[Samba] [PATCH] Re: Samba 4.1.17 classic update w/LDAP - parsing error

Andrew Bartlett abartlet at samba.org
Thu Sep 24 08:38:36 UTC 2015

On Thu, 2015-09-24 at 08:46 +0100, Rowland Penny wrote:

> It would seem that by allowing ',' & '=' in the 'CN' you are also
> going 
> to allow it in the 'sAMAccountName', where according to microsoft it 
> isn't allowed.

Very interesting.  It seems we have two bugs, because those checks
belong in the samldb layer, not in upgrade.py (except as a more helpful
wrapper).  Sadly such checks are not currently preformed.  Would you
like to make a patch?

Regardless we should not put user data directly into LDB DNs or filters
without escaping, here or anywhere else (and fixing it here helps set
the pattern for code copied elsewhere in Samba, which happens a lot). 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list