strange ldap search

Guenther Deschner gd at samba.org
Wed Feb 10 04:19:53 MST 2010


On Mon, Feb 08, 2010 at 07:18:46PM +0100, Björn JACKE wrote:
> Hi,
> 
> I've stumbled upon a strange but quite frequent LDAP search request:
> 
>   smbldap_search_ext: base => [o=foo,c=faa], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-828240920-535362782-526260432-501)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)))], scope => [2]
> 
> I wonder if the (|(objectclass=sambaGroupMapping)(sambaGroupType=4)) part of
> the search filter is actually intended. Shouldn't that be a & instead of |? In
> the end this can be simplified to
> 
> (&(objectclass=sambaGroupMapping)(sambaGroupType=4)(|...
> 
> As patches get stripped by our mailman, here's the proposed patch inline:
> 
> diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
> index 0d498c8..63790c0 100644
> --- a/source3/passdb/pdb_ldap.c
> +++ b/source3/passdb/pdb_ldap.c
> @@ -3725,7 +3725,7 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
>  	}
>  
>  	filter = talloc_asprintf(mem_ctx,
> -				 "(&(|(objectclass=%s)(sambaGroupType=%d))(|",
> +				 "(&(objectclass=%s)(sambaGroupType=%d)(|",
>  				 LDAP_OBJ_GROUPMAP, type);
>  
>  	for (i=0; i<num_members; i++)
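
Review bot: On the changed format string, replacing the inner `(|` with a flat `&` narrows the result set: entries with objectclass=LDAP_OBJ_GROUPMAP but a sambaGroupType other than `type` matched the old filter and no longer match. The commit message should state that this narrowing is intended. Separately, the context lines show no NULL check on `filter` between the talloc_asprintf call and the `for` loop; if the check does not come after the loop, add one.
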
> 
> Any comments?

Yes, looks good to me as well. An object holding "sambaGroupType" attribute will
always (enforced by schema) have objectclass=sambaGroupMapping. Looking
for (|(objectclass=sambaGroupMapping)(sambaGroupType=4)) potentially can
return sambaSIDList from non-aliases (sambaGroupType != 4).

Guenther

-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
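
Added example, not part of the original messages or of Samba's code: a small Python evaluator for the filter subset used in this thread (AND, OR, equality), run over three constructed entries. It shows that the old OR form also returns a non-alias group, while the patched AND form does not. The entry DNs and attribute values are constructed, and values are compared case-insensitively as a simplification.

```python
# Minimal LDAP filter evaluator: supports only (&...), (|...) and attr=value.
# No escapes, substrings, NOT or schema-specific matching rules.

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    assert f[i] == "("
    i += 1
    if f[i] in "&|":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        assert f[i] == ")"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """True if the entry (dict of lowercased attr -> list of values) matches."""
    if node[0] == "=":
        _, attr, value = node
        return value.lower() in (v.lower() for v in entry.get(attr, []))
    results = (matches(kid, entry) for kid in node[1])
    return all(results) if node[0] == "&" else any(results)

def search(filter_text, entries):
    tree, end = parse(filter_text)
    assert end == len(filter_text)
    return [dn for dn, entry in entries.items() if matches(tree, entry)]

# Membership terms taken from the filter quoted in the thread.
MEMBERS = "(|(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546))"
OLD_FILTER = "(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))" + MEMBERS + ")"
NEW_FILTER = "(&(objectclass=sambaGroupMapping)(sambaGroupType=4)" + MEMBERS + ")"

# Constructed sample entries under the base DN shown in the thread.
ENTRIES = {
    "cn=alias-a,o=foo,c=faa": {"objectclass": ["sambaGroupMapping"],
        "sambagrouptype": ["4"], "sambasidlist": ["S-1-1-0"]},
    "cn=domgroup-b,o=foo,c=faa": {"objectclass": ["sambaGroupMapping"],
        "sambagrouptype": ["2"], "sambasidlist": ["S-1-5-2"]},
    "cn=alias-c,o=foo,c=faa": {"objectclass": ["sambaGroupMapping"],
        "sambagrouptype": ["4"], "sambasidlist": ["S-1-5-21-1-2-3-1000"]},
}

if __name__ == "__main__":
    print("old:", search(OLD_FILTER, ENTRIES))
    print("new:", search(NEW_FILTER, ENTRIES))
```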