RootDSE search with extended-dn (bug #10949)
Stefan (metze) Metzmacher
metze at samba.org
Tue Dec 9 07:49:50 MST 2014
And the attachment...
On 09.12.2014 at 15:48, Stefan (metze) Metzmacher wrote:
> Hi,
>
> here are patches for https://bugzilla.samba.org/show_bug.cgi?id=10949.
>
> An anonymous client can ask for extended-dn on the RootDSE record,
> currently we fail to handle this over LDAP:
>
> root at ub1204-161:~# ldbsearch -U% -H ldap://172.31.9.161 -b '' -s base
> --extended-dn serverName
> search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:567> <>
>
> But it works fine locally (as system).
>
> root at ub1204-161:~# ldbsearch -U% -H /var/lib/samba/private/sam.ldb -b ''
> -s base --extended-dn serverName
> # record 1
> dn:
> serverName:
> <GUID=348c35e1-04e3-4988-a32c-32478d584551>;CN=UB1204-161,CN=Serve
> rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> The trick is to do the extended-dn resolving using the AS_SYSTEM control.
>
> BTW: A FreeIPA client uses such an LDAP query...
>
> Please review and push.
>
> Thanks!
> metze
>
-------------- next part --------------
From d7f6d5d4729fbe24607922aff7798d2cc75ec3f6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 20 Nov 2014 14:21:06 +0100
Subject: [PATCH 1/2] s4:dsdb/rootdse: expand extended dn values with the
AS_SYSTEM control
Otherwise we can't find the GUID of the 'serverName' attribute
as ANONYMOUS.
This results in
root at ub1204-161:~# ldbsearch -U% -H ldap://172.31.9.161 -b '' -s base --extended-dn serverName
search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:567> <>
While it works as system:
root at ub1204-161:~# ldbsearch -U% -H /var/lib/samba/private/sam.ldb -b '' -s base --extended-dn serverName
# record 1
dn:
serverName: <GUID=348c35e1-04e3-4988-a32c-32478d584551>;CN=UB1204-161,CN=Serve
rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base
# returned 1 records
# 1 entries
# 0 referrals
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/dsdb/samdb/ldb_modules/rootdse.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index b13dc9e..111266f 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -142,10 +142,8 @@ static int expand_dn_in_message(struct ldb_module *module, struct ldb_message *m
return ret;
}
-
- ret = ldb_request_add_control(req2,
- LDB_CONTROL_EXTENDED_DN_OID,
- edn_control->critical, edn);
+ ret = dsdb_request_add_controls(req2, DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_EXTENDED_DN);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ldb_error(ldb, ret, "Failed to add control");
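Review bot: the new dsdb_request_add_controls() call drops the two values the old ldb_request_add_control() call passed through, `edn_control->critical` and `edn`, so the client's own extended-dn control (including the DN format it asked for) no longer reaches the internal search; please confirm the requested format is still honoured in the response, and if nothing else in the function references `edn` and `edn_control` any more, remove them so the build does not warn about unused variables. Since DSDB_FLAG_AS_SYSTEM makes this internal lookup bypass access checks, a short comment above the call saying that it only resolves the GUID of DN values the RootDSE already returns to anonymous clients would document why widening the privilege here is acceptable.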
--
1.9.1
From 18de71598619661006980bcae20969c15f956a54 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 21 Nov 2014 14:11:54 +0100
Subject: [PATCH 2/2] testprogs/test_ldb: check rootdse search with extended-dn
control
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
testprogs/blackbox/test_ldb.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/testprogs/blackbox/test_ldb.sh b/testprogs/blackbox/test_ldb.sh
index f326672..60bad44 100755
--- a/testprogs/blackbox/test_ldb.sh
+++ b/testprogs/blackbox/test_ldb.sh
@@ -37,6 +37,8 @@ export PATH="$BINDIR:$PATH"
ldbsearch="$VALGRIND ldbsearch"
check "RootDSE" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x dnsHostName highestCommittedUSN || failed=`expr $failed + 1`
+check "RootDSE (full)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' || failed=`expr $failed + 1`
+check "RootDSE (extended)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base '(objectClass=*)' --extended-dn || failed=`expr $failed + 1`
echo "Getting defaultNamingContext"
BASEDN=`$ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER -s base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}'`
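Review bot: both new checks, like the existing "RootDSE" line, only fail on ldbsearch's exit status (`|| failed=...`), so the "RootDSE (extended)" case would still pass if the server returned serverName without the `<GUID=...>` prefix; pipe the output through a grep for `<GUID=` (or compare the whole serverName value) so the test asserts on the extended form rather than on the search merely succeeding. Also, patch 1/2 states that the failure only occurs as ANONYMOUS, so if `$options` carries credentials this check never exercises the failing path; add a run with `-U%` so the regression is actually covered.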
--
1.9.1
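As an added check that is not part of the mail or of the Samba tree: a small POSIX shell helper that unfolds ldbsearch's LDIF output and verifies that serverName came back in extended-dn form, which is the assertion the test_ldb.sh hunk above does not make. The samples are constructed from the output quoted in the mail and assume LDIF's leading-space continuation marker on the folded line (mail archives often strip it).

```shell
#!/bin/sh
# Added example (not from the mail or the Samba tree): verify that a RootDSE
# search answered the extended-dn request, i.e. that the attribute value
# starts with a <GUID=...> component. Samples are constructed from the
# ldbsearch output quoted in the mail; the folded line is assumed to carry
# LDIF's leading-space continuation marker.

# Good output, as after the fix (one folded attribute line).
SAMPLE_OK='# record 1
dn:
serverName: <GUID=348c35e1-04e3-4988-a32c-32478d584551>;CN=UB1204-161,CN=Serve
 rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base

# returned 1 records'

# Output of a plain search: the DN is returned, but not in extended form.
SAMPLE_PLAIN='# record 1
dn:
serverName: CN=UB1204-161,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base'

# What the unfixed server printed for an anonymous extended-dn search.
SAMPLE_ERR='search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:567> <>'

# unfold_ldif: join LDIF continuation lines (a line starting with a single
# space continues the previous one) so every attribute sits on one line.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { print buf }'
}

# attr_value LDIF NAME: print the (unfolded) value of attribute NAME.
attr_value() {
    printf '%s\n' "$1" | unfold_ldif | sed -n "s/^$2: //p"
}

# check_extended_dn LDIF NAME: succeed only if NAME carries an extended DN:
# a <GUID=...> component, an optional <SID=...> component, then the DN.
check_extended_dn() {
    attr_value "$1" "$2" | grep -Eq \
        '^<GUID=[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}>(;<SID=S-[0-9-]+>)?;.'
}

if check_extended_dn "$SAMPLE_OK" serverName; then
    echo "serverName is an extended DN: $(attr_value "$SAMPLE_OK" serverName)"
else
    echo "serverName is not an extended DN" >&2
fi
```

In test_ldb.sh the same idea reduces to piping the "RootDSE (extended)" search output through this check instead of relying on the exit status alone.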