Hello Tridge. Here is what I have (pending the proposed changes for [MS-ADTS]):

The length of a delete-mangled RDN may indeed exceed rangeUpper, due to the 
additional delete-mangle decoration.

I should first note that the delete-mangled RDN format contains a '\0A' 
character - not a '\0'. Perhaps this is a typo in your email?

\0A is a character not allowed in Active Directory names, per [MS-ADTS] 
3.1.1.5.1.2 - and is certainly a handy way to verify whether or not a name has 
been mangled (a.k.a. strchr(pszRDN, (int)0x0a) ).

The format is, of course, noted in [MS-ADTS] 3.1.1.5.5, like 
"objectName\0ADEL:dashed_string_objectGUID". As noted in [MS-ADTS] 3.1.1.5.1.2, 
the maximum RDN length is 255; it is further constrained to 64 ([MS-ADA1] 2.110 
Attribute cn, rangeUpper: 64).

That said, the length of a delete-mangled RDN can be up to 105 characters (not 
including the terminating NUL character): {rangeUpper:64} + {0x0A:1} + 
{'DEL:':4} + {dashed-string-Guid:36}.

[MS-ADTS] 3.1.1.5.1.2 also notes that "Naming constraints are not enforced for 
replicated updates.", so the additional length of a delete-mangled RDN will 
replicate properly.

I have filed a TDI against [MS-ADTS] section 3.1.1.5.5 Delete Operation to have 
this annotated.

References:

[MS-ADTS]: Active Directory Technical Specification

3.1.1.5.1.2 Naming Constraints

During an originating update of the Add, Modify, and Modify DN operations, the 
server validates the following naming constraints. Unless otherwise specified, 
the server returns LDAP error namingViolation if a naming constraint is not met.

o The RDN must not contain a character with value 0xA.

o The RDN must not contain a character with value 0x0; otherwise, the server 
SHOULD return LDAP error invalidDNSyntax. However, if the DC functional level 
is DS_BEHAVIOR_WIN2000, the server will not return an error.

o The DN must be compliant with [RFC2253].

o The RDN size must be less than 255 characters.

Naming constraints are not enforced for replicated updates.

3.1.1.5.5 Delete Operation
...
In most cases, upon deletion, a tombstone, deleted-object, or recycled-object 
is moved into the Deleted Objects container of its NC; for exceptions see 
section 3.1.1.5.5.6. The RDN of the object is changed to a "delete-mangled 
RDN": an RDN that is guaranteed to be unique within the Deleted Objects 
container. If O is the object that is deleted, the delete-mangled RDN is the 
concatenation of O!name, the character with value 0x0A, the string "DEL:", and 
the dashed string representation ([RFC4122] section 3) of O!objectGUID. A 
"delete-mangled DN" is a DN such that the leaf RDN is a delete-mangled RDN.

==============================================================================
Question:

From: tri...@samba.org [mailto:tri...@samba.org]
Sent: Monday, November 09, 2009 6:58 PM
To: Hongwei Sun
Cc: cifs-proto...@samba.org; h...@highlandsun.com
Subject: RE: limits on rDN size in AD ?

Hi Hongwei,

We're back to the old question of rDN size limits again!

I just got a DRS replication reply from w2k8-r2 with a CN that has a length 
larger than 64. So I suspect that things are a bit more complex than what we'd 
discussed before.

The object was:

  CN=89532b80-09fe-445e-afef-965c0d7f7d15\0ADEL:462902b4-1824-4f02-8956-9f934f64fa01,CN=Deleted Objects,CN=Configuration,DC=vsofs8,DC=com

which gives a length of 80.

Are we perhaps supposed to interpret the \0 as a termination character for the 
purposes of this length constraint? (note that this is a \ followed by a 0, not 
a nul byte).

Or perhaps deleted objects are special in their constraints in some way?

Cheers, Tridge

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606
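
The checks discussed above (detect a delete-mangled RDN via the 0x0A byte, split 
it into O!name and O!objectGUID, and apply the 64 / 105 length bounds), as an 
added worked example in Python. This is not code from Samba, Windows or the 
thread; the DN-string unescaping, the function names and the sample value are 
assumptions made for this illustration. The sample is Tridge's RDN, reproduced 
in its RFC 2253 escaped form: note that in a Python source literal "\0" is an 
octal NUL escape, so the sample must be a raw string, which is exactly the "\0A 
vs. \0" confusion the thread clears up.

```python
import re
import uuid

# Bounds from the thread: cn rangeUpper 64 ([MS-ADA1] 2.110) plus the
# delete-mangle decoration: 0x0A (1) + "DEL:" (4) + dashed GUID (36) = 105.
CN_RANGE_UPPER = 64
MANGLE_DECORATION_LEN = 1 + len("DEL:") + 36
MAX_MANGLED_RDN_LEN = CN_RANGE_UPPER + MANGLE_DECORATION_LEN  # 105

# Constructed sample: the RDN value Tridge quoted, in escaped DN-string form.
# Raw string on purpose: "\0A" here is the RFC 2253 hex escape of byte 0x0A,
# not a NUL terminator (a non-raw "\0A" literal would be chr(0) + "A").
SAMPLE_ESCAPED_RDN_VALUE = (
    r"89532b80-09fe-445e-afef-965c0d7f7d15\0ADEL:462902b4-1824-4f02-8956-9f934f64fa01"
)

_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def _is_hex_pair(pair: bytes) -> bool:
    return len(pair) == 2 and all(b in b"0123456789abcdefABCDEF" for b in pair)


def unescape_rdn_value(escaped: str) -> str:
    """Undo RFC 2253 escaping of an attribute value taken from a DN string.

    Works on UTF-8 bytes so that multi-byte characters escaped as several
    \\XX pairs are reassembled correctly; \\c (non-hex) escapes yield c.
    (Assumed helper, written for this example.)
    """
    data = escaped.encode("utf-8")
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x5C and i + 1 < len(data):  # backslash
            pair = data[i + 1:i + 3]
            if _is_hex_pair(pair):
                out.append(int(pair.decode("ascii"), 16))
                i += 3
                continue
            out.append(data[i + 1])
            i += 2
            continue
        out.append(data[i])
        i += 1
    return out.decode("utf-8")


def split_delete_mangled_rdn(value: str):
    """Return (name, objectGUID) for a delete-mangled RDN value, else None.

    The presence test is the strchr(pszRDN, 0x0A) check from the thread:
    0x0A is never legal in an originating-update RDN, so finding it means
    the object has been mangled per [MS-ADTS] 3.1.1.5.5.
    """
    idx = value.find("\n")
    if idx == -1:
        return None
    name, tail = value[:idx], value[idx + 1:]
    if not tail.startswith("DEL:"):
        raise ValueError("0x0A present but decoration does not start with DEL:")
    guid_text = tail[len("DEL:"):]
    if not _GUID_RE.match(guid_text):
        raise ValueError("decoration is not a dashed objectGUID")
    return name, uuid.UUID(guid_text)


def check_rdn_length(value: str) -> bool:
    """Apply the cn bound to a live RDN, or the 105-char bound to a mangled one.

    For a mangled RDN the original O!name must still fit rangeUpper; only the
    decoration is allowed to push the whole RDN past 64.
    """
    mangled = split_delete_mangled_rdn(value)
    if mangled is None:
        return len(value) <= CN_RANGE_UPPER
    name, _guid = mangled
    return len(name) <= CN_RANGE_UPPER and len(value) <= MAX_MANGLED_RDN_LEN


if __name__ == "__main__":
    raw = unescape_rdn_value(SAMPLE_ESCAPED_RDN_VALUE)
    name, guid = split_delete_mangled_rdn(raw)
    print("name      :", name)
    print("objectGUID:", guid)
    print("raw length:", len(raw), "ok:", check_rdn_length(raw))
```

Running it on the sample gives a 77-character raw RDN (36 + 1 + 4 + 36); 
Tridge's figure of 80 is that value with the three-character "CN=" prefix 
counted in. The DC functional level caveat from 3.1.1.5.1.2 (NUL handling under 
DS_BEHAVIOR_WIN2000) is not modelled here.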

From: Bill Wesse
Sent: Thursday, November 12, 2009 9:44 AM
To: 'tri...@samba.org'
Cc: 'cifs-proto...@samba.org'; 'h...@highlandsun.com'
Subject: Re: limits on rDN size in AD (SRX091112600056 [MS-ADTS] limits on rDN 
size in AD)

Good morning Tridge! Since Hongwei is out of the office, I have created case 
SRX091112600056 to track our work against your question about rDN size / 
deleted object rDN.

I expect to be able to begin work on this tomorrow, and will keep you updated!

Regards,
Bill Wesse


-----Original Message-----
From: Hongwei Sun
Sent: Thursday, November 12, 2009 12:56 PM
To: 'tri...@samba.org'
Cc: cifs-proto...@samba.org; h...@highlandsun.com; Edgar Olougouna; Sebastian 
Canevari
Subject: RE: limits on rDN size in AD ?

Tridge,

  The RDN of the Deleted Objects container is a little different from the normal 
RDN. The following information in MS-ADTS 3.1.1.5.5 describes the composition 
of the RDN for objects in the Deleted Objects container:

  "The RDN of the object is changed to a "delete-mangled RDN": an RDN that is 
guaranteed to be unique within the Deleted Objects container. If O is the 
object that is deleted, the delete-mangled RDN is the concatenation of O!name, 
the character with value 0x0A, the string "DEL:", and the dashed string 
representation ([RFC4122] section 3) of O!objectGUID."

  It looks to me like, for the Deleted Objects container, the size constraint 
should be dependent on the combination of each sub-component. Since I am out of 
the office, I will ask one of my team members to investigate and confirm the 
behavior.

Thanks!

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
