[Samba] Strange behaviour with LDAP searches

Heiko Wundram modelnine at modelnine.org
Tue Aug 25 21:25:12 UTC 2015



Hey,

I stumbled across strange behaviour with LDAP searches against a Samba
4 AD today, where queries for (&(objectClass=x)(|(...)(...))) won't
deliver any result, whereas queries (|(...)(...)) will function
correctly. To illustrate:

---
modelnine@xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
    -b "dc=id,dc=modelnine,dc=org" -W \
    -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
    "(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))"
...
# LDAPv3
# base <dc=id,dc=modelnine,dc=org> with scope subtree
# filter: (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))
# requesting: ALL
#

# Guests, Builtin, id.modelnine.org
dn: CN=Guests,CN=Builtin,DC=id,DC=modelnine,DC=org
objectClass: top
objectClass: group
cn: Guests
...

# Users, Builtin, id.modelnine.org
dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
objectClass: top
objectClass: group
cn: Users
...

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 2
# numReferences: 3
---

vs.

---
modelnine@xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
    -b "dc=id,dc=modelnine,dc=org" -W \
    -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
    "(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))"
...
# LDAPv3
# base <dc=id,dc=modelnine,dc=org> with scope subtree
# filter: (&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
# requesting: ALL
#

...

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3
---

Searching with (objectClass=...) but only one (distinguishedName=...)
specifier yields the correct result:

---
modelnine@xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
    -b "dc=id,dc=modelnine,dc=org" -W \
    -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
    "(&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))"
...
# LDAPv3
# base <dc=id,dc=modelnine,dc=org> with scope subtree
# filter: (&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))
# requesting: ALL
#

# Users, Builtin, id.modelnine.org
dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
objectClass: top
objectClass: group
cn: Users
...

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
---

Is this expected behaviour (I don't think so, at least I wouldn't
understand why)? Anyway, the above seems to be happening with Samba 4
starting from somewhere around 4.1.17 and tdb 1.3.6, as I can
reproduce it with an installation of 4.1.19 and a current 4.2.3
(sernet packages on Debian), whereas the above queries must have
functioned correctly on a vanilla Debian Jessie installation
beforehand (as there is software such as Redmine plugins which rely on
being able to search for (objectClass=...)(|(dn=...)(dn=...))).

Thanks for any heads up, and I'll gladly make a bug report out of this!

-- 
Heiko Wundram.
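
What the three filters in the message above should return under standard LDAP filter semantics (RFC 4515), as an added example that is not part of the original post and is not Samba code. It evaluates the filters over constructed entries that mirror the ldapsearch output; the objectClass of the Machine Account entry is assumed, and `parse_filter`, `matches` and `search` are hypothetical helper names.

```python
BASE = "dc=id,dc=modelnine,dc=org"
# Constructed directory: DNs and group objectClass values are taken from the
# output in the post; the objectClass of "Machine Account" is an assumption.
ENTRIES = [
    {"distinguishedname": ["CN=Guests,CN=Builtin," + BASE], "objectclass": ["top", "group"]},
    {"distinguishedname": ["CN=Users,CN=Builtin," + BASE], "objectclass": ["top", "group"]},
    {"distinguishedname": ["CN=Machine Account,CN=Users," + BASE], "objectclass": ["top", "user"]},
]

def parse_filter(text, pos=0):
    """Parse the RFC 4515 subset used in the post (&, |, !, equality)."""
    if not text.startswith("(", pos):
        raise ValueError(f"expected '(' at offset {pos}")
    op = text[pos + 1]
    if op in "&|!":
        children, pos = [], pos + 2
        while text.startswith("(", pos):
            child, pos = parse_filter(text, pos)
            children.append(child)
        if not text.startswith(")", pos):
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)
    # Split on the first "=" only: DN values contain further "=" signs.
    attr, _, value = text[pos + 1:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter on one entry (case-insensitive equality,
    a simplification of real DN and attribute matching rules)."""
    if node[0] == "=":
        _, attr, value = node
        return value in (v.lower() for v in entry.get(attr, []))
    results = [matches(child, entry) for child in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def search(filter_text):
    """Return the sorted DNs of all constructed entries matching the filter."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(e["distinguishedname"][0] for e in ENTRIES if matches(node, e))

# The three filters from the post, built from its own DNs.
USERS = "(distinguishedName=cn=Users,cn=Builtin," + BASE + ")"
GUESTS = "(distinguishedName=cn=Guests,cn=Builtin," + BASE + ")"
OR_ONLY = "(|" + USERS + GUESTS + ")"
AND_OR = "(&(objectClass=group)" + OR_ONLY + ")"
AND_ONE = "(&(objectClass=group)" + USERS + ")"
```

`search(AND_OR)` returns the same two group DNs as `search(OR_ONLY)`, which is the result the second ldapsearch run in the post did not deliver.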


