From rcritten at redhat.com Tue Aug 8 19:34:45 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 08 Aug 2006 15:34:45 -0400
Subject: [Fedora-directory-devel] Please review: (200988) mod_admserv: use setresuid() in lieu of seteuid() on HP-UX
Message-ID: <44D8E755.4060009@redhat.com>

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200988
Bug(s) fixed: 200988
Bug Description: mod_admserv: use setresuid() in lieu of seteuid() on HP/ux
Reviewed by: ???
Files: See diff
Branch: HEAD
Fix Description: Per Ulf's suggestion, use SETEUID macro. apxs will define -DHPUX11 on an HP/ux machine causing this code to be executed. I also included a generic HPUX and HPUX10 for completeness. I've only tested that it won't break FC, not that it works on HP/ux (but it seems obvious that it will). Maybe we can get Ulf's help in testing...
Platforms tested: FC4
Flag Day: no
Doc impact: no
QA impact: no
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_admserv.diff
Type: text/x-patch
Size: 1091 bytes
Desc: not available
URL:

From rmeggins at redhat.com Tue Aug 8 19:38:49 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 08 Aug 2006 13:38:49 -0600 Subject: [Fedora-directory-devel] Please review: (200988) mod_admserv: use setresuid() in lieu of seteuid() on HP-UX In-Reply-To: <44D8E755.4060009@redhat.com> References: <44D8E755.4060009@redhat.com> Message-ID: <44D8E849.6050209@redhat.com> Ok. Rob Crittenden wrote: > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200988 > Bug(s) fixed: 200988 > Bug Description: mod_admserv: use setresuid() in lieu of seteuid() on > HP/ux > Reviewed by: ??? > Files: See diff > Branch: HEAD > Fix Description: Per Ulf's suggestion, use SETEUID macro. apxs will > define -DHPUX11 on an HP/ux machine causing this code to be executed. > I also included a generic HPUX and HPUX10 for completeness. I've only > tested that it won't break FC, not that it works on HP/ux (but it > seems obvious that it will). Maybe we can get Ulf's help in testing... > Platforms tested: FC4 > Flag Day: no > Doc impact: no > QA impact: no > ------------------------------------------------------------------------ > > Index: mod_admserv.c > =================================================================== > RCS file: /cvs/dirsec/mod_admserv/mod_admserv.c,v > retrieving revision 1.26 > diff -u -r1.26 mod_admserv.c > --- mod_admserv.c 17 Jul 2006 19:01:29 -0000 1.26 > +++ mod_admserv.c 8 Aug 2006 19:27:55 -0000 > @@ -65,6 +65,12 @@ > > #include "mod_admserv.h" > > +#if defined(HPUX) || defined(HPUX10) || defined(HPUX11) > +#define SETEUID(id) setresuid((uid_t) -1, id, (uid_t) -1) > +#else > +#define SETEUID(id) seteuid(id) > +#endif > + > /* > * These are keys for items we store in r->notes to pass data from one stage > * in the request to another. They must be unique. If necessary, prefix 
> @@ -2031,7 +2037,7 @@ > #ifdef CHANGE_EUID > /* make sure pset creates the cache file owned by the server uid, not root */ > if (geteuid() == 0) { > - seteuid(unixd_config.user_id); > + SETEUID(unixd_config.user_id); > reseteuid = 1; > } > #endif /* CHANGE_EUID */ > @@ -2044,7 +2050,7 @@ > > #ifdef CHANGE_EUID > if (reseteuid) { > - seteuid(0); > + SETEUID(0); > } > #endif /* CHANGE_EUID */ > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-devel mailing list > Fedora-directory-devel at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-devel > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From ulf.weltman at hp.com Tue Aug 8 19:52:46 2006 
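Review bot: in the first hunk (@@ -65,6 +65,12 @@) the macro parameter is expanded unparenthesized in "setresuid((uid_t) -1, id, (uid_t) -1)"; write "(id)" in both branches so an expression argument cannot be misparsed. A one-line comment above the #if saying why the HP-UX builds need setresuid() instead of seteuid() would also help, since nothing in the diff records the reason.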
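Review bot: in the @@ -2031,7 +2037,7 @@ hunk the result of SETEUID(unixd_config.user_id) is ignored and reseteuid is set to 1 regardless. If the call fails, the code carries on with euid 0 and pset creates the cache file owned by root, which is exactly what the comment above the call says must not happen. Check for a non-zero return, log it, and skip the cache write (or fail the request) instead of continuing.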
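Review bot: in the @@ -2044,7 +2050,7 @@ hunk SETEUID(0) is also unchecked, so a failed restore leaves the process running with the server uid and nothing in the log to show it. On the HP-UX branch the restore only works because the macro passes (uid_t) -1 for the real and saved ids and so leaves them at 0; that dependency deserves a comment next to the macro or at this call.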
From: ulf.weltman at hp.com (Ulf Weltman) Date: Tue, 08 Aug 2006 12:52:46 -0700 Subject: [Fedora-directory-devel] Please review: (200988) mod_admserv: use setresuid() in lieu of seteuid() on HP-UX In-Reply-To: <44D8E755.4060009@redhat.com> References: <44D8E755.4060009@redhat.com> Message-ID: <44D8EB8E.4030502@hp.com> Tested OK on HP-UX B.11.11. Rob Crittenden wrote: > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200988 > Bug(s) fixed: 200988 > Bug Description: mod_admserv: use setresuid() in lieu of seteuid() on > HP/ux > Reviewed by: ??? > Files: See diff > Branch: HEAD > Fix Description: Per Ulf's suggestion, use SETEUID macro. apxs will > define -DHPUX11 on an HP/ux machine causing this code to be executed. > I also included a generic HPUX and HPUX10 for completeness. I've only > tested that it won't break FC, not that it works on HP/ux (but it > seems obvious that it will). Maybe we can get Ulf's help in testing... > Platforms tested: FC4 > Flag Day: no > Doc impact: no > QA impact: no > >------------------------------------------------------------------------ > >Index: mod_admserv.c >=================================================================== >RCS file: /cvs/dirsec/mod_admserv/mod_admserv.c,v >retrieving revision 1.26 >diff -u -r1.26 mod_admserv.c >--- mod_admserv.c 17 Jul 2006 19:01:29 -0000 1.26 >+++ mod_admserv.c 8 Aug 2006 19:27:55 -0000 >@@ -65,6 +65,12 @@ > > #include "mod_admserv.h" > >+#if defined(HPUX) || defined(HPUX10) || defined(HPUX11) >+#define SETEUID(id) setresuid((uid_t) -1, id, (uid_t) -1) >+#else >+#define SETEUID(id) seteuid(id) >+#endif >+ > /* > * These are keys for items we store in r->notes to pass data from one stage > * in the request to another. They must be unique. If necessary, prefix 
>@@ -2031,7 +2037,7 @@ > #ifdef CHANGE_EUID > /* make sure pset creates the cache file owned by the server uid, not root */ > if (geteuid() == 0) { >- seteuid(unixd_config.user_id); >+ SETEUID(unixd_config.user_id); > reseteuid = 1; > } > #endif /* CHANGE_EUID */ >@@ -2044,7 +2050,7 @@ > > #ifdef CHANGE_EUID > if (reseteuid) { >- seteuid(0); >+ SETEUID(0); > } > #endif /* CHANGE_EUID */ > > > >------------------------------------------------------------------------ > >-- >Fedora-directory-devel mailing list >Fedora-directory-devel at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-devel > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Aug 8 20:06:31 2006 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 Aug 2006 16:06:31 -0400 Subject: [Fedora-directory-devel] Commmit: (200988) mod_admserv: use setresuid() in lieu of seteuid() on HP-UX Message-ID: <44D8EEC7.4060007@redhat.com> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200988 Bug(s) fixed: 200988 Bug Description: mod_admserv: use setresuid() in lieu of seteuid() on HP/ux Reviewed by: Rich and Ulf Files: See diff Branch: HEAD Fix Description: Per Ulf's suggestion, use SETEUID macro. apxs will define -DHPUX11 on an HP/ux machine causing this code to be executed. I also included a generic HPUX and HPUX10 for completeness. Platforms tested: FC4, HPUX11 Flag Day: no Doc impact: no QA impact: no -------------- next part -------------- A non-text attachment was scrubbed... Name: mod_admserv.diff Type: text/x-patch Size: 1092 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From nkinder at redhat.com Wed Aug 16 21:20:19 2006 
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 16 Aug 2006 14:20:19 -0700
Subject: [Fedora-directory-devel] Please Review: (202872) Allow the password modify extended op when using SASL privacy layer
Message-ID: <44E38C13.2030905@redhat.com>

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202872
Bug(s) fixed: 202872
Bug Description: The current behavior of the Directory Server is to only allow the password modify extended operation when the connection is using SSL or TLS. If you attempt to use a connection that is not using SSL or TLS, the server returns LDAP_CONFIDENTIALITY_REQUIRED. We should allow the password modify extended operation if the connection is using a SASL security layer that has privacy.
Reviewed by: ???
Files: See diffs
Branch: HEAD
Fix Description: I added a new internal function "int ids_sasl_privacy_enabled(Connection *conn)" that will check if a SASL security layer supporting privacy has been negotiated for a particular connection. This function uses the sasl_getprop() function to check the SSF (security strength factor) to see if privacy has been negotiated. This function allows us to have the password modify extop code check if privacy is enabled so it can allow the operation to be processed. The new server behavior is to allow the password modify extended operation if using SSL, TLS, or a SASL privacy layer. All other attempts will return LDAP_CONFIDENTIALITY_REQUIRED.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=134347

From nkinder at redhat.com Thu Aug 17 23:14:50 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 17 Aug 2006 16:14:50 -0700
Subject: [Fedora-directory-devel] Please Review: (203043) Password modify extended operation should return better errors
Message-ID: <44E4F86A.1030906@redhat.com>

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203043
Bug(s) fixed: 203043
Bug Description: When using the password modify extended operation, the password modify request is allowed to have all three of its fields (userIdentity, oldPassword, newPassword) empty. When this happens, our server returns LDAP_PROTOCOL_ERROR along with an error message of "ber_scanf failed".
Reviewed by: ???
Files: passwd_extop.c
Branch: HEAD
Fix Description: Even though all three of the password modify request fields are optional, our server requires a new password to be supplied since we don't support server-side password generation. Because of this, we can safely return an error message stating that the user must supply a new password.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=134417

From nkinder at redhat.com Fri Aug 18 21:49:14 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 18 Aug 2006 14:49:14 -0700
Subject: [Fedora-directory-devel] Please Review: (203043) Password modify extended operation should generate new passwords
Message-ID: <44E635DA.3080907@redhat.com>

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203043
Bug(s) fixed: 203043
Bug Description: When using the password modify extended operation, if a new password is not supplied, the server should generate a new random password and return it to the user in an extended response.
Reviewed by: ???
Files: passwd_extop.c
Branch: HEAD
Fix Description: If a user doesn't supply a new password in the password modify extop request, we will generate a random 8 character password, store it as the user's password, and return it to the user in the password modify extop response. I also removed a block of code that was setting the extop return OID in the pb to the password modify OID. RFC3062 explicitly states that the password modify response should have the responseName field absent.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=134486

From abartlet at samba.org Tue Aug 22 11:33:14 2006
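Added example, not code from passwd_extop.c or from the attachments referenced above: the pre-checks that the three password modify messages describe, written as stand-alone C. It gates on confidentiality (TLS, or a SASL layer whose SSF indicates encryption), decodes the RFC 3062 PasswdModifyRequestValue, and reports whether newPasswd was supplied. Assumptions: struct conn_sec, the pm_* names and the sample byte strings are constructed for this example; SSF follows the Cyrus SASL convention (0 none, 1 integrity only, above 1 encryption); a zero-length newPasswd is treated as absent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of the pre-checks (names are this example's, not the server's). */
enum pm_result {
    PM_CONFIDENTIALITY_REQUIRED, /* neither TLS nor a SASL encryption layer */
    PM_MALFORMED,                /* value is not a valid RFC 3062 request   */
    PM_USE_SUPPLIED,             /* newPasswd present: store that value     */
    PM_GENERATE                  /* newPasswd absent: server generates one  */
};

struct pm_field   { const uint8_t *p; size_t len; int present; };
struct pm_request { struct pm_field user, oldpw, newpw; };

/* Hypothetical per-connection summary. A real server would read sasl_ssf
 * with sasl_getprop(conn, SASL_SSF, ...). */
struct conn_sec { int tls; unsigned sasl_ssf; };

/* Constructed sample request values (BER), not captured traffic. */
static const uint8_t EMPTY_SEQ[]    = { 0x30, 0x00 };
static const uint8_t USER_NEW[]     = { 0x30, 0x0e, 0x80, 0x03, 'b', 'o', 'b',
                                        0x82, 0x07, 's', '3', 'c', 'r', 'e', 't', '!' };
static const uint8_t OUT_OF_ORDER[] = { 0x30, 0x06, 0x82, 0x01, 'x', 0x80, 0x01, 'y' };
static const uint8_t TRUNCATED[]    = { 0x30, 0x05, 0x82, 0x07, 's', '3', 'c' };

/* SSF 1 is integrity only: the password would still cross the wire in clear. */
static int privacy_enabled(const struct conn_sec *c)
{
    return c->tls || c->sasl_ssf > 1;
}

/* Read one definite BER length and check the content fits before 'end'. */
static int ber_len(const uint8_t **pp, const uint8_t *end, size_t *out)
{
    const uint8_t *p = *pp;
    size_t len, n;

    if (p >= end) return -1;
    len = *p++;
    if (len & 0x80) {                       /* long form: n length bytes follow */
        n = len & 0x7f;
        if (n == 0 || n > 4 || (size_t)(end - p) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len) return -1; /* content would run past the buffer */
    *pp = p;
    *out = len;
    return 0;
}

/* SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd }, all OPTIONAL. */
int pm_decode(const uint8_t *buf, size_t buflen, struct pm_request *req)
{
    const uint8_t *p = buf, *end = buf + buflen;
    size_t len;
    unsigned next = 0;                      /* lowest context tag still allowed */

    memset(req, 0, sizeof *req);
    if (buflen < 2 || *p++ != 0x30) return -1;
    if (ber_len(&p, end, &len) != 0 || (size_t)(end - p) != len) return -1;
    while (p < end) {                       /* an empty SEQUENCE is valid */
        uint8_t tag = *p++;
        unsigned num = tag & 0x1f;
        struct pm_field *f;

        if ((tag & 0xe0) != 0x80) return -1;   /* context-specific, primitive */
        if (num > 2 || num < next) return -1;  /* unknown, repeated, misordered */
        if (ber_len(&p, end, &len) != 0) return -1;
        f = num == 0 ? &req->user : num == 1 ? &req->oldpw : &req->newpw;
        f->p = p; f->len = len; f->present = 1;
        p += len;
        next = num + 1;
    }
    return 0;
}

enum pm_result pm_precheck(const struct conn_sec *c, const uint8_t *val,
                           size_t vlen, struct pm_request *req)
{
    if (!privacy_enabled(c)) return PM_CONFIDENTIALITY_REQUIRED;
    if (pm_decode(val, vlen, req) != 0) return PM_MALFORMED;
    if (!req->newpw.present || req->newpw.len == 0) return PM_GENERATE;
    return PM_USE_SUPPLIED;
}

int main(void)
{
    struct pm_request r;
    struct conn_sec integrity_only = { 0, 1 }, encrypted = { 0, 56 };

    printf("SSF 1, empty request:  %d\n",
           pm_precheck(&integrity_only, EMPTY_SEQ, sizeof EMPTY_SEQ, &r));
    printf("SSF 56, empty request: %d\n",
           pm_precheck(&encrypted, EMPTY_SEQ, sizeof EMPTY_SEQ, &r));
    printf("SSF 56, user + new:    %d\n",
           pm_precheck(&encrypted, USER_NEW, sizeof USER_NEW, &r));
    printf("SSF 56, truncated:     %d\n",
           pm_precheck(&encrypted, TRUNCATED, sizeof TRUNCATED, &r));
    return 0;
}
```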
From: abartlet at samba.org (Andrew Bartlett)
Date: Tue, 22 Aug 2006 21:33:14 +1000
Subject: [Fedora-directory-devel] Samba4 onto Fedora DS
Message-ID: <1156246394.30279.38.camel@localhost.localdomain>

Many moons ago (November last year), I raised the idea that Samba4 might some day back onto Fedora DS. In the past few months, things have moved on, and I've done some work to back Samba4 onto OpenLDAP (which now works for a simple demo). Now I'm trying the same trick with Fedora DS.

Now, I've managed to start the Fedora Directory server, and use the web (but not Java, for the J word is evil) interface. I'm happy with (and in fact prefer) command line management at this point.

However, I'm now trying to load a schema into Fedora DS. I'm using the same schema that I've used with OpenLDAP, run through the od-schema-migrate.pl script. (Actually, I can also create the file directly, but they are the same, except for the dividing lines).

Anyway, this is the error I get with the attached schema:

[abartlet at piglett source]$ sudo /opt/fedora-ds/slapd-piglett/start-slapd
Password:
[22/Aug/2006:21:03:47 +1000] dse - The entry cn=schema in file /opt/fedora-ds/slapd-piglett/config/schema/01samba4.ldif is invalid, error code 20 (Type or value exists) - attribute type streetAddress: Does not match the OID "1.2.840.113556.1.2.256". Another attribute type is already using the name or OID.
[22/Aug/2006:21:03:47 +1000] dse - Please edit the file to correct the reported problems and then restart the server.

I can find no other reference (in the schema ldif files) to streetAddress, or that OID. Is there a list of builtin OIDs that I need to avoid conflicts with? (I had this trouble with OpenLDAP).

Currently I'm adding the schema to the directory, but I expect I'll need to remove much of the Fedora DS schema. What is safe/unsafe to remove? Aside from things like the org chart not working, what else is likely to break?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
NAME 'mSMQDigests' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.966 NAME 'mSMQDigestsMig' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.1308 NAME 'mSMQInterval1' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1309 NAME 'mSMQInterval2' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.960 NAME 'mSMQNt4Stub' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) attributeTypes: ( 1.2.840.113556.1.4.947 NAME 'mSMQSignCertificates' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.967 NAME 'mSMQSignCertificatesMig' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.961 NAME 'mSMQSiteForeign' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) attributeTypes: ( 1.2.840.113556.1.4.953 NAME 'mSMQSiteID' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.71 NAME 'machineRole' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.653 NAME 'managedBy' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.654 NAME 'managedObjects' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1409 NAME 'masteredBy' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.74 NAME 'maxPwdAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 
1.2.840.113556.1.4.76 NAME 'maxStorage' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.25 NAME 'mayContain' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) attributeTypes: ( 2.5.4.31 NAME 'member' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.78 NAME 'minPwdAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.79 NAME 'minPwdLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.168 NAME 'modifiedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.81 NAME 'modifiedCountAtLastProm' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1305 NAME 'moveTreeState' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.2.24 NAME 'mustContain' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) attributeTypes: ( 1.2.840.113556.1.2.16 NAME 'nCName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.87 NAME 'nETBIOSName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.89 NAME 'nTGroupMembers' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.357 NAME 'nTMixedDomain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.281 NAME 'nTSecurityDescriptor' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.359 NAME 'netbootGUID' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 
SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.358 NAME 'netbootInitialization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.361 NAME 'netbootMachineFilePath' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1241 NAME 'netbootMirrorDataFile' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1240 NAME 'netbootSIFFile' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.2.459 NAME 'networkAddress' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) attributeTypes: ( 1.2.840.113556.1.4.88 NAME 'nextRid' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.530 NAME 'nonSecurityMember' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.531 NAME 'nonSecurityMemberBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.303 NAME 'notificationList' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.94 NAME 'ntPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.151 NAME 'oEMInformation' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.782 NAME 'objectCategory' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.370 NAME 'objectClassCategory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.2 NAME 'objectGUID' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.146 NAME 'objectSid' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.76 NAME 'objectVersion' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.363 NAME 'operatingSystem' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.415 NAME 'operatingSystemHotfix' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.365 NAME 'operatingSystemServicePack' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.364 NAME 'operatingSystemVersion' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.144 NAME 'operatorCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.307 NAME 'options' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 2.5.4.10 NAME 'o' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 2.5.4.11 NAME 'ou' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.91 NAME 'otherLoginWorkstations' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.651 NAME 'otherMailbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 
attributeTypes: ( 1.3.6.1.4.1.7165.4.1.8 NAME 'middleName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1359 NAME 'otherWellKnownObjects' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.663 NAME 'partialAttributeDeletionList' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.640 NAME 'partialAttributeSet' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.866 NAME 'pekKeyChangeInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.865 NAME 'pekList' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.615 NAME 'personalTitle' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.646 NAME 'otherFacsimileTelephoneNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.2.277 NAME 'otherHomePhone' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 0.9.2342.19200300.100.1.20 NAME 'homePhone' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.649 NAME 'primaryInternationalISDNNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.722 NAME 'otherIpPhone' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.721 NAME 'ipPhone' EQUALITY caseIgnoreMatch 
SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.647 NAME 'otherMobile' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 0.9.2342.19200300.100.1.41 NAME 'mobile' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.18 NAME 'otherTelephone' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.2.118 NAME 'otherPager' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 0.9.2342.19200300.100.1.42 NAME 'pager' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.514 NAME 'physicalLocationObject' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 2.16.840.1.113730.3.1.35 NAME 'thumbnailPhoto' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.633 NAME 'policyReplicationFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.8 NAME 'possSuperiors' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) attributeTypes: ( 1.2.840.113556.1.4.915 NAME 'possibleInferiors' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) attributeTypes: ( 2.5.4.18 NAME 'postOfficeBox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 2.5.4.16 NAME 'postalAddress' EQUALITY caseIgnoreMatch SUBSTR 
caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 2.5.4.17 NAME 'postalCode' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 2.5.4.28 NAME 'preferredDeliveryMethod' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) attributeTypes: ( 1.2.840.113556.1.4.97 NAME 'preferredOU' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.538 NAME 'prefixMap' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.98 NAME 'primaryGroupID' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1412 NAME 'primaryGroupToken' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.99 NAME 'priorSetTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.100 NAME 'priorValue' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.101 NAME 'privateKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.139 NAME 'profilePath' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1249 NAME 'proxiedObjectName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.210 NAME 'proxyAddresses' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.95 NAME 'pwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.96 NAME 'pwdLastSet' EQUALITY 
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.93 NAME 'pwdProperties' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1355 NAME 'queryFilter' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.608 NAME 'queryPolicyBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.607 NAME 'queryPolicyObject' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.26 NAME 'rDNAttID' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.370 NAME 'rIDAvailablePool' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.368 NAME 'rIDManagerReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.669 NAME 'rIDSetReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 2.5.4.26 NAME 'registeredAddress' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.3 NAME 'replPropertyMetaData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.677 NAME 'replTopologyStayOfExecution' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.4 NAME 'replUpToDateVector' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.109 NAME 'replicaSource' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.436 NAME 
'directReports' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.2.91 NAME 'repsFrom' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.2.83 NAME 'repsTo' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.673 NAME 'retiredReplDSASignatures' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.145 NAME 'revision' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.153 NAME 'rid' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.674 NAME 'rootTrust' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.302 NAME 'sAMAccountType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1304 NAME 'sDRightsEffective' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.609 NAME 'sIDHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.786 NAME 'mailAddress' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1347 NAME 'sPNMappings' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.120 NAME 'schemaFlagsEx' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.148 NAME 'schemaIDGUID' EQUALITY octetStringMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1358 NAME 'schemaInfo' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.481 NAME 'schemaUpdate' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.471 NAME 'schemaVersion' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) attributeTypes: ( 1.2.840.113556.1.4.1354 NAME 'scopeFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.62 NAME 'scriptPath' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 2.5.4.14 NAME 'searchGuide' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.121 NAME 'securityIdentifier' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: ( 1.2.840.113556.1.4.515 NAME 'serverReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.516 NAME 'serverReferenceBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.157 NAME 'serverRole' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.154 NAME 'serverState' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.771 NAME 'servicePrincipalName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.615 NAME 'shellContextMenu' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 
attributeTypes: ( 1.2.840.113556.1.4.563 NAME 'shellPropertyPages' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.644 NAME 'showInAddressBook' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.2.169 NAME 'showInAdvancedViewOnly' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.362 NAME 'siteGUID' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.512 NAME 'siteObject' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.513 NAME 'siteObjectBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 2.5.4.8 NAME 'st' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 2.5.4.9 NAME 'street' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.21 NAME 'subClassOf' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.7 NAME 'subRefs' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.532 NAME 'superiorDNSRoot' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.125 NAME 'supplementalCredentials' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 2.5.4.4 NAME 'sn' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.198 NAME 'systemAuxiliaryClass' EQUALITY objectIdentifierMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.38 ) attributeTypes: ( 1.2.840.113556.1.4.375 NAME 'systemFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.196 NAME 'systemMayContain' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) attributeTypes: ( 1.2.840.113556.1.4.197 NAME 'systemMustContain' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) attributeTypes: ( 1.2.840.113556.1.4.170 NAME 'systemOnly' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.195 NAME 'systemPossSuperiors' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) attributeTypes: ( 2.5.4.20 NAME 'telephoneNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 2.5.4.22 NAME 'teletexTerminalIdentifier' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 2.5.4.21 NAME 'telexNumber' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.648 NAME 'primaryTelexNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.885 NAME 'terminalServer' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.131 NAME 'co' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 2.5.4.12 NAME 'title' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1301 NAME 'tokenGroups' EQUALITY 
octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.1418 NAME 'tokenGroupsGlobalAndUniversal' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.1303 NAME 'tokenGroupsNoGCAcceptable' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.2.54 NAME 'tombstoneLifetime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.806 NAME 'treatAsLeaf' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.660 NAME 'treeName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.471 NAME 'trustParent' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.155 NAME 'uASCompat' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.890 NAME 'uPNSuffixes' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.2.120 NAME 'uSNChanged' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.19 NAME 'uSNCreated' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.267 NAME 'uSNDSALastObjRemoved' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.469 NAME 'USNIntersite' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.121 NAME 'uSNLastObjRem' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.896 NAME 'uSNSource' EQUALITY integerMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.90 NAME 'unicodePwd' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.8 NAME 'userAccountControl' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.645 NAME 'userCert' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.156 NAME 'comment' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.138 NAME 'userParameters' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 2.16.840.1.113730.3.140 NAME 'userSMIMECertificate' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.751 NAME 'userSharedFolder' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.752 NAME 'userSharedFolderOther' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.86 NAME 'userWorkstations' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.507 NAME 'volumeCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.464 NAME 'wWWHomePage' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.749 NAME 'url' EQUALITY 
caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.301 NAME 'wbemPath' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.618 NAME 'wellKnownObjects' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.2.3 NAME 'whenChanged' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.2 NAME 'whenCreated' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) attributeTypes: ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 ) attributeTypes: ( 2.5.4.36 NAME 'userCertificate' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 2.5.4.58 NAME 'attributeCertificateAttribute' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 0.9.2342.19200300.100.1.55 NAME 'audio' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 2.16.840.1.113730.3.1.1 NAME 'carLicense' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.1424 NAME 'msCOM-PartitionSetLink' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1425 NAME 'msCOM-UserLink' EQUALITY 
distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1426 NAME 'msCOM-UserPartitionSetLink' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1717 NAME 'msDS-AdditionalDnsHostName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1718 NAME 'msDS-AdditionalSamAccountName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1710 NAME 'msDS-AllowedDNSSuffixes' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1787 NAME 'msDS-AllowedToDelegateTo' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1669 NAME 'msDS-Approx-Immed-Subordinates' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1819 NAME 'msDS-AzApplicationData' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1798 NAME 'msDS-AzApplicationName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1817 NAME 'msDS-AzApplicationVersion' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1816 NAME 'msDS-AzClassId' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1795 NAME 'msDS-AzDomainTimeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1805 NAME 
'msDS-AzGenerateAudits' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1792 NAME 'msDS-AzLDAPQuery' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1824 NAME 'msDS-AzMajorVersion' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1825 NAME 'msDS-AzMinorVersion' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1799 NAME 'msDS-AzScopeName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1796 NAME 'msDS-AzScriptEngineCacheMax' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1797 NAME 'msDS-AzScriptTimeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1459 NAME 'msDS-Behavior-Version' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1441 NAME 'msDS-Cached-Membership' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1442 NAME 'msDS-Cached-Membership-Time-Stamp' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1719 NAME 'msDS-DnsRootAlias' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1783 NAME 'msDS-ExecuteScriptPassword' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1820 NAME 'msDS-HasDomainNCs' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1709 NAME 
'msDS-HasInstantiatedNCs' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1836 NAME 'msDS-hasMasterNCs' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1716 NAME 'msDS-IntId' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1782 NAME 'msDS-KeyVersionNumber' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1784 NAME 'msDS-LogonTimeSyncInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1837 NAME 'msDs-masteredBy' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1807 NAME 'msDS-MembersForAzRoleBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1704 NAME 'msDS-NCReplCursors' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1705 NAME 'msDS-NCReplInboundNeighbors' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1706 NAME 'msDS-NCReplOutboundNeighbors' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1661 NAME 'msDS-NC-Replica-Locations' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1793 NAME 'msDS-NonMembers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1794 NAME 'msDS-NonMembersBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1840 NAME 'msDS-ObjectReference' EQUALITY distinguishedNameMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1841 NAME 'msDS-ObjectReferenceBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1813 NAME 'msDS-OperationsForAzRoleBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1809 NAME 'msDS-OperationsForAzTaskBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1621 NAME 'msDS-Other-Settings' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1707 NAME 'msDS-ReplAttributeMetaData' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1708 NAME 'msDS-ReplValueMetaData' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1663 NAME 'msDS-Replication-Notify-First-DSA-Delay' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1664 NAME 'msDS-Replication-Notify-Subsequent-DSA-Delay' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1720 NAME 'msDS-ReplicationEpoch' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1826 NAME 'msDS-RetiredReplNCSignatures' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1711 NAME 'msDS-SDReferenceDomain' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1715 NAME 'msDS-SPNSuffixes' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1697 NAME 'msDS-Settings' EQUALITY 
caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.4.1443 NAME 'msDS-Site-Affinity' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.2.840.113556.1.4.1815 NAME 'msDS-TasksForAzRoleBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1811 NAME 'msDS-TasksForAzTaskBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1721 NAME 'msDS-UpdateScript' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1460 NAME 'msDS-User-Account-Control-Computed' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.444 NAME 'msExchAssistantName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.596 NAME 'msExchHouseIdentifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.2.593 NAME 'msExchLabeledURI' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 1.2.840.113556.1.2.104 NAME 'ownerBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.2.840.113556.1.4.1786 NAME 'msIIS-FTPDir' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1785 NAME 'msIIS-FTPRoot' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1440 NAME 'msDs-Schema-Extensions' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 
1.2.840.113556.1.4.1119 NAME 'msNPAllowDialin' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1124 NAME 'msNPCallingStationID' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: ( 1.2.840.113556.1.4.1130 NAME 'msNPSavedCallingStationID' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: ( 1.2.840.113556.1.4.1145 NAME 'msRADIUSCallbackNumber' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1153 NAME 'msRADIUSFramedIPAddress' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1158 NAME 'msRADIUSFramedRoute' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: ( 1.2.840.113556.1.4.1171 NAME 'msRADIUSServiceType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1189 NAME 'msRASSavedCallbackNumber' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1190 NAME 'msRASSavedFramedIPAddress' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 1.2.840.113556.1.4.1191 NAME 'msRASSavedFramedRoute' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: ( 1.2.840.113556.1.4.864 NAME 'netbootSCPBL' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 0.9.2342.19200300.100.1.7 NAME 'photo' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributeTypes: ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 0.9.2342.19200300.100.1.21 NAME 'secretary' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) attributeTypes: ( 1.3.6.1.4.1.7165.4.1.9 NAME 'unixName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE ) attributeTypes: ( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 2.5.4.45 NAME 'x500uniqueIdentifier' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.3.6.1.4.1.7165.4.1.6 NAME 'dnsDomain' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) attributeTypes: ( 1.3.6.1.4.1.5322.10.1.10 NAME 'krb5Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.3.6.1.4.1.7165.4.1.2 NAME 'lmpwdhash' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.3.6.1.4.1.7165.4.1.1 NAME 'ntpwdhash' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.3.6.1.4.1.7165.4.1.7 NAME 'privilege' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) attributeTypes: ( 1.3.6.1.4.1.7165.4.1.4 NAME 'sambaLmPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 1.3.6.1.4.1.7165.4.1.3 NAME 'sambaNtPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) attributeTypes: ( 1.3.6.1.4.1.7165.4.1.5 NAME 'sambaPassword' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) objectClasses: ( 1.2.840.113556.1.5.7000.49 NAME 'applicationSettings' SUP top ABSTRACT MAY ( notificationList $ msDS-Settings $ applicationName ) ) objectClasses: ( 1.2.840.113556.1.5.7000.47 NAME 'nTDSDSA' SUP applicationSettings STRUCTURAL MAY ( serverReference $ msDS-RetiredReplNCSignatures $ 
retiredReplDSASignatures $ queryPolicyObject $ options $ networkAddress $ msDS-ReplicationEpoch $ msDS-HasInstantiatedNCs $ msDS-hasMasterNCs $ msDS-HasDomainNCs $ msDS-Behavior-Version $ managedBy $ lastBackupRestorationTime $ invocationId $ hasPartialReplicaNCs $ hasMasterNCs $ fRSRootPath $ dMDLocation ) ) objectClasses: ( 1.2.840.113556.1.5.4 NAME 'builtinDomain' SUP top STRUCTURAL ) objectClasses: ( 1.2.840.113556.1.3.13 NAME 'classSchema' SUP top STRUCTURAL MUST ( subClassOf $ schemaIDGUID $ objectClassCategory $ governsID $ defaultObjectCategory $ cn ) MAY ( systemPossSuperiors $ systemOnly $ systemMustContain $ systemMayContain $ systemAuxiliaryClass $ schemaFlagsEx $ rDNAttID $ possSuperiors $ mustContain $ msDs-Schema-Extensions $ msDS-IntId $ mayContain $ lDAPDisplayName $ isDefunct $ defaultSecurityDescriptor $ defaultHidingValue $ classDisplayName $ auxiliaryClass ) ) objectClasses: ( 1.2.840.113556.1.5.12 NAME 'configuration' SUP top STRUCTURAL MUST ( cn ) MAY ( gPOptions $ gPLink ) ) objectClasses: ( 1.2.840.113556.1.3.23 NAME 'container' SUP top STRUCTURAL MUST ( cn ) MAY ( msDS-ObjectReference $ schemaVersion $ defaultClassStore ) ) objectClasses: ( 2.5.6.2 NAME 'country' SUP top MUST ( c ) MAY ( co $ searchGuide ) ) objectClasses: ( 1.2.840.113556.1.3.11 NAME 'crossRef' SUP top STRUCTURAL MUST ( nCName $ dnsRoot $ cn ) MAY ( trustParent $ superiorDNSRoot $ rootTrust $ nTMixedDomain $ nETBIOSName $ Enabled $ msDS-SDReferenceDomain $ msDS-Replication-Notify-Subsequent-DSA-Delay $ msDS-Replication-Notify-First-DSA-Delay $ msDS-NC-Replica-Locations $ msDS-DnsRootAlias $ msDS-Behavior-Version ) ) objectClasses: ( 1.2.840.113556.1.5.7000.53 NAME 'crossRefContainer' SUP top STRUCTURAL MAY ( msDS-SPNSuffixes $ uPNSuffixes $ msDS-UpdateScript $ msDS-ExecuteScriptPassword $ msDS-Behavior-Version ) ) objectClasses: ( 1.2.840.113556.1.3.9 NAME 'dMD' SUP top STRUCTURAL MUST ( cn ) MAY ( schemaUpdate $ schemaInfo $ prefixMap $ msDs-Schema-Extensions $ 
msDS-IntId $ dmdName ) ) objectClasses: ( 1.2.840.113556.1.5.84 NAME 'displaySpecifier' SUP top STRUCTURAL MAY ( treatAsLeaf $ shellPropertyPages $ shellContextMenu $ scopeFlags $ queryFilter $ iconPath $ extraColumns $ creationWizard $ createWizardExt $ createDialog $ contextMenu $ classDisplayName $ attributeDisplayNames $ adminPropertyPages $ adminMultiselectPropertyPages $ adminContextMenu ) ) objectClasses: ( 1.2.840.113556.1.5.66 NAME 'domain' SUP top ABSTRACT MUST ( dc ) ) objectClasses: ( 1.2.840.113556.1.5.67 NAME 'domainDNS' SUP domain STRUCTURAL MAY ( msDS-Behavior-Version $ msDS-AllowedDNSSuffixes $ managedBy ) ) objectClasses: ( 1.2.840.113556.1.5.76 NAME 'foreignSecurityPrincipal' SUP top STRUCTURAL MUST ( objectSid ) MAY ( foreignIdentifier ) ) objectClasses: ( 1.2.840.113556.1.5.8 NAME 'group' SUP top STRUCTURAL MUST ( groupType ) MAY ( primaryGroupToken $ operatorCount $ nTGroupMembers $ nonSecurityMember $ msDS-NonMembers $ msDS-AzLDAPQuery $ member $ managedBy $ groupMembershipSAM $ groupAttributes $ mail $ desktopProfile $ controlAccessRights $ adminCount ) ) objectClasses: ( 1.2.840.113556.1.5.175 NAME 'infrastructureUpdate' SUP top STRUCTURAL MAY ( dNReferenceUpdate ) ) objectClasses: ( 1.2.840.113556.1.5.20 NAME 'leaf' SUP top ABSTRACT ) objectClasses: ( 1.2.840.113556.1.5.28 NAME 'secret' SUP leaf STRUCTURAL MAY ( priorValue $ priorSetTime $ lastSetTime $ currentValue ) ) objectClasses: ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL MUST ( l ) MAY ( street $ st $ seeAlso $ searchGuide ) ) objectClasses: ( 1.2.840.113556.1.5.139 NAME 'lostAndFound' SUP top STRUCTURAL MAY ( moveTreeState ) ) objectClasses: ( 1.2.840.113556.1.3.46 NAME 'mailRecipient' SUP top AUXILIARY MUST ( cn ) MAY ( userSMIMECertificate $ secretary $ msExchLabeledURI $ msExchAssistantName $ labeledURI $ userCertificate $ userCert $ textEncodedORAddress $ telephoneNumber $ showInAddressBook $ legacyExchangeDN $ garbageCollPeriod $ info ) ) objectClasses: ( 
1.2.840.113556.1.5.72 NAME 'nTDSService' SUP top STRUCTURAL MAY ( tombstoneLifetime $ sPNMappings $ replTopologyStayOfExecution $ msDS-Other-Settings $ garbageCollPeriod $ dSHeuristics ) ) objectClasses: ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST ( o ) MAY ( x121Address $ userPassword $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ street $ st $ seeAlso $ searchGuide $ registeredAddress $ preferredDeliveryMethod $ postalCode $ postalAddress $ postOfficeBox $ physicalDeliveryOfficeName $ l $ internationalISDNNumber $ facsimileTelephoneNumber $ destinationIndicator $ businessCategory ) ) objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ( ou ) MAY ( x121Address $ userPassword $ uPNSuffixes $ co $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ street $ st $ seeAlso $ searchGuide $ registeredAddress $ preferredDeliveryMethod $ postalCode $ postalAddress $ postOfficeBox $ physicalDeliveryOfficeName $ msCOM-UserPartitionSetLink $ managedBy $ thumbnailLogo $ l $ internationalISDNNumber $ gPOptions $ gPLink $ facsimileTelephoneNumber $ destinationIndicator $ desktopProfile $ defaultGroup $ countryCode $ c $ businessCategory ) ) objectClasses: ( 2.5.6.6 NAME 'person' SUP top MUST ( cn ) MAY ( attributeCertificateAttribute $ userPassword $ telephoneNumber $ sn $ serialNumber $ seeAlso ) ) objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person MAY ( houseIdentifier $ msExchHouseIdentifier $ homePostalAddress $ x121Address $ comment $ title $ co $ primaryTelexNumber $ telexNumber $ teletexTerminalIdentifier $ street $ st $ registeredAddress $ preferredDeliveryMethod $ postalCode $ postalAddress $ postOfficeBox $ thumbnailPhoto $ physicalDeliveryOfficeName $ pager $ otherPager $ otherTelephone $ mobile $ otherMobile $ primaryInternationalISDNNumber $ ipPhone $ otherIpPhone $ otherHomePhone $ homePhone $ otherFacsimileTelephoneNumber $ personalTitle $ middleName $ otherMailbox $ ou $ o $ mhsORAddress $ 
msDS-AllowedToDelegateTo $ manager $ thumbnailLogo $ l $ internationalISDNNumber $ initials $ givenName $ generationQualifier $ facsimileTelephoneNumber $ employeeID $ mail $ division $ destinationIndicator $ department $ c $ countryCode $ company $ assistant $ streetAddress ) ) objectClasses: ( 1.2.840.113556.1.5.9 NAME 'user' SUP organizationalPerson STRUCTURAL MAY ( x500uniqueIdentifier $ userSMIMECertificate $ userPKCS12 $ uid $ secretary $ roomNumber $ preferredLanguage $ photo $ labeledURI $ jpegPhoto $ homePostalAddress $ givenName $ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $ audio $ pager $ o $ mobile $ manager $ mail $ initials $ homePhone $ businessCategory $ userCertificate $ userWorkstations $ userSharedFolderOther $ userSharedFolder $ userPrincipalName $ userParameters $ userAccountControl $ unicodePwd $ terminalServer $ servicePrincipalName $ scriptPath $ pwdLastSet $ profilePath $ primaryGroupID $ preferredOU $ otherLoginWorkstations $ operatorCount $ ntPwdHistory $ networkAddress $ msRASSavedFramedRoute $ msRASSavedFramedIPAddress $ msRASSavedCallbackNumber $ msRADIUSServiceType $ msRADIUSFramedRoute $ msRADIUSFramedIPAddress $ msRADIUSCallbackNumber $ msNPSavedCallingStationID $ msNPCallingStationID $ msNPAllowDialin $ mSMQSignCertificatesMig $ mSMQSignCertificates $ mSMQDigestsMig $ mSMQDigests $ msIIS-FTPRoot $ msIIS-FTPDir $ msDS-User-Account-Control-Computed $ msDS-Site-Affinity $ mS-DS-CreatorSID $ msDS-Cached-Membership-Time-Stamp $ msDS-Cached-Membership $ msDRM-IdentityCertificate $ msCOM-UserPartitionSetLink $ maxStorage $ logonWorkstation $ logonHours $ logonCount $ lockoutTime $ localeID $ lmPwdHistory $ lastLogonTimestamp $ lastLogon $ lastLogoff $ homeDrive $ homeDirectory $ groupsToIgnore $ groupPriority $ groupMembershipSAM $ dynamicLDAPServer $ desktopProfile $ defaultClassStore $ dBCSPwd $ controlAccessRights $ codePage $ badPwdCount $ badPasswordTime $ adminCount $ aCSPolicyName $ accountExpires 
) ) objectClasses: ( 1.2.840.113556.1.3.30 NAME 'computer' SUP user STRUCTURAL MAY ( volumeCount $ siteGUID $ rIDSetReferences $ policyReplicationFlags $ physicalLocationObject $ operatingSystemVersion $ operatingSystemServicePack $ operatingSystemHotfix $ operatingSystem $ networkAddress $ netbootSIFFile $ netbootMirrorDataFile $ netbootMachineFilePath $ netbootInitialization $ netbootGUID $ msDS-AdditionalSamAccountName $ msDS-AdditionalDnsHostName $ managedBy $ machineRole $ location $ localPolicyFlags $ dNSHostName $ defaultLocalPolicyObject $ cn $ catalogs ) ) objectClasses: ( 1.2.840.113556.1.5.83 NAME 'rIDManager' SUP top STRUCTURAL MUST ( rIDAvailablePool ) ) objectClasses: ( 1.2.840.113556.1.5.3 NAME 'samDomain' SUP top AUXILIARY MAY ( treeName $ rIDManagerReference $ replicaSource $ pwdProperties $ pwdHistoryLength $ privateKey $ pekList $ pekKeyChangeInterval $ nTMixedDomain $ nextRid $ nETBIOSName $ msDS-PerUserTrustTombstonesQuota $ msDS-PerUserTrustQuota $ ms-DS-MachineAccountQuota $ msDS-LogonTimeSyncInterval $ msDS-AllUsersTrustQuota $ modifiedCountAtLastProm $ minPwdLength $ minPwdAge $ maxPwdAge $ lSAModifiedCount $ lSACreationTime $ lockoutThreshold $ lockoutDuration $ lockOutObservationWindow $ gPOptions $ gPLink $ eFSPolicy $ domainPolicyObject $ desktopProfile $ description $ defaultLocalPolicyObject $ creationTime $ controlAccessRights $ cACertificate $ builtinModifiedCount $ builtinCreationTime $ auditingPolicy ) ) objectClasses: ( 1.2.840.113556.1.5.2 NAME 'samDomainBase' SUP top AUXILIARY MAY ( uASCompat $ serverState $ serverRole $ revision $ pwdProperties $ pwdHistoryLength $ oEMInformation $ objectSid $ nTSecurityDescriptor $ nextRid $ modifiedCountAtLastProm $ modifiedCount $ minPwdLength $ minPwdAge $ maxPwdAge $ lockoutThreshold $ lockoutDuration $ lockOutObservationWindow $ forceLogoff $ domainReplica $ creationTime ) ) objectClasses: ( 1.2.840.113556.1.5.6 NAME 'securityPrincipal' SUP top AUXILIARY MUST ( sAMAccountName $ objectSid 
) MAY ( supplementalCredentials $ sIDHistory $ securityIdentifier $ sAMAccountType $ rid $ tokenGroupsNoGCAcceptable $ tokenGroupsGlobalAndUniversal $ tokenGroups $ nTSecurityDescriptor $ msDS-KeyVersionNumber $ altSecurityIdentities $ accountNameHistory ) ) objectClasses: ( 1.2.840.113556.1.5.17 NAME 'server' SUP top STRUCTURAL MAY ( mailAddress $ serverReference $ serialNumber $ managedBy $ dNSHostName $ bridgeheadTransportList ) ) objectClasses: ( 1.2.840.113556.1.5.7000.48 NAME 'serversContainer' SUP top STRUCTURAL ) objectClasses: ( 1.2.840.113556.1.5.31 NAME 'site' SUP top STRUCTURAL MAY ( notificationList $ mSMQSiteID $ mSMQSiteForeign $ mSMQNt4Stub $ mSMQInterval2 $ mSMQInterval1 $ managedBy $ location $ gPOptions $ gPLink ) ) objectClasses: ( 1.2.840.113556.1.5.107 NAME 'sitesContainer' SUP top STRUCTURAL ) objectClasses: ( 1.2.840.113556.1.5.96 NAME 'subnet' SUP top STRUCTURAL MAY ( siteObject $ physicalLocationObject $ location ) ) objectClasses: ( 1.2.840.113556.1.5.95 NAME 'subnetContainer' SUP top STRUCTURAL ) objectClasses: ( 1.2.840.113556.1.5.234 NAME 'msDS-AzAdminManager' SUP top STRUCTURAL MAY ( msDS-AzMinorVersion $ msDS-AzMajorVersion $ msDS-AzApplicationData $ msDS-AzGenerateAudits $ msDS-AzScriptTimeout $ msDS-AzScriptEngineCacheMax $ msDS-AzDomainTimeout $ description ) ) objectClasses: ( 1.2.840.113556.1.5.235 NAME 'msDS-AzApplication' SUP top STRUCTURAL MAY ( msDS-AzApplicationData $ msDS-AzGenerateAudits $ msDS-AzApplicationVersion $ msDS-AzClassId $ msDS-AzApplicationName $ description ) ) objectClasses: ( 1.2.840.113556.1.5.237 NAME 'msDS-AzScope' SUP top STRUCTURAL MUST ( msDS-AzScopeName ) MAY ( msDS-AzApplicationData $ description ) ) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From koippa at gmail.com Tue Aug 22 14:53:19 2006 
From: koippa at gmail.com (Kimmo Koivisto)
Date: Tue, 22 Aug 2006 17:53:19 +0300
Subject: [Fedora-directory-devel] Samba4 onto Fedora DS
In-Reply-To: <1156246394.30279.38.camel@localhost.localdomain>
References: <1156246394.30279.38.camel@localhost.localdomain>
Message-ID: <200608221753.19769.koippa@gmail.com>

Andrew Bartlett wrote:
[snip]
> Anyway, this is the error I get with the attached schema:
>
> [abartlet at piglett source]$ sudo /opt/fedora-ds/slapd-piglett/start-slapd
> Password:
> [22/Aug/2006:21:03:47 +1000] dse - The entry cn=schema in
> file /opt/fedora-ds/slapd-piglett/config/schema/01samba4.ldif is
> invalid, error code 20 (Type or value exists) - attribute type
> streetAddress: Does not match the OID "1.2.840.113556.1.2.256". Another
> attribute type is already using the name or OID.
> [22/Aug/2006:21:03:47 +1000] dse - Please edit the file to correct the
> reported problems and then restart the server.
>
> I can find no other reference (in the schema ldif files) to
> streetAddress, or that OID.
>

See 00core.ldif:
attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard
LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC
2256' )

Maybe this is what you want to remove?

Best Regards
Kimmo Koivisto

From prowley at redhat.com Tue Aug 22 17:03:15 2006
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 22 Aug 2006 10:03:15 -0700
Subject: [Fedora-directory-devel] Samba4 onto Fedora DS
In-Reply-To: <200608221753.19769.koippa@gmail.com>
References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com>
Message-ID: <44EB38D3.1000405@redhat.com>

Kimmo Koivisto wrote:

>Andrew Bartlett wrote:
>[snip]
>
>>Anyway, this is the error I get with the attached schema:
>>
>>[abartlet at piglett source]$ sudo /opt/fedora-ds/slapd-piglett/start-slapd
>>Password:
>>[22/Aug/2006:21:03:47 +1000] dse - The entry cn=schema in
>>file /opt/fedora-ds/slapd-piglett/config/schema/01samba4.ldif is
>>invalid, error code 20 (Type or value exists) - attribute type
>>streetAddress: Does not match the OID "1.2.840.113556.1.2.256". Another
>>attribute type is already using the name or OID.
>>[22/Aug/2006:21:03:47 +1000] dse - Please edit the file to correct the
>>reported problems and then restart the server.
>>
>>I can find no other reference (in the schema ldif files) to
>>streetAddress, or that OID.
>>
>See 00core.ldif:
>attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard
>LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC
>2256' )
>
>Maybe this is what you want to remove?
>
It would be bad form to remove a standard attribute and replace it with
one of the same name but different OID. It would be better to use the
standard attribute.

--
Pete

From abartlet at samba.org Tue Aug 22 21:13:17 2006
From: abartlet at samba.org (Andrew Bartlett)
Date: Wed, 23 Aug 2006 07:13:17 +1000
Subject: [Fedora-directory-devel] Samba4 onto Fedora DS
In-Reply-To: <200608221753.19769.koippa@gmail.com>
References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com>
Message-ID: <1156281198.30279.40.camel@localhost.localdomain>

On Tue, 2006-08-22 at 17:53 +0300, Kimmo Koivisto wrote:
> Andrew Bartlett wrote:
> [snip]
> > Anyway, this is the error I get with the attached schema:
> >
> > [abartlet at piglett source]$ sudo /opt/fedora-ds/slapd-piglett/start-slapd
> > Password:
> > [22/Aug/2006:21:03:47 +1000] dse - The entry cn=schema in
> > file /opt/fedora-ds/slapd-piglett/config/schema/01samba4.ldif is
> > invalid, error code 20 (Type or value exists) - attribute type
> > streetAddress: Does not match the OID "1.2.840.113556.1.2.256". Another
> > attribute type is already using the name or OID.
> > [22/Aug/2006:21:03:47 +1000] dse - Please edit the file to correct the
> > reported problems and then restart the server.
> >
> > I can find no other reference (in the schema ldif files) to
> > streetAddress, or that OID.
> >
> See 00core.ldif:
> attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard
> LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC
> 2256' )
>
> Maybe this is what you want to remove?

Thanks. That will teach me to use case-sensitive grep...

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

From abartlet at samba.org Tue Aug 22 21:38:41 2006
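The name collision diagnosed in the messages above can be caught before the server is started by comparing schema names case-insensitively across files, which is exactly what a case-sensitive grep misses. This is an added example, not code from the thread or from Fedora DS; the function names and the sample file contents (including the shape of the `01samba4.ldif` definitions) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, namedtuple

Definition = namedtuple("Definition", "kind oid names filename")

# Constructed sample input, not the real files. The 00core.ldif entry is the one
# quoted in the thread; the 01samba4.ldif entries are assumed shapes that reuse
# OIDs and names that appear on the page.
SAMPLE_FILES = {
    "00core.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard\n"
        "  LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC\n"
        "  2256' )\n"
    ),
    "01samba4.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 1.2.840.113556.1.4.301 NAME 'wbemPath' EQUALITY "
        "caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
        "attributeTypes: ( 1.2.840.113556.1.2.256 NAME 'streetAddress' EQUALITY "
        "caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
    ),
}

# Matches "attributeTypes: ( <oid> NAME 'x'" and "... NAME ( 'x' 'y' )".
DEF_RE = re.compile(
    r"^(attributeTypes|objectClasses):\s*\(\s*([0-9.]+)\s+NAME\s+"
    r"(\([^)]*\)|'[^']*')",
    re.IGNORECASE,
)
QUOTED_RE = re.compile(r"'([^']+)'")


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line, with that single space removed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_definitions(filename, text):
    """Yield one Definition per attributeTypes/objectClasses value."""
    for line in unfold(text):
        match = DEF_RE.match(line)
        if match:
            kind, oid, names = match.groups()
            yield Definition(kind.lower(), oid,
                             tuple(QUOTED_RE.findall(names)), filename)


def find_conflicts(files):
    """Report names bound to more than one OID (compared case-insensitively,
    as LDAP does) and OIDs that are defined more than once."""
    by_name = defaultdict(list)   # (kind, lowercased name) -> definitions
    by_oid = defaultdict(list)    # oid -> definitions
    for filename, text in files.items():
        for definition in parse_definitions(filename, text):
            by_oid[definition.oid].append(definition)
            for name in definition.names:
                by_name[(definition.kind, name.lower())].append(definition)

    conflicts = []
    for (_kind, name), defs in sorted(by_name.items()):
        oids = sorted({d.oid for d in defs})
        if len(oids) > 1:
            conflicts.append(("name", name, oids,
                              sorted({d.filename for d in defs})))
    for oid, defs in sorted(by_oid.items()):
        if len(defs) > 1:
            conflicts.append(("oid", oid,
                              sorted(n for d in defs for n in d.names),
                              sorted({d.filename for d in defs})))
    return conflicts


if __name__ == "__main__":
    for kind, key, details, where in find_conflicts(SAMPLE_FILES):
        print(f"{kind} conflict on {key}: {details} in {where}")
```

Run against a real instance by reading every file in the server's schema directory into the `files` mapping instead of `SAMPLE_FILES`.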
From: abartlet at samba.org (Andrew Bartlett)
Date: Wed, 23 Aug 2006 07:38:41 +1000
Subject: [Fedora-directory-devel] Samba4 onto Fedora DS
In-Reply-To: <44EB38D3.1000405@redhat.com>
References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com>
Message-ID: <1156282721.30279.56.camel@localhost.localdomain>

On Tue, 2006-08-22 at 10:03 -0700, Pete Rowley wrote:
> Kimmo Koivisto wrote:
>
> >Andrew Bartlett wrote:
> >[snip]
> >
> >>Anyway, this is the error I get with the attached schema:
> >>
> >>[abartlet at piglett source]$ sudo /opt/fedora-ds/slapd-piglett/start-slapd
> >>Password:
> >>[22/Aug/2006:21:03:47 +1000] dse - The entry cn=schema in
> >>file /opt/fedora-ds/slapd-piglett/config/schema/01samba4.ldif is
> >>invalid, error code 20 (Type or value exists) - attribute type
> >>streetAddress: Does not match the OID "1.2.840.113556.1.2.256". Another
> >>attribute type is already using the name or OID.
> >>[22/Aug/2006:21:03:47 +1000] dse - Please edit the file to correct the
> >>reported problems and then restart the server.
> >>
> >>I can find no other reference (in the schema ldif files) to
> >>streetAddress, or that OID.
> >>
> >See 00core.ldif:
> >attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard
> >LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC
> >2256' )
> >
> >Maybe this is what you want to remove?
> >
> It would be bad form to remove a standard attribute and replace it with
> one of the same name but different OID. It would be better to use the
> standard attribute.

What would go wrong if I did that?

When I started with OpenLDAP, I initially tried to load standard schema,
then Microsoft's modifications, but very quickly got into a mess:
Because I wanted a reproducible solution, I didn't want to edit these
schema files, but they declared objectClasses that I had to override.

So I ended up just using the converted AD schema.

Would it be possible to split the 00core.ldif into 'attributes required
for the operation of the directory' and 'core ldap standards'? What
will happen if I fail to load the 'attributes required for operation of
the directory'?

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

From rmeggins at redhat.com Tue Aug 22 22:06:39 2006
From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 22 Aug 2006 16:06:39 -0600 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <1156282721.30279.56.camel@localhost.localdomain> References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com> <1156282721.30279.56.camel@localhost.localdomain> Message-ID: <44EB7FEF.7000502@redhat.com> Andrew Bartlett wrote: > On Tue, 2006-08-22 at 10:03 -0700, Pete Rowley wrote: > >> Kimmo Koivisto wrote: >> >> >>> Andrew Bartlett wrote: >>> [snip] >>> >>> >>> >>>> Anyway, this is the error I get with the attached schema: >>>> >>>> [abartlet at piglett source]$ sudo /opt/fedora-ds/slapd-piglett/start-slapd >>>> Password: >>>> [22/Aug/2006:21:03:47 +1000] dse - The entry cn=schema in >>>> file /opt/fedora-ds/slapd-piglett/config/schema/01samba4.ldif is >>>> invalid, error code 20 (Type or value exists) - attribute type >>>> streetAddress: Does not match the OID "1.2.840.113556.1.2.256". Another >>>> attribute type is already using the name or OID. >>>> [22/Aug/2006:21:03:47 +1000] dse - Please edit the file to correct the >>>> reported problems and then restart the server. >>>> >>>> I can find no other reference (in the schema ldif files) to >>>> streetAddress, or that OID. >>>> >>>> >>>> >>>> >>> See 00core.ldif: >>> attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard >>> LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC >>> 2256' ) >>> >>> Maybe this is what you wan't to remove? >>> >>> >>> >> It would be bad form to remove a standard attribute and replace it with >> one of the same name but different OID. It would be better to use the >> standard attribute. >> > > What would go wrong if I did that? > The server might not start, apps might break. 
> When I started with OpenLDAP, I initially tried to load standard schema, > then Microsoft's modifications, but very quickly got into a mess: > Because I wanted a reproducible solution, I didn't want to edit these > schema files, but they declared objectClasses that I had to override. > > So I ended up just using the converted AD schema. > > Would it be possible to split the 00core.ldif into 'attributes required > for the operation of the directory' and 'core ldap standards'? Yes. Something like internally used attributes vs. externally used attributes? > What > will happen if I fail to load the 'attributes required for operation of > the directory'? > Things may break. It's hard to tell without specific attributes or objectclass names or OIDs. > Andrew Bartlett
From abartlet at samba.org Tue Aug 22 22:15:48 2006
From: abartlet at samba.org (Andrew Bartlett) Date: Wed, 23 Aug 2006 08:15:48 +1000 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <44EB7FEF.7000502@redhat.com> References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com> <1156282721.30279.56.camel@localhost.localdomain> <44EB7FEF.7000502@redhat.com> Message-ID: <1156284948.30279.72.camel@localhost.localdomain> On Tue, 2006-08-22 at 16:06 -0600, Richard Megginson wrote: > Andrew Bartlett wrote: > > On Tue, 2006-08-22 at 10:03 -0700, Pete Rowley wrote: > > > >> Kimmo Koivisto wrote: > >> > >> > >>> Andrew Bartlett wrote: > >>> [snip] > >>> > >>> > >>> > >>>> Anyway, this is the error I get with the attached schema: > >>>> > >>>> [abartlet at piglett source]$ sudo /opt/fedora-ds/slapd-piglett/start-slapd > >>>> Password: > >>>> [22/Aug/2006:21:03:47 +1000] dse - The entry cn=schema in > >>>> file /opt/fedora-ds/slapd-piglett/config/schema/01samba4.ldif is > >>>> invalid, error code 20 (Type or value exists) - attribute type > >>>> streetAddress: Does not match the OID "1.2.840.113556.1.2.256". Another > >>>> attribute type is already using the name or OID. > >>>> [22/Aug/2006:21:03:47 +1000] dse - Please edit the file to correct the > >>>> reported problems and then restart the server. > >>>> > >>>> I can find no other reference (in the schema ldif files) to > >>>> streetAddress, or that OID. > >>>> > >>>> > >>>> > >>>> > >>> See 00core.ldif: > >>> attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard > >>> LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC > >>> 2256' ) > >>> > >>> Maybe this is what you want to remove? > >>> > >>> > >>> > >> It would be bad form to remove a standard attribute and replace it with > >> one of the same name but different OID. It would be better to use the > >> standard attribute. > >> > > > > What would go wrong if I did that?
> > > The server might not start, apps might break. Do apps read the OID? I thought they just query by name. (The syntax is identical in this case). I'm trying to pick a line between 'bad form' (doing anything with Microsoft 'LDAP' could easily be considered 'bad form') and 'fatal'. My long term hope is to have more mappings, so that the backend can use more and more standard schema, but this is a long way off yet. For the moment, if I get the Samba4 provision to load, and Samba4 as the only client to operate, then I'll be a very happy man. > > When I started with OpenLDAP, I initially tried to load standard schema, > > then Microsoft's modifications, but very quickly got into a mess: > > Because I wanted a reproducible solution, I didn't want to edit these > > schema files, but they declared objectClasses that I had to override. > > > > So I ended up just using the converted AD schema. > > > > Would it be possible to split the 00core.ldif into 'attributes required > > for the operation of the directory' and 'core ldap standards'? > Yes. Something like internally used attributes vs. externally used > attributes? That's what I'm looking for. > > What > > will happen if I fail to load the 'attributes required for operation of > > the directory'? > > > Things may break. It's hard to tell without specific attributes or > objectclass names or OIDs. I was kind of hoping someone might be able to give me that list, so I can split the 00core.ldif. Once I know that list, I can place them into my excludes file, and not have the AD schema replace them. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com
From prowley at redhat.com Tue Aug 22 22:31:26 2006
From: prowley at redhat.com (Pete Rowley) Date: Tue, 22 Aug 2006 15:31:26 -0700 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <1156282721.30279.56.camel@localhost.localdomain> References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com> <1156282721.30279.56.camel@localhost.localdomain> Message-ID: <44EB85BE.4090205@redhat.com> Andrew Bartlett wrote: >On Tue, 2006-08-22 at 10:03 -0700, Pete Rowley wrote: > > >>It would be bad form to remove a standard attribute and replace it with >>one of the same name but different OID. It would be better to use the >>standard attribute. >> >> > >What would go wrong if I did that? > > > Those rare clients that actually did the right thing and checked schema would break. Clients that request by OID would also break. These are admittedly few and far between but it seems a shame to punish those who do the right thing. It would technically make the server non-LDAP standards compliant, and that's actually a big deal even if nothing breaks. >When I started with OpenLDAP, I initially tried to load standard schema, >then Microsoft's modifications, but very quickly got into a mess: >Because I wanted a reproducible solution, I didn't want to edit these >schema files, but they declared objectClasses that I had to override. > > I do understand your pain. The MS schema that is derived from the standards is actually not compliant to them - MS made some modifications. >So I ended up just using the converted AD schema. > > This is OK to get by for now, but I would strongly suggest an approach that is more accommodating to the standards and also existing deployments - few major deployers will want to change the standard schema. >Would it be possible to split the 00core.ldif into 'attributes required >for the operation of the directory' and 'core ldap standards'? > Sure, all of the schema files are just split as a matter of convenience and manageability.
> What >will happen if I fail to load the 'attributes required for operation of >the directory'? > > The directory won't operate? :) -- Pete
From prowley at redhat.com Tue Aug 22 22:35:40 2006
From: prowley at redhat.com (Pete Rowley) Date: Tue, 22 Aug 2006 15:35:40 -0700 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <1156284948.30279.72.camel@localhost.localdomain> References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com> <1156282721.30279.56.camel@localhost.localdomain> <44EB7FEF.7000502@redhat.com> <1156284948.30279.72.camel@localhost.localdomain> Message-ID: <44EB86BC.7030100@redhat.com> Andrew Bartlett wrote: >On Tue, 2006-08-22 at 16:06 -0600, Richard Megginson wrote: > > >>Andrew Bartlett wrote: >> >> >>>On Tue, 2006-08-22 at 10:03 -0700, Pete Rowley wrote: >>> >>> >>> >>>>Kimmo Koivisto wrote: >>>> >>>> >>>> >>>> >>>>>Andrew Bartlett wrote: >>>>>[snip] >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>Anyway, this is the error I get with the attached schema: >>>>>> >>>>>>[abartlet at piglett source]$ sudo /opt/fedora-ds/slapd-piglett/start-slapd >>>>>>Password: >>>>>>[22/Aug/2006:21:03:47 +1000] dse - The entry cn=schema in >>>>>>file /opt/fedora-ds/slapd-piglett/config/schema/01samba4.ldif is >>>>>>invalid, error code 20 (Type or value exists) - attribute type >>>>>>streetAddress: Does not match the OID "1.2.840.113556.1.2.256". Another >>>>>>attribute type is already using the name or OID. >>>>>>[22/Aug/2006:21:03:47 +1000] dse - Please edit the file to correct the >>>>>>reported problems and then restart the server. >>>>>> >>>>>>I can find no other reference (in the schema ldif files) to >>>>>>streetAddress, or that OID. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>See 00core.ldif: >>>>>attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard >>>>>LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC >>>>>2256' ) >>>>> >>>>>Maybe this is what you want to remove? >>>>> >>>>> >>>>> >>>>> >>>>> >>>>It would be bad form to remove a standard attribute and replace it with >>>>one of the same name but different OID.
It would be better to use the >>>>standard attribute. >>>> >>>> >>>> >>>What would go wrong if I did that? >>> >>> >>> >>The server might not start, apps might break. >> >> > >Do apps read the OID? I thought they just query by name. (The syntax is >identical in this case). > > > Typically a careful client would request attributes by OID, change the OID and you break the good apps. >I was kind of hoping someone might be able to give me that list, so I >can split the 00core.ldif. Once I know that list, I can place them into >my excludes file, and not have the AD schema replace them. > > Why not deal with the specific problems that arise when /adding/ the AD schema? I'm guessing that would be a shorter list? -- Pete
From abartlet at samba.org Tue Aug 22 23:24:41 2006
From: abartlet at samba.org (Andrew Bartlett) Date: Wed, 23 Aug 2006 09:24:41 +1000 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <44EB86BC.7030100@redhat.com> References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com> <1156282721.30279.56.camel@localhost.localdomain> <44EB7FEF.7000502@redhat.com> <1156284948.30279.72.camel@localhost.localdomain> <44EB86BC.7030100@redhat.com> Message-ID: <1156289081.30279.87.camel@localhost.localdomain> On Tue, 2006-08-22 at 15:35 -0700, Pete Rowley wrote: > Andrew Bartlett wrote: > > >On Tue, 2006-08-22 at 16:06 -0600, Richard Megginson wrote: > > > > > >>Andrew Bartlett wrote: > >> > >> > >>>On Tue, 2006-08-22 at 10:03 -0700, Pete Rowley wrote: > >>> > >>> > >>> > >>>>Kimmo Koivisto wrote: > >>>> > >>>> > >>>> > >>>> > >>>>>Andrew Bartlett wrote: > >>>>>[snip] > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>>>Anyway, this is the error I get with the attached schema: > >>>>>> > >>>>>>[abartlet at piglett source]$ sudo /opt/fedora-ds/slapd-piglett/start-slapd > >>>>>>Password: > >>>>>>[22/Aug/2006:21:03:47 +1000] dse - The entry cn=schema in > >>>>>>file /opt/fedora-ds/slapd-piglett/config/schema/01samba4.ldif is > >>>>>>invalid, error code 20 (Type or value exists) - attribute type > >>>>>>streetAddress: Does not match the OID "1.2.840.113556.1.2.256". Another > >>>>>>attribute type is already using the name or OID. > >>>>>>[22/Aug/2006:21:03:47 +1000] dse - Please edit the file to correct the > >>>>>>reported problems and then restart the server. > >>>>>> > >>>>>>I can find no other reference (in the schema ldif files) to > >>>>>>streetAddress, or that OID. 
> >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>See 00core.ldif: > >>>>>attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard > >>>>>LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC > >>>>>2256' ) > >>>>> > >>>>>Maybe this is what you want to remove? > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>It would be bad form to remove a standard attribute and replace it with > >>>>one of the same name but different OID. It would be better to use the > >>>>standard attribute. > >>>> > >>>> > >>>> > >>>What would go wrong if I did that? > >>> > >>> > >>> > >>The server might not start, apps might break. > >> > >> > > > >Do apps read the OID? I thought they just query by name. (The syntax is > >identical in this case). > > > > > > > Typically a careful client would request attributes by OID, change the > OID and you break the good apps. OK. I wasn't aware you could even do that. I know Samba4 doesn't support it :-) > >I was kind of hoping someone might be able to give me that list, so I > >can split the 00core.ldif. Once I know that list, I can place them into > >my excludes file, and not have the AD schema replace them. > > > > > Why not deal with the specific problems that arise when /adding/ the AD > schema? I'm guessing that would be a shorter list? Because the AD schema is a whole schema, not just some extra attributes/objectClasses, I need to be able to replace 'person', and many other classes that Microsoft has modified. Once I start replacing classes, I need to know the list of 'if I replace this, bad things happen'. I'm not sure, both lists are pretty long. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com
From prowley at redhat.com Wed Aug 23 00:54:05 2006
From: prowley at redhat.com (Pete Rowley) Date: Tue, 22 Aug 2006 17:54:05 -0700 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <1156289081.30279.87.camel@localhost.localdomain> References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com> <1156282721.30279.56.camel@localhost.localdomain> <44EB7FEF.7000502@redhat.com> <1156284948.30279.72.camel@localhost.localdomain> <44EB86BC.7030100@redhat.com> <1156289081.30279.87.camel@localhost.localdomain> Message-ID: <44EBA72D.9050800@redhat.com> Andrew Bartlett wrote: On Tue, 2006-08-22 at 15:35 -0700, Pete Rowley wrote: >>Why not deal with the specific problems that arise when /adding/ the AD >> >> >>schema? I'm guessing that would be a shorter list? >> >> > >Because the AD schema is a whole schema, not just some extra >attributes/objectClasses, I need to be able to replace 'person', and >many other classes that Microsoft has modified. > >Once I start replacing classes, I need to know the list of 'if I replace >this, bad things happen'. > > The problem is the list of broken things is open ended. Perhaps we should drill down on a specific example (like the "person" objectclass and associated attributes) and look at what is different. At least that will make sure we are all talking about the same thing and the folks on the list might have more targeted suggestions. Though, I thought the plan was to make the DS look like AD through Samba's lens? Are we just talking about an interim development situation until you add the "lens"? If so, I say break what you like. Otherwise I would have big concerns about integration with existing DS deployments. -- Pete
From abartlet at samba.org Wed Aug 23 01:11:17 2006
From: abartlet at samba.org (Andrew Bartlett) Date: Wed, 23 Aug 2006 11:11:17 +1000 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <44EBA72D.9050800@redhat.com> References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com> <1156282721.30279.56.camel@localhost.localdomain> <44EB7FEF.7000502@redhat.com> <1156284948.30279.72.camel@localhost.localdomain> <44EB86BC.7030100@redhat.com> <1156289081.30279.87.camel@localhost.localdomain> <44EBA72D.9050800@redhat.com> Message-ID: <1156295477.30279.104.camel@localhost.localdomain> On Tue, 2006-08-22 at 17:54 -0700, Pete Rowley wrote: > Andrew Bartlett wrote: > > On Tue, 2006-08-22 at 15:35 -0700, Pete Rowley wrote: > > >>Why not deal with the specific problems that arise when /adding/ the AD > >> > >> > >>schema? I'm guessing that would be a shorter list? > >> > >> > > > >Because the AD schema is a whole schema, not just some extra > >attributes/objectClasses, I need to be able to replace 'person', and > >many other classes that Microsoft has modified. > > > >Once I start replacing classes, I need to know the list of 'if I replace > >this, bad things happen'. > > > > > The problem is the list of broken things is open ended. Perhaps we > should drill down on a specific example (like the "person" objectclass > and associated attributes) and look at what is different. At least that > will make sure we are all talking about the same thing and the folks on > the list might have more targeted suggestions. > > Though, I thought the plan was to make the DS look like AD through > Samba's lens? Are we just talking about an interim development situation > until you add the "lens"? If so, I say break what you like. Otherwise I > would have big concerns about integration with existing DS deployments. Yeah, at the moment I'm looking at DS as a replicating (transactional?) LDAP-speaking backend, which clients will never talk to.
All clients will use the Samba lens (as you so very well put it). Currently, the lens (written for OpenLDAP) maps entryUUID <-> objectClass, canonicalises objectSid and objectCategory and maps some timestamps. Once I get that working, I'll start ramping up the lens power: the obvious next step is to map attributes to the same attributes used in the winSync plugin. Integration with existing DS deployments is a very, very long way off, but is clearly the holy grail. I want to start by getting the parts to talk together at all :-) I suspect I'll just need to figure out what I can remove/must keep by trial and error. The problem with this is any attributes in the class of 'used by the directory, but it will still start up and appear to operate', which was part of the reason for my initial enquiry. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com
From abartlet at samba.org Wed Aug 23 01:18:08 2006
From: abartlet at samba.org (Andrew Bartlett) Date: Wed, 23 Aug 2006 11:18:08 +1000 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <44EB85BE.4090205@redhat.com> References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com> <1156282721.30279.56.camel@localhost.localdomain> <44EB85BE.4090205@redhat.com> Message-ID: <1156295888.30279.111.camel@localhost.localdomain> On Tue, 2006-08-22 at 15:31 -0700, Pete Rowley wrote: > Andrew Bartlett wrote: > > >On Tue, 2006-08-22 at 10:03 -0700, Pete Rowley wrote: > > > >When I started with OpenLDAP, I initially tried to load standard schema, > >then Microsoft's modifications, but very quickly got into a mess: > >Because I wanted a reproducible solution, I didn't want to edit these > >schema files, but they declared objectClasses that I had to override. > > > > > I do understand your pain. The MS schema that is derived from the > standards is actually not compliant to them - MS made some modifications. Does anybody have some kind of graphical 'diff' of the schema modifications? > >So I ended up just using the converted AD schema. > > > > > This is OK to get by for now, but I would strongly suggest an approach > that is more accommodating to the standards and also existing deployments > - few major deployers will want to change the standard schema. Indeed. And where Microsoft has just added attributes, I can see us just adding extra objectClasses during Samba4's mapping to cope with them. I'm however still not quite sure how we will cope with 'sn' being removed from person however. Perhaps an msPerson objectClass? (Used when we detect a person without an 'sn', and changed to a person if an 'sn' is added?) But this is a long way off. I'm hoping to work with a bare-bones, 'not really LDAP any more' DS for now.
> >Would it be possible to split the 00core.ldif into 'attributes required > >for the operation of the directory' and 'core ldap standards'? > > > Sure, all of the schema files are just split as a matter of convenience > and manageability. > > > What > >will happen if I fail to load the 'attributes required for operation of > >the directory'? > > > > > The directory won't operate? :) As I mention in my other mail. If it's that easy, then I've got a chance of getting this right... Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com
From hyc at symas.com Wed Aug 23 01:49:28 2006
From: hyc at symas.com (Howard Chu) Date: Tue, 22 Aug 2006 18:49:28 -0700 Subject: [Fedora-directory-devel] Re: Samba4 onto Fedora DS In-Reply-To: <20060823005411.0CBDD72F83@hormel.redhat.com> References: <20060823005411.0CBDD72F83@hormel.redhat.com> Message-ID: <44EBB428.9040305@symas.com> > Date: Tue, 22 Aug 2006 17:54:05 -0700
From: Pete Rowley > Andrew Bartlett wrote: On Tue, 2006-08-22 at > 15:35 -0700, Pete Rowley wrote: >>> >>Why not deal with the specific problems that arise when /adding/ the AD >>> >>schema? I'm guessing that would be a shorter list? >> > >> >Because the AD schema is a whole schema, not just some extra >> >attributes/objectClasses, I need to be able to replace 'person', and >> >many other classes that Microsoft has modified. >> > >> >Once I start replacing classes, I need to know the list of 'if I replace >> >this, bad things happen'. > The problem is the list of broken things is open ended. Perhaps we > should drill down on a specific example (like the "person" objectclass > and associated attributes) and look at what is different. At least that > will make sure we are all talking about the same thing and the folks on > the list might have more targeted suggestions. > > Though, I thought the plan was to make the DS look like AD through > Samba's lens? Are we just talking about an interim development situation > until you add the "lens"? If so, I say break what you like. Otherwise I > would have big concerns about integration with existing DS deployments. Ultimately, if you need to make a clone of AD in order to satisfy Windows clients, you are going to have to break the existing LDAP standards the same way Microsoft did. You pretty much need bug-for-bug compatibility, otherwise some random MS app will come along later and break. This means doing such ugly things as requiring "cn" to be single-valued, etc. etc. Consider that Microsoft redefines the "top" objectclass to contain a plethora of attributes; it all goes downhill from there. Andrew, I certainly don't envy you the job ahead of you. Eventually, when you finish your work, you'll have another server that is just as broken and non-compliant as Microsoft's. I don't see you having a lot of choice in the matter, you just have to do what you have to do. The MS schema just doesn't coexist with real LDAP...
-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/ From abartlet at samba.org Wed Aug 23 02:37:27 2006 From: abartlet at samba.org (Andrew Bartlett) Date: Wed, 23 Aug 2006 12:37:27 +1000 Subject: [Fedora-directory-devel] Re: Samba4 onto Fedora DS In-Reply-To: <44EBB428.9040305@symas.com> References: <20060823005411.0CBDD72F83@hormel.redhat.com> <44EBB428.9040305@symas.com> Message-ID: <1156300647.30279.120.camel@localhost.localdomain> On Tue, 2006-08-22 at 18:49 -0700, Howard Chu wrote: > > Date: Tue, 22 Aug 2006 17:54:05 -0700 
From: Pete Rowley > > Andrew Bartlett wrote: On Tue, 2006-08-22 at > > 15:35 -0700, Pete Rowley wrote: > >>> >>Why not deal with the specific problems that arise when /adding/ the AD > >>> >>schema? I'm guessing that would be a shorter list? > >> > > >> >Because the AD schema is a whole schema, not just some extra > >> >attributes/objectClasses, I need to be able to replace 'person', and > >> >many other classes that Microsoft has modified. > >> > > >> >Once I start replacing classes, I need to know the list of 'if I replace > >> >this, bad things happen'. > > The problem is the list of broken things is open ended. Perhaps we > > should drill down on a specific example (like the "person" objectclass > > and associated attributes) and look at what is different. At least that > > will make sure we are all talking about the same thing and the folks on > > the list might have more targeted suggestions. > > > > Though, I thought the plan was to make the DS look like AD through > > Samba's lens? Are we just talking about an interim development situation > > until you add the "lens"? If so, I say break what you like. Otherwise I > > would have big concerns about integration with existing DS deployments. > Ultimately, if you need to make a clone of AD in order to satisfy > Windows clients, you are going to have to break the existing LDAP > standards the same way Microsoft did. You pretty much need bug-for-bug > compatibility, otherwise some random MS app will come along later and > break. I suppose the fact that I've been doing this for years in every other protocol is why I don't find the notion quite so shocking :-) > This means doing such ugly things as requiring "cn" to be single- > valued, etc. etc. Consider that Microsoft redefines the "top" > objectclass to contain a plethora of attributes; it all goes downhill > from there. I'm not sure redefining top is the worst of them.
If I am backing onto a standards-compliant server, and trying to put the worst of the non-standard behaviour in Samba4, then I think I can create an ms_top auxiliary class for the attributes I can't map/invent etc. Downhill is things like redefining 'person' without 'sn'... > Andrew, I certainly don't envy you the job ahead of you. > Eventually, when you finish your work, you'll have another server that > is just as broken and non-compliant as Microsoft's. That's the aim ;-) That's particularly the aim for the internal Samba4 server. I'm hoping that with the proxy mode, we might eventually have both worlds: compliant (directly) and non-compliant (via Samba). > I don't see you > having a lot of choice in the matter, you just have to do what you have > to do. The MS schema just doesn't coexist with real LDAP... Indeed. The real measure of how successful I am is how maintainable the mapping layer is, and how bad the server-side hacks are. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com
From prowley at redhat.com Wed Aug 23 17:14:09 2006
From: prowley at redhat.com (Pete Rowley) Date: Wed, 23 Aug 2006 10:14:09 -0700 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <1156295888.30279.111.camel@localhost.localdomain> References: <1156246394.30279.38.camel@localhost.localdomain> <200608221753.19769.koippa@gmail.com> <44EB38D3.1000405@redhat.com> <1156282721.30279.56.camel@localhost.localdomain> <44EB85BE.4090205@redhat.com> <1156295888.30279.111.camel@localhost.localdomain> Message-ID: <44EC8CE1.9090503@redhat.com> Andrew Bartlett wrote: >On Tue, 2006-08-22 at 15:31 -0700, Pete Rowley wrote: > > >>Andrew Bartlett wrote: >> >> >> >> >> >>> >>> >>I do understand your pain. The MS schema that is derived from the >>standards is actually not compliant to them - MS made some modifications. >> >> > >Does anybody have some kind of graphical 'diff' of the schema >modifications? > > > No, but with the two servers side by side a little script could do most of the work for you by extracting the schema, sorting the results from each, and then doing a diff. >>>So I ended up just using the converted AD schema. >>> >>> >>> >>> >>This is OK to get by for now, but I would strongly suggest an approach >>that is more accommodating to the standards and also existing deployments >>- few major deployers will want to change the standard schema. >> >> > >Indeed. And where Microsoft has just added attributes, I can see us >just adding extra objectClasses during Samba4's mapping to cope with >them. > >I'm however still not quite sure how we will cope with 'sn' being >removed from person however. Perhaps an msPerson objectClass? (Used >when we detect a person without an 'sn', and changed to a person if an >'sn' is added?) > > In that case why worry? If MS removed an attribute it doesn't hurt us to leave it in and doc the difference from AD and why. What's that phrase? Embrace and extend :) Of more concern to me would be examples where the schema for attributes have been changed e.g.
AD defines some attributes to be single valued that are defined as multi-valued in the relevant RFC. > > >As I mention in my other mail. If it's that easy, then I've got a >chance of getting this right... > > > You will not break things by changing the schema if you only add to the schema. Most things that matter to the server are operational attributes, don't touch any of those. -- Pete
From hyc at symas.com Wed Aug 23 18:19:08 2006
From: hyc at symas.com (Howard Chu) Date: Wed, 23 Aug 2006 11:19:08 -0700 Subject: [Fedora-directory-devel] Samba4 onto Fedora DS In-Reply-To: <20060823160023.681D3734F8@hormel.redhat.com> References: <20060823160023.681D3734F8@hormel.redhat.com> Message-ID: <44EC9C1C.2020305@symas.com> > Date: Wed, 23 Aug 2006 11:11:17 +1000 > From: Andrew Bartlett > > Yeah, at the moment I'm looking at DS as a replicating (transactional?) > LDAP-speaking backend, which clients will never talk to. All clients > will use the Samba lens (as you so very well put it). > > Currently, the lens (written for OpenLDAP) maps entryUUID <-> > objectClass, canonicalises objectSid and objectCategory and maps some > timestamps. > I think you meant entryUUID <-> objectGUID. We've done some mapping to allow OpenLDAP to replicate to AD; it's quite convoluted. There are a variety of attributes that AD doesn't allow us to write (like objectGUID) so we retrieve them instead, and stuff them into the OpenLDAP side. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/
From nkinder at redhat.com Mon Aug 28 17:42:11 2006
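The schema comparison suggested in the Samba4 thread above (extract both schemas and diff them), as an added example that is not part of any message on the list. Instead of a text diff it parses the attributeTypes definitions, so it can flag the cases the thread worries about: a name reused under a different OID (the streetAddress startup error) and a multi-valued attribute redefined as SINGLE-VALUE. The street definition and the streetAddress name/OID pair come from the thread; the other definitions, the 1.3.6.1.4.1.32473 documentation OID arc and all function names are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")   # parens, quoted strings, bare words
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}

class AttrType(NamedTuple):
    oid: str
    names: Tuple[str, ...]
    syntax: Optional[str]
    single_value: bool

Finding = NamedTuple("Finding", [("kind", str), ("name", str), ("base", str), ("candidate", str)])

def unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_attribute_types(ldif: str) -> List[AttrType]:
    """Parse the attributeTypes values of a schema LDIF (RFC 4512 descriptions)."""
    parsed = []
    for line in unfold(ldif):
        key, _, value = line.partition(":")
        if key.strip().lower() != "attributetypes":
            continue
        tok = TOKEN.findall(value)
        if len(tok) < 3 or tok[0] != "(" or tok[-1] != ")":
            raise ValueError(f"malformed definition: {line!r}")
        fields, flags, i = {}, set(), 2
        while i < len(tok) - 1:
            keyword = tok[i].upper()
            i += 1
            if keyword in FLAGS:                 # keywords that take no value
                flags.add(keyword)
            elif i >= len(tok) - 1:
                raise ValueError(f"{keyword} has no value: {line!r}")
            elif tok[i] == "(":                  # list, e.g. NAME ( 'a' 'b' )
                end = tok.index(")", i)
                fields[keyword] = [t.strip("'") for t in tok[i + 1:end]]
                i = end + 1
            else:
                fields[keyword] = [tok[i].strip("'")]
                i += 1
        # Drop a length bound such as {64} from the syntax OID.
        syntax = fields["SYNTAX"][0].split("{")[0] if "SYNTAX" in fields else None
        parsed.append(AttrType(tok[1], tuple(fields.get("NAME", [])), syntax, "SINGLE-VALUE" in flags))
    return parsed

def cardinality(a: AttrType) -> str:
    return "SINGLE-VALUE" if a.single_value else "multi-valued"

def compare(base: List[AttrType], candidate: List[AttrType]) -> List[Finding]:
    """Classify each candidate definition against the schema already loaded."""
    by_oid = {a.oid: a for a in base}
    by_name = {n.lower(): a for a in base for n in a.names}
    findings = []
    for c in candidate:
        label = c.names[0] if c.names else c.oid
        match = by_oid.get(c.oid) or next(
            (by_name[n.lower()] for n in c.names if n.lower() in by_name), None)
        if match is None:                        # neither name nor OID is in use
            findings.append(Finding("addition", label, "", c.oid))
            continue
        if match.oid != c.oid:                   # same name, different OID
            findings.append(Finding("oid-conflict", label, match.oid, c.oid))
        if match.syntax != c.syntax:
            findings.append(Finding("syntax-changed", label, str(match.syntax), str(c.syntax)))
        if match.single_value != c.single_value:
            findings.append(Finding("single-value-changed", label, cardinality(match), cardinality(c)))
    return findings

# First definition: the 00core.ldif line quoted in the thread, folded as LDIF.
# Second definition: constructed stand-in for a standard, multi-valued cn.
BASE_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) DESC 'Standard
  LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC
  2256' )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' )
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""
# Constructed definitions: only the streetAddress name/OID pair is from the thread.
CANDIDATE_LDIF = """\
attributeTypes: ( 1.2.840.113556.1.2.256 NAME 'streetAddress' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.5.4.3 NAME 'cn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.32473.1.1 NAME 'exampleAdOnlyAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

if __name__ == "__main__":
    for finding in compare(parse_attribute_types(BASE_LDIF), parse_attribute_types(CANDIDATE_LDIF)):
        print(finding)
```

Only the "addition" findings fall under the "only add to the schema" case described in the thread; the other kinds are redefinitions of something the base schema already declares.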
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 28 Aug 2006 10:42:11 -0700
Subject: [Fedora-directory-devel] Please Review: (204355) Winsync code should be removed from ldapserver tree
Message-ID: <44F32AF3.9040507@redhat.com>

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204355
Bug(s) fixed: 204355
Bug Description: The Windows Sync code (for both ntds.msi and
  passsync.msi) should be removed from the ldapserver top-level
  directory in the source tree. This code was moved to its own
  top-level winsync directory some time ago.
Reviewed by: ???
Files: See diffs
Branch: HEAD
Fix Description: We can safely remove the ldapserver/ldap/synctools and
  ldapserver/ldap/servers/ntds directories from the ldapserver tree.
  Some Makefile changes are also necessary to not build these pieces
  and to not pull some of the components needed to build them.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135064

From rcritten at redhat.com Mon Aug 28 17:46:05 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Aug 2006 13:46:05 -0400
Subject: [Fedora-directory-devel] Please Review: (204355) Winsync code should be removed from ldapserver tree
In-Reply-To: <44F32AF3.9040507@redhat.com>
References: <44F32AF3.9040507@redhat.com>
Message-ID: <44F32BDD.7090108@redhat.com>

Nathan Kinder wrote:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204355
> Bug(s) fixed: 204355
> Bug Description: The Windows Sync code (for both ntds.msi and
>   passsync.msi) should be removed from the ldapserver top-level
>   directory in the source tree. This code was moved to its own
>   top-level winsync directory some time ago.
> Reviewed by: ???
> Files: See diffs
> Branch: HEAD
> Fix Description: We can safely remove the ldapserver/ldap/synctools and
>   ldapserver/ldap/servers/ntds directories from the ldapserver tree.
>   Some Makefile changes are also necessary to not build these pieces
>   and to not pull some of the components needed to build them.
> Platforms tested: RHEL4
> Flag Day: no
> Doc impact: no
> https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135064

Where does BUILD_NTDS get set? Is that needed anywhere else?

rob

From nkinder at redhat.com Mon Aug 28 17:50:10 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 28 Aug 2006 10:50:10 -0700
Subject: [Fedora-directory-devel] Please Review: (204355) Winsync code should be removed from ldapserver tree
In-Reply-To: <44F32BDD.7090108@redhat.com>
References: <44F32AF3.9040507@redhat.com> <44F32BDD.7090108@redhat.com>
Message-ID: <44F32CD2.2020507@redhat.com>

Rob Crittenden wrote:
> Nathan Kinder wrote:
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204355
>> Bug(s) fixed: 204355
>> Bug Description: The Windows Sync code (for both ntds.msi and
>>   passsync.msi) should be removed from the ldapserver top-level
>>   directory in the source tree. This code was moved to its own
>>   top-level winsync directory some time ago.
>> Reviewed by: ???
>> Files: See diffs
>> Branch: HEAD
>> Fix Description: We can safely remove the ldapserver/ldap/synctools and
>>   ldapserver/ldap/servers/ntds directories from the ldapserver tree.
>>   Some Makefile changes are also necessary to not build these pieces
>>   and to not pull some of the components needed to build them.
>> Platforms tested: RHEL4
>> Flag Day: no
>> Doc impact: no
>> https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135064
>
> Where does BUILD_NTDS get set? Is that needed anywhere else?

That's a build option that is supplied on the command-line when invoking
make. It's not needed for anything else.

-NGK

>
> rob
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>

From rmeggins at redhat.com Mon Aug 28 17:56:51 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 28 Aug 2006 11:56:51 -0600
Subject: [Fedora-directory-devel] Please Review: (204355) Winsync code should be removed from ldapserver tree
In-Reply-To: <44F32AF3.9040507@redhat.com>
References: <44F32AF3.9040507@redhat.com>
Message-ID: <44F32E63.6010204@redhat.com>

Ok.

Nathan Kinder wrote:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204355
> Bug(s) fixed: 204355
> Bug Description: The Windows Sync code (for both ntds.msi and
>   passsync.msi) should be removed from the ldapserver top-level
>   directory in the source tree. This code was moved to its own
>   top-level winsync directory some time ago.
> Reviewed by: ???
> Files: See diffs
> Branch: HEAD
> Fix Description: We can safely remove the ldapserver/ldap/synctools and
>   ldapserver/ldap/servers/ntds directories from the ldapserver tree.
>   Some Makefile changes are also necessary to not build these pieces
>   and to not pull some of the components needed to build them.
> Platforms tested: RHEL4
> Flag Day: no
> Doc impact: no
> https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135064

From rcritten at redhat.com Mon Aug 28 18:01:36 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Aug 2006 14:01:36 -0400
Subject: [Fedora-directory-devel] Please Review: (204355) Winsync code should be removed from ldapserver tree
In-Reply-To: <44F32CD2.2020507@redhat.com>
References: <44F32AF3.9040507@redhat.com> <44F32BDD.7090108@redhat.com>
 <44F32CD2.2020507@redhat.com>
Message-ID: <44F32F80.3050805@redhat.com>

Nathan Kinder wrote:
> Rob Crittenden wrote:
>
>> Nathan Kinder wrote:
>>
>>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204355
>>> Bug(s) fixed: 204355
>>> Bug Description: The Windows Sync code (for both ntds.msi and
>>>   passsync.msi) should be removed from the ldapserver top-level
>>>   directory in the source tree. This code was moved to its own
>>>   top-level winsync directory some time ago.
>>> Reviewed by: ???
>>> Files: See diffs
>>> Branch: HEAD
>>> Fix Description: We can safely remove the ldapserver/ldap/synctools and
>>>   ldapserver/ldap/servers/ntds directories from the ldapserver tree.
>>>   Some Makefile changes are also necessary to not build these pieces
>>>   and to not pull some of the components needed to build them.
>>> Platforms tested: RHEL4
>>> Flag Day: no
>>> Doc impact: no
>>> https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135064
>>
>> Where does BUILD_NTDS get set? Is that needed anywhere else?
>
> That's a build option that is supplied on the command-line when invoking
> make. It's not needed for anything else.
>
> -NGK

Ok, it looks fine then.

rob

From nkinder at redhat.com Tue Aug 29 18:35:40 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 29 Aug 2006 11:35:40 -0700
Subject: [Fedora-directory-devel] Please Review: (204517) Server needs to use new ber types
Message-ID: <44F488FC.5010409@redhat.com>

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204517
Bug(s) fixed: 204517
Bug Description: In order to use the latest Mozilla LDAP C SDK in the
  directory server, we need to start using the new ber types (ber_tag_t,
  ber_len_t, ber_int_t, etc.).
Reviewed by: ???
Files: See diffs
Branch: HEAD
Fix Description: These diffs are from scanning the compiler output for
  warnings related to the new ber types. This mainly caught places where
  we need to use ber_tag_t and ber_len_t. I also fixed the usage of
  ber_scanf() in nearby code. This fix is a first pass. We will still
  have to do a manual scan to check the usage of the ber_printf(),
  ber_scanf() and ber_get_*() functions.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135159

From nhosoi at redhat.com Wed Aug 30 01:43:17 2006
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Tue, 29 Aug 2006 18:43:17 -0700
Subject: [Fedora-directory-devel] Please review: [Bug 204566] Adjustment for new LDAP C SDK
In-Reply-To:
References:
Message-ID: <44F4ED35.7000102@redhat.com>

Summary: Adjustment for new LDAP C SDK

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204566

           Summary: Adjustment for new LDAP C SDK
           Product: Fedora Directory Server
           Version: 1.0.2
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: Directory Server
        AssignedTo: nhosoi at redhat.com
        ReportedBy: nhosoi at redhat.com
         QAContact: ohegarty at redhat.com
                CC: ohegarty at redhat.com
   Estimated Hours: 0.0

Description of problem:
LDAP C SDK function -- ber_get_next_buffer_ext's API has been changed since the
Sun code merge. (See also https://bugzilla.mozilla.org/show_bug.cgi?id=347933)
We need to update the connection code to adjust.

ber_get_next_buffer_ext in mozilla/directory/c-sdk/ldap/libraries/liblber/io.c

Original:
/*
 * Returns the tag of the message or LBER_DEFAULT if an error occurs. There
 * are two cases where LBER_DEFAULT is returned:
 *
 * 1) There was not enough data in the buffer to complete the message; this
 *    is a "soft" error. In this case, *Bytes_Scanned is set to a positive
 *    number.
 *
 * 2) A "fatal" error occurs. In this case, *Bytes_Scanned is set to zero.
 *    To check for specific errors, the system error number (errno) must
 *    be consulted. These errno values are explicitly set by this
 *    function; other errno values may be set by underlying OS functions:
 *
 *    EINVAL   - LBER_SOCKBUF_OPT_VALID_TAG option set but tag does not match.
 *    EMSGSIZE - length was not represented as <= sizeof(long) bytes or the
 *               LBER_SOCKBUF_OPT_MAX_INCOMING_SIZE option was set and the
 *               message is longer than the maximum. *len will be set in
 *               the latter situation.
 */

New:
/*
 * Returns the tag of the message or LBER_ return code if an error occurs.
 *
 * If there was not enough data in the buffer to complete the message this
 * is a "soft" error. In this case, *Bytes_Scanned is set to a positive
 * number and return code is set to LBER_DEFAULT.
 *
 * On overflow condition when the length is either bigger than ber_uint_t
 * type or the value preset via LBER_SOCKBUF_OPT_MAX_INCOMING_SIZE option,
 * *Bytes_Scanned is set to zero and return code is set to LBER_OVERFLOW.
 *
 * For backward compatibility errno is also set on these error conditions:
 *
 * EINVAL   - LBER_SOCKBUF_OPT_VALID_TAG option set but tag doesnt match.
 * EMSGSIZE - an overflow condition as described above for LBER_OVERFLOW.
 */

------- Additional Comments From nhosoi at redhat.com 2006-08-29 21:26 EST -------
Created an attachment (id=135178)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=135178&action=view)
cvs diff ldapserver/ldap/servers/slapd/connection.c

File: ldapserver/ldap/servers/slapd/connection.c

Changes:
1) When ber_get_next_buffer_ext fails, not just LBER_DEFAULT but LBER_OVERFLOW
   can be set to the ber tag. Thus, LBER_OVERFLOW is also checked in the error
   check now.
2) The too large length error used to be checked as "errno == EMSGSIZE", which
   is replaced with "tag == LBER_OVERFLOW"
3) When the too large length error occurs, the following error was logged in
   the errors log, which was not appropriate since increasing
   nsslapd-maxbersize did not solve the problem.
     connection - conn=7 fd=65 Incoming BER Element was too long, max allowable
     is 2097152 bytes. Change the nsslapd-maxbersize attribute in cn=config to
     increase.
   Removed the error logging.
4) When the error occurs, B2 (== SLAPD_DISCONNECT_BER_TOO_BIG) is added at the
   end of the closed error in the access log. Error code EMSGSIZE and its
   description have been added:
     conn=7 op=-1 fd=65 closed error 90 (Message too long) - B2
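
The tag-based error check described in the message above, as an added sketch that is not the project's connection.c or the Mozilla SDK code. `model_get_next`, `feed`, the `X_LBER_*` values and the verdict names are hypothetical stand-ins, and the toy decoder handles only one-byte tags with definite lengths.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in error tags for this sketch; real code uses the lber.h macros. */
#define X_LBER_DEFAULT  0xffffffffUL
#define X_LBER_OVERFLOW 0xfffffffdUL

enum verdict { MSG_COMPLETE, NEED_MORE_DATA, CLOSE_BER_TOO_BIG, CLOSE_BAD_BER };

/* Toy decoder following the quoted contract: one-byte tag, definite length.
 * max_incoming models LBER_SOCKBUF_OPT_MAX_INCOMING_SIZE (0 = no limit). */
static unsigned long model_get_next(const unsigned char *buf, size_t n,
                                    uint32_t max_incoming, size_t *scanned)
{
    uint64_t l;
    size_t i, nlen = 0;

    *scanned = n;                        /* soft error unless decided below */
    if (n < 2) return X_LBER_DEFAULT;    /* header not complete yet */
    l = buf[1];                          /* short form: the length itself */
    if (buf[1] & 0x80) {                 /* long form: low bits count length octets */
        nlen = buf[1] & 0x7f;
        if (nlen == 0) { *scanned = 0; return X_LBER_DEFAULT; }   /* indefinite: fatal */
        if (nlen > sizeof(uint32_t)) { *scanned = 0; return X_LBER_OVERFLOW; }
        if (n < 2 + nlen) return X_LBER_DEFAULT;
        for (l = 0, i = 0; i < nlen; i++) l = (l << 8) | buf[2 + i];
    }
    if (max_incoming && l > max_incoming) { *scanned = 0; return X_LBER_OVERFLOW; }
    if (n < 2 + nlen + l) return X_LBER_DEFAULT;   /* body not fully buffered */
    *scanned = 2 + nlen + (size_t)l;
    return buf[0];
}

/* The check the message describes: decide on the returned tag, not on errno. */
static enum verdict feed(const unsigned char *buf, size_t n, uint32_t max_incoming)
{
    size_t scanned;
    unsigned long tag = model_get_next(buf, n, max_incoming, &scanned);

    if (tag == X_LBER_OVERFLOW) return CLOSE_BER_TOO_BIG;    /* B2 in the access log */
    if (tag == X_LBER_DEFAULT) return scanned ? NEED_MORE_DATA : CLOSE_BAD_BER;
    return MSG_COMPLETE;
}

int main(void)
{
    /* Constructed header announcing 2097153 bytes, one over the 2097152 limit. */
    const unsigned char big[] = { 0x30, 0x84, 0x00, 0x20, 0x00, 0x01 };
    return feed(big, sizeof big, 2097152) == CLOSE_BER_TOO_BIG ? 0 : 1;
}
```

The oversized verdict is reached from the six header bytes alone, before any of the announced body has been buffered.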