[Samba] [PATCH] Re: Samba 4.1.17 classic update w/LDAP - parsing error
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Sep 24 08:54:37 UTC 2015
On 24/09/15 09:38, Andrew Bartlett wrote:
> On Thu, 2015-09-24 at 08:46 +0100, Rowland Penny wrote:
>
>> It would seem that by allowing ',' & '=' in the 'CN' you are also
>> going to allow it in the 'sAMAccountName', where according to
>> Microsoft it isn't allowed.
> Very interesting. It seems we have two bugs, because those checks
> belong in the samldb layer, not in upgrade.py (except as a more helpful
> wrapper). Sadly such checks are not currently performed. Would you
> like to make a patch?
Well, no I wouldn't like to make a patch, because if I do make a patch
it will be to check if the group name contains any invalid characters
and any such patch would mean your patch wouldn't be needed.

I suggest that something is put on the classicupgrade wiki page to
inform users that you cannot have group names (and I believe other
object names) that contain " / \ [ ] : ; | = , + * ? <>

Rowland
>
> Regardless we should not put user data directly into LDB DNs or filters
> without escaping, here or anywhere else (and fixing it here helps set
> the pattern for code copied elsewhere in Samba, which happens a lot).
>
> Thanks,
>
> Andrew Bartlett
>
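
Added example (not part of the original message, and not Samba's own code): a pure-Python sketch of the two points raised in this thread, reporting which of the characters listed above a name contains, and escaping a value per RFC 4514 before it goes into a DN and per RFC 4515 before it goes into a search filter. The helper names, the sample group names and the `DC=example,DC=com` base are constructed for illustration.

```python
# Added example: standard-library only; does not use Samba's ldb bindings.
SAM_INVALID = set('"/\\[]:;|=,+*?<>')  # the character list quoted in the message


def invalid_sam_chars(name):
    """Return the sorted characters in name that appear in the list above."""
    return sorted(set(name) & SAM_INVALID)


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in '"+,;<>\\=':          # '=' may be backslash-escaped too
            out.append("\\" + ch)
        elif ch == "#" and i == 0:       # only a leading '#' is special
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")            # leading or trailing space
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value for use in a search filter (RFC 4515, section 3)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def group_dn(cn, container):
    """Build a group DN with the CN value escaped."""
    return "CN=%s,%s" % (escape_dn_value(cn), container)


def group_filter(name):
    """Build a search filter with the sAMAccountName value escaped."""
    return "(&(objectClass=group)(sAMAccountName=%s))" % escape_filter_value(name)


if __name__ == "__main__":
    name = "Sales, EMEA=North"           # constructed group name
    print(invalid_sam_chars(name))
    print(group_dn(name, "CN=Users,DC=example,DC=com"))
    print(group_filter("ops*)(cn=*"))    # constructed hostile value
```

The name check and the escaping are complementary: the first decides whether a name is acceptable at all, the second keeps whatever value is used from changing the structure of the DN or filter.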