[cifs-protocol] Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Wed, 02 Jul 2008 13:35:50 -0700 

Good afternoon Pascal. We have completed our research concerning your questions 
about AD attribute string forms. The below information is the complete list of 
special syntaxes. Please let me know if you this answers your question 
satisfactorily; if so, I will consider your question resolved.

==============================================================================================================

1] objectGUID

There is no special syntax for using this attribute in a search filter. You 
search as for any other binary-valued attribute.

       Example of Hexadecimal string representation of the binary format of the 
GUID is  "FD221F0A-5B5D-484A-99FE-DEB4B3F90C32"

       LDAP filter form:   
(objectGUID=\0A\1F\22\FD\5D\5B\4A\48\99\FE\DE\B4\B3\F9\0C\32)

However, there is a special DN syntax which allows you to specify the 
objectGUID (or objectSID) in the DN instead of a 'conventional' LDAP DN.  This 
is documented in Section 3.1.1.3.1.2.4 of the [MS-ADTS] document.

If your question about the use of this attribute in search filters has not been 
addressed by the above, please provide us with a specific example of the search 
so that we may investigate further.

2] objectSID

The alternative form for attributes of syntax type String(SID), including 
objectSID, is documented in [MS-ADTS] as shown below:

[MS-ADTS]
3.1.1.3.1.2.5        Alternative Form of SIDs
                Attributes of String(SID) syntax contain a SID in binary form. 
However, a client may instead specify a value for such an attribute as a UTF-8 
string that is a valid SDDL SID string beginning with "S-" (see [MS-DTYP] 
sections 2.4.2 and 2.5.1). The server will convert such a string to the binary 
form of the SID  and use that binary form as the value of the attribute.

3] objectCategory

[MS-ADTS]
3.1.1.3.1.3.4        Searches Using the objectCategory Attribute
                When an LDAP search filter F contains a clause C of the form 
"(objectCategory=V)", if V is not a DN but there exists an object O such that 
O!objectClass = classSchema and O!lDAPDisplayName = V, then the server treats 
the search filter as if clause C was replaced in F with the clause 
"(objectCategory=V')", where V' is O!defaultObjectCategory.
==============================================================================================================

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

Reply via email to