[PATCH] Samba 3 winbindd group queries using bitwise matching rule

Guenther Deschner gd at samba.org
Fri Oct 21 13:14:19 GMT 2005


Hi Jeremy,

On Fri, Sep 23, 2005 at 03:28:59PM -0700, Jeremy Allison wrote:
> On Fri, Sep 23, 2005 at 06:02:43PM +0200, Guenther Deschner wrote:
> > Hi,
> > 
> > since we know how to do LDAP queries with the bitwise matching rule for a
> > long time, why don't we use it?
> > 
> > It makes a lot of sense in winbindd's group queries, making them much more
> > accurate. An example: when winbindd is just interested in global and
> > universal groups (from a trusted domain) it's just pointless to dig
> > through hundreds of builtin and domain local groups, instead it's better
> > to not even shovel them over the wire and exclude them from the search
> > directly.
> > 
> > Successfully tested latest ADS LDAP servers (w2k3 sp1 and w2k sp4 + all
> > fixes). 
> > 
> > Amazingly even the documented example search-strings from Microsoft fail
> > to succeed with w2k3 sp0 and w2k4 sp4 (without additional fixes) (verified
> > with two different LDAP APIs).
> 
> This looks really good - can you put it in HEAD please ?

I've put in 3_0 and trunk now (hopefully that's fine).

Debugging with various LDAP client libs and ADS versions showed why the
original version of the patch did not work with W2K3DC SP0 or W2K SP4 w/o
rollup-fixes:

* older ADS versions do not follow Section 5.1(4) of RFC 2251 when
  decoding the extended filter, new versions do and also accept the old
  behaviour 

* OpenLDAP & perl-ldap libs always encode the extended filter correctly
  (following the RFC).

* samba4 ldap lib does not follow the RFC (and therefore works with all ADS
  versions)


Cheers,
Guenther
-- 
Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE LINUX                       gd at suse.de
Samba Team                              gd at samba.org
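
The following is an added example, not code from the patch or from Samba: it builds a bitwise-AND group filter and BER-encodes one extensibleMatch term both with dnAttributes omitted (RFC 2251 Section 5.1(4): default values must be absent) and with an explicit FALSE. Assumptions: the filter attribute is groupType, the filter shape and group entries are constructed for illustration, and dnAttributes (the only DEFAULT field in MatchingRuleAssertion) is taken to be the field behind the interoperability difference described above.

```python
# Added example: AD bitwise group filter and its BER wire encoding.
BIT_AND = "1.2.840.113556.1.4.803"       # AD bitwise-AND matching rule OID
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8   # AD groupType flag bits

def ldap_filter(*flags):
    """String filter (assumed shape): groups with any of the given bits."""
    terms = "".join(f"(groupType:{BIT_AND}:={f})" for f in flags)
    return f"(&(objectCategory=group)(|{terms}))"

def tlv(tag, value):
    """One BER element with definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def extensible_match(rule, attr, value, explicit_default=False):
    """Filter choice [9] extensibleMatch carrying a MatchingRuleAssertion.
    explicit_default=True also sends dnAttributes [4] FALSE, which
    RFC 2251 Section 5.1(4) says must be left out."""
    body = (tlv(0x81, rule.encode())      # [1] matchingRule
            + tlv(0x82, attr.encode())    # [2] type
            + tlv(0x83, value.encode()))  # [3] matchValue
    if explicit_default:
        body += tlv(0x84, b"\x00")        # [4] dnAttributes = FALSE
    return tlv(0xA9, body)

def bit_and_match(group_type, mask):
    """What the server evaluates for the bitwise-AND rule."""
    return (group_type & mask) == mask

# Constructed sample entries: name -> groupType as a signed 32-bit integer.
SAMPLE = {"Domain Admins": -2147483646,      # global, security enabled
          "Administrators": -2147483643,     # builtin local
          "Enterprise Admins": -2147483640,  # universal
          "DnsAdmins": -2147483644}          # domain local

def wanted(groups, flags=(GLOBAL, UNIVERSAL)):
    """Names the filter keeps: only global and universal groups."""
    return sorted(n for n, t in groups.items()
                  if any(bit_and_match(t, f) for f in flags))

if __name__ == "__main__":
    print(ldap_filter(GLOBAL, UNIVERSAL))
    print(extensible_match(BIT_AND, "groupType", "2").hex())
    print(extensible_match(BIT_AND, "groupType", "2", True).hex())
    print(wanted(SAMPLE))
```

The two encodings differ only in the trailing `84 01 00` element and the outer length byte, which is the kind of difference to look for in a packet capture when a filter works with one client library and fails with another.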