3.1.1 Abstract Data Model

This protocol operates on a domain directory database, the data model for which is described in [MS-ADTS] section 3. For convenience, this section contains sufficient information from [MS-ADTS] section 3 to describe the message processing of this protocol.

The directory database is composed of a set of named objects. The name format is an X.500 name, as specified in [RFC1274]; therefore, the objects are arranged in a hierarchy by name. Each object name MUST be unique within the directory.

Each object possesses a collection of attributes. Each attribute is identified by a name specified in the attribute ldapDisplayName. For example, the X.500 name of the object is a single-valued attribute with the ldapDisplayName: distinguishedName. The complete list of attributes and associated constraints is specified in [MS-ADA1], [MS-ADA2], and [MS-ADA3].

Objects are retrieved from the directory database by specifying attribute-value constraints that the object attributes (and their values) MUST satisfy. Attribute values are updated by identifying the target object by distinguishedName and specifying the new set of attribute-value pairs.

Implementations must support creating, reading, updating, and deleting multiple objects, attributes, and attribute values with ACID (that is, atomic, consistent, isolated, and durable) properties. Such an update is referred to as a transaction in this specification.

Directory attributes and their semantics relevant to this protocol follow:

objectGUID: A GUID value (128 bit). Each object MUST have this attribute, and this attribute value MUST be unique within the universe. This value MUST be invariant throughout the object's lifetime; therefore, this attribute is a candidate primary key for database objects.

objectSid: The SID of an account.

pwdLastSet: The time (64-bit value) at which the unicodePwd value was last set; units MUST be 100-nanosecond time slices since January 1, 1601, midnight (GMT).

dbcsPwd: The LM hash of a clear-text password.

unicodePwd: The NT hash of a clear-text password.

badPwdCount: The number of logon attempts with a bad password since the last successful logon within the observation period specified in the attribute lockoutObservationWindow.

lockoutTime: The time at which the badPwdCount value exceeded the lockoutThreshold value; units are 100-nanosecond time slices since January 1, 1601, midnight (GMT).

lockoutThreshold: The number of invalid password attempts allowed before subsequent authentication attempts fail.

sAMAccountName: The logon name of an account.

lastLogonTimeStamp: The time (a 64-bit value) at which the user last logged on; units MUST be 100-nanosecond time slices since January 1, 1601, midnight (GMT).
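The three time attributes above share one encoding (64-bit count of 100-nanosecond intervals since 1601-01-01 00:00 GMT), and the lockout attributes are read together. The following is an added example, not part of the specification, showing how a reader of the directory would decode those values and derive password age and lockout state; the sample object, the treatment of 0 as "never set", and the rule that a lockoutThreshold of 0 disables lockout are assumptions made here.

```python
from datetime import datetime, timedelta, timezone

# Epoch of pwdLastSet, lockoutTime and lastLogonTimeStamp (GMT == UTC here).
DIRECTORY_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INTERVALS_PER_SECOND = 10_000_000  # 100-nanosecond slices per second


def filetime_to_datetime(value):
    """Decode a 64-bit 100-ns-since-1601 value to an aware UTC datetime.
    Assumption: a value of 0 means the attribute was never set."""
    if not 0 <= value <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("value is not a 64-bit timestamp")
    if value == 0:
        return None
    # timedelta has microsecond resolution, so drop the sub-microsecond digit.
    return DIRECTORY_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for the same encoding."""
    delta = dt.astimezone(timezone.utc) - DIRECTORY_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * INTERVALS_PER_SECOND + delta.microseconds * 10


def password_age_days(obj, now):
    """Days since unicodePwd was last set, or None if pwdLastSet is unset."""
    last_set = filetime_to_datetime(obj.get("pwdLastSet", 0))
    return None if last_set is None else (now - last_set).days


def is_locked_out(obj):
    """lockoutTime is written when badPwdCount exceeds lockoutThreshold,
    so a non-zero lockoutTime marks a locked account. Assumption: a
    lockoutThreshold of 0 means lockout is disabled for the account."""
    if obj.get("lockoutThreshold", 0) == 0:
        return False
    return obj.get("lockoutTime", 0) != 0


# Constructed sample object (values are illustrative, not from any directory).
SAMPLE_OBJECT = {
    "sAMAccountName": "example.user",
    "pwdLastSet": 133000000000000000,   # some time in mid-2022
    "lastLogonTimeStamp": 133200000000000000,
    "badPwdCount": 5,
    "lockoutThreshold": 5,
    "lockoutTime": 133200001000000000,  # non-zero: account is locked
}
```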