the Active Directory attribute 
> 'objectGUID' and 'objectSID' attributes (which are both typed internally as 
> OctetStrings).
>
> The following shows the human-readable string forms (string) understood by 
> the Active Directory Services LDAP server for these attributes:
>
> Type:   GUID
> string: 6d05e3c6-44db-406d-a43b-f4973724d20f
> rfc2254: \C6\E3\05\6D\DB\44\6D\40\A4\3B\F4\97\37\24\D2\0F
>
> Type:    SID
> string: S-1-5-21-2484111802-3076910921-728100999-1142
> rfc2254: \01\05\00\00\00\00\00\05\15\00\00\00\BA\89\10\94\49\EF\65\B7\87\F0\65\2B\76\04\00\00

Good start!  Now, could you clarify how objectCategory fits into this.
It also has an alternate string representation, allowing short forms and DN 
forms.

Now you see why I asked for the full list - I know of these 3, but what other 
horrors lie beneath?  ;-)

Thanks,

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
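The two identifier-authority forms Bill describes in his FormatSidIdentifierAuthority sample at the top of the thread, and the string versus RFC 2254 forms of objectSID and objectGUID quoted in the proposed answer, worked through in portable C as an added example. This is not code from the thread, from Windows or from Samba; the function names are the example's own, the byte strings are the octets quoted in the thread, and the layout assumed for the SID (revision byte, sub-authority count, 6-byte big-endian authority, little-endian DWORD sub-authorities) and for the GUID (Data1 to Data3 little-endian) is the MS-DTYP packet form. It also shows the generalisation the thread hints at: turning the human-readable "S-1-..." form that only AD understands into the escaped-octet filter every LDAP server accepts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The objectSID and objectGUID octet strings quoted in this thread, as bytes. */
static const unsigned char SAMPLE_SID[] = {
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xBA, 0x89,
    0x10, 0x94, 0x49, 0xEF, 0x65, 0xB7, 0x87, 0xF0, 0x65, 0x2B, 0x76, 0x04, 0x00, 0x00 };
static const unsigned char SAMPLE_GUID[] = { 0xC6, 0xE3, 0x05, 0x6D, 0xDB, 0x44, 0x6D, 0x40,
                                             0xA4, 0x3B, 0xF4, 0x97, 0x37, 0x24, 0xD2, 0x0F };

/* Binary SID (revision, count, 48-bit big-endian authority, little-endian DWORD
 * sub-authorities) -> "S-1-5-21-...". Returns 0, or -1 if malformed / buffer too small. */
int sid_to_string(const unsigned char *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[0] != 1 || sid[1] > 15 || len != 8 + 4u * sid[1])
        return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++)
        auth = (auth << 8) | sid[2 + i];
    /* Same rule as FormatSidIdentifierAuthority: decimal below 2^32, else 0x + 12 hex digits. */
    int n = (auth >> 32) ? snprintf(out, outlen, "S-%u-0x%012llx", sid[0], (unsigned long long)auth)
                         : snprintf(out, outlen, "S-%u-%llu", sid[0], (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    for (int i = 0; i < sid[1]; i++) {
        const unsigned char *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        int m = snprintf(out + n, outlen - n, "-%u", (unsigned)sub);
        if (m < 0 || (size_t)m >= outlen - n)
            return -1;
        n += m;
    }
    return 0;
}

/* "S-1-..." -> binary SID; accepts the decimal and the 0x-prefixed hex authority forms.
 * Returns the byte length, or -1 on error. */
int string_to_sid(const char *s, unsigned char *out, size_t outlen)
{
    unsigned rev; long long auth; int k, count = 0;
    unsigned char buf[8 + 4 * 15];
    if (sscanf(s, "S-%u-%lli%n", &rev, &auth, &k) != 2 || rev != 1 || auth < 0 || (auth >> 48) != 0)
        return -1;
    buf[0] = 1;
    for (int i = 0; i < 6; i++)
        buf[2 + i] = (unsigned char)(auth >> (8 * (5 - i)));
    for (s += k; *s; s += k) {
        unsigned long sub;
        if (count == 15 || s[1] < '0' || s[1] > '9' || sscanf(s, "-%lu%n", &sub, &k) != 1 || sub > 0xFFFFFFFFul)
            return -1;
        unsigned char *p = buf + 8 + 4 * count++;
        p[0] = sub & 0xFF; p[1] = (sub >> 8) & 0xFF; p[2] = (sub >> 16) & 0xFF; p[3] = (sub >> 24) & 0xFF;
    }
    buf[1] = (unsigned char)count;
    if (8 + 4u * count > outlen)
        return -1;
    memcpy(out, buf, 8 + 4 * count);
    return 8 + 4 * count;
}

/* objectGUID octets (Data1..Data3 stored little-endian) -> "6d05e3c6-44db-..." string. */
void guid_to_string(const unsigned char g[16], char out[37])
{
    snprintf(out, 37, "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
             g[3], g[2], g[1], g[0], g[5], g[4], g[7], g[6], g[8], g[9], g[10], g[11], g[12], g[13], g[14], g[15]);
}

/* Octets -> RFC 2254 filter escape ("\XX" per byte), the form every LDAP server accepts. */
int rfc2254_escape(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    if (outlen < 3 * len + 1)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < len; i++)
        snprintf(out + 3 * i, 4, "\\%02X", buf[i]);
    return 0;
}

/* Portable (objectSid=\01\05...) filter from the human-readable form, for servers
 * that do not implement the AD-only "S-1-..." string shortcut. */
int sid_filter(const char *sidstr, char *out, size_t outlen)
{
    unsigned char sid[8 + 4 * 15];
    char esc[3 * sizeof sid + 1];
    int len = string_to_sid(sidstr, sid, sizeof sid);
    if (len < 0 || rfc2254_escape(sid, (size_t)len, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outlen, "(objectSid=%s)", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char s[128], g[37], f[256];
    if (sid_to_string(SAMPLE_SID, sizeof SAMPLE_SID, s, sizeof s) == 0 && sid_filter(s, f, sizeof f) == 0) {
        guid_to_string(SAMPLE_GUID, g);
        printf("SID    %s\nGUID   %s\nfilter %s\n", s, g, f);
    }
    return 0;
}
```

Both converters validate the length against SubAuthorityCount and cap it at 15 (SID_MAX_SUB_AUTHORITIES), so a truncated or padded objectSID value read back from a directory is rejected rather than silently mis-parsed; the hex branch is exercised by any authority of 2^32 or more, such as "S-1-0x000100000000-0".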
