RootDSE search with extended-dn (bug #10949)

Stefan (metze) Metzmacher metze at samba.org
Tue Dec 9 07:49:50 MST 2014


And the attachment...

Am 09.12.2014 um 15:48 schrieb Stefan (metze) Metzmacher:
> Hi,
> 
> here are patches for https://bugzilla.samba.org/show_bug.cgi?id=10949.
> 
> An anonymous client can ask for extended-dn on the RootDSE record,
> currently we fail to handle this over LDAP:
> 
> root at ub1204-161:~# ldbsearch -U% -H ldap://172.31.9.161 -b '' -s base
> --extended-dn serverName
> search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020:
> operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:567> <>
> 
> But it works fine locally (as system).
> 
> root at ub1204-161:~# ldbsearch -U% -H /var/lib/samba/private/sam.ldb -b ''
> -s base --extended-dn serverName
> # record 1
> dn:
> serverName:
> <GUID=348c35e1-04e3-4988-a32c-32478d584551>;CN=UB1204-161,CN=Serve
>  rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base
> 
> # returned 1 records
> # 1 entries
> # 0 referrals
> 
> The trick is to do the extended-dn resolving using the AS_SYSTEM control.
> 
> BTW: A FreeIPA client uses such an LDAP query...
> 
> Please review and push.
> 
> Thanks!
> metze
> 
-------------- next part --------------
From d7f6d5d4729fbe24607922aff7798d2cc75ec3f6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 20 Nov 2014 14:21:06 +0100
Subject: [PATCH 1/2] s4:dsdb/rootdse: expand extended dn values with the
 AS_SYSTEM control

Otherwise we can't find the GUID of the 'serverName' attribute
as ANONYMOUS.

This results in

  root at ub1204-161:~# ldbsearch -U% -H ldap://172.31.9.161 -b '' -s base --extended-dn serverName
  search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:567> <>

While it works as system:

  root at ub1204-161:~# ldbsearch -U% -H /var/lib/samba/private/sam.ldb -b '' -s base --extended-dn serverName
  # record 1
  dn:
  serverName: <GUID=348c35e1-04e3-4988-a32c-32478d584551>;CN=UB1204-161,CN=Serve
   rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base

  # returned 1 records
  # 1 entries
  # 0 referrals

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10949

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/dsdb/samdb/ldb_modules/rootdse.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index b13dc9e..111266f 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -142,10 +142,8 @@ static int expand_dn_in_message(struct ldb_module *module, struct ldb_message *m
 			return ret;
 		}
 
-
-		ret = ldb_request_add_control(req2,
-					LDB_CONTROL_EXTENDED_DN_OID,
-					edn_control->critical, edn);
+		ret = dsdb_request_add_controls(req2, DSDB_FLAG_AS_SYSTEM |
+						DSDB_SEARCH_SHOW_EXTENDED_DN);
 		if (ret != LDB_SUCCESS) {
 			talloc_free(tmp_ctx);
 			return ldb_error(ldb, ret, "Failed to add control");
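Review bot: the replacement call drops the two arguments the old `ldb_request_add_control` passed through, `edn_control->critical` and `edn` (the client's parsed extended-dn control data, which carries the requested GUID/SID format), and instead adds the control via `dsdb_request_add_controls(req2, DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_EXTENDED_DN)`. Check that the format the internal sub-search now uses matches what the client asked for in its own control, and that `edn` and `edn_control` do not become unused variables in `expand_dn_in_message` after this change. Since the sub-request now runs with `DSDB_FLAG_AS_SYSTEM`, it bypasses the ACL evaluation that made the anonymous lookup fail; that is the intended fix for resolving the GUID of an already-disclosed rootDSE DN, but the commit message should say so, and it is worth confirming that the caller copies only the expanded DN from the privileged result into the reply and no other attributes of that object, otherwise the AS_SYSTEM search would become a read-ACL bypass for anonymous clients.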
-- 
1.9.1


From 18de71598619661006980bcae20969c15f956a54 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 21 Nov 2014 14:11:54 +0100
Subject: [PATCH 2/2] testprogs/test_ldb: check rootdse search with extended-dn
 control

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 testprogs/blackbox/test_ldb.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/testprogs/blackbox/test_ldb.sh b/testprogs/blackbox/test_ldb.sh
index f326672..60bad44 100755
--- a/testprogs/blackbox/test_ldb.sh
+++ b/testprogs/blackbox/test_ldb.sh
@@ -37,6 +37,8 @@ export PATH="$BINDIR:$PATH"
 ldbsearch="$VALGRIND ldbsearch"
 
 check "RootDSE" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN || failed=`expr $failed + 1`
+check "RootDSE (full)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' || failed=`expr $failed + 1`
+check "RootDSE (extended)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' --extended-dn || failed=`expr $failed + 1`
 
 echo "Getting defaultNamingContext"
 BASEDN=`$ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}'`
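Review bot: the two new `check` lines only verify that `ldbsearch` exits successfully, so the "RootDSE (extended)" case does not actually prove that extended-dn expansion works: a regression that silently returns a plain `serverName` value would still pass. Since the failure in the bug report is an `LDAP_OPERATIONS_ERROR`, the exit-status check does catch that specific regression, but a stronger test would also grep the output for `<GUID=` on the `serverName` line, in the same style as the `defaultNamingContext` extraction that follows. Also, the bug only reproduces for an anonymous bind (`-U%`), so confirm that at least one invocation of `test_ldb.sh` runs with `$options` set to anonymous credentials; if every run is authenticated, this test would have passed before the fix too.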
-- 
1.9.1