active directory ldap extras

validated writes

In addition to per-object and per-attribute access controls, Active Directory allows unprivileged users limited writes to certain attributes, as long as the value being set passes a set of attribute-specific checks.

One common case for these validated writes is the servicePrincipalName attribute found on security principals (users, computers, etc.). By default, this attribute may be written by the principal itself (self), but only after extra validation is done. This means that a computer joined to a domain may add its own SPNs as long as those SPNs pass Active Directory's smell test.

As an example, here are some of the tests that appear to be performed against an SPN being written to a computer account by that computer:

  1. The hostname portion of the SPN must match the dNSHostName attribute or one of the msDS-AdditionalDnsHostname attributes. The msDS-AdditionalDnsHostname attribute may be written as part of the same LDAP operation as the SPN.
  2. The domain name portion of the hostname in the SPN must be within the same DNS domain as the domain the object resides in, or match an explicitly defined suffix.
  3. The hostname portion of the SPN must be unique across the forest. Some Active Directory clients register a HOST SPN with a short (unqualified) hostname. This is OK if the name matches the object's common name attribute (?), but runs the risk that it isn't unique across the forest. The same may apply in cases where multiple domains in the forest share the same DNS domain.

Operations not passing these extra checks will fail with a Constraint Violation.
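The three checks above can be modelled as a pre-flight test that predicts whether an SPN write by a computer account is likely to be rejected. This is an added example, not Active Directory's own logic or code from this page; `check_spn`, the `forest_hosts` map, the exact-match treatment of DNS suffixes and the sample objects are all assumptions made for illustration.

```python
# Added example: models the checks as listed above; it is not Active Directory's own code.

def spn_host(spn):
    """Return the lower-cased host part of 'class/host[:port][/servicename]'."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    return parts[1].split(":", 1)[0].lower()

def check_spn(spn, computer, domain_dns, extra_suffixes=(), forest_hosts=None):
    """Return the reasons a write is expected to be rejected (empty list = passes).

    computer:     dict with 'dn', 'cn', 'dNSHostName' and, optionally,
                  'msDS-AdditionalDnsHostname' (values as they would be after the write).
    forest_hosts: hypothetical map of SPN host -> DN of the object already using it.
    """
    host = spn_host(spn)
    reasons = []
    is_short_cn = "." not in host and host == computer["cn"].lower()

    # Check 1: host matches dNSHostName or an additional DNS host name.
    own = {computer["dNSHostName"].lower()}
    own.update(n.lower() for n in computer.get("msDS-AdditionalDnsHostname", []))
    if host not in own and not is_short_cn:
        reasons.append("host matches neither dNSHostName nor msDS-AdditionalDnsHostname")

    # Check 2: domain part equals the object's DNS domain or a defined suffix
    # (assumption: exact match on everything after the first label).
    if "." in host:
        suffix = host.split(".", 1)[1]
        allowed = {domain_dns.lower(), *(s.lower() for s in extra_suffixes)}
        if suffix not in allowed:
            reasons.append(f"DNS suffix {suffix!r} is not allowed for this domain")

    # Check 3: host must not already be used by another object in the forest.
    owner = (forest_hosts or {}).get(host)
    if owner is not None and owner.lower() != computer["dn"].lower():
        reasons.append(f"host already registered by {owner}")
    return reasons

# Constructed sample object and forest state.
WEB01 = {"dn": "CN=WEB01,CN=Computers,DC=corp,DC=example,DC=com", "cn": "WEB01",
         "dNSHostName": "web01.corp.example.com",
         "msDS-AdditionalDnsHostname": ["www.corp.example.com"]}
FOREST = {"web01": "CN=WEB01,CN=Computers,DC=emea,DC=example,DC=com"}

if __name__ == "__main__":
    for spn in ("HTTP/web01.corp.example.com:8443", "HTTP/www.corp.example.com",
                "HTTP/db01.corp.example.com", "HOST/web01"):
        print(spn, "->", check_spn(spn, WEB01, "corp.example.com", forest_hosts=FOREST) or "ok")
```

The last sample SPN shows the short-name risk from check 3: `HOST/web01` matches the object's common name but collides with a same-named computer in another domain of the forest.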

global catalogue

Each Active Directory domain controller contains pretty much all of the attributes for all of the objects within its domain. There are exceptions: read-only domain controllers (RODCs), for example, don't generally hold all user passwords.

Across each domain in a forest, some subset of domain controllers may also contain a subset of all of the attributes across all objects forest-wide. This collection of objects and attributes is called the Global Catalogue. It is available through an LDAP-protocol interface over TCP port 3268, or 3269 if using TLS.

More detail here would be good.

Twitter: @IncompleteIO