[Samba] [samba] ldbsearch does not accept escaped parenthesis in filter

mathias dufresne infractory at gmail.com
Tue May 10 15:45:46 UTC 2016


Hi all,

A working search using ldapsearch on some object containing parenthesis in
attribute's value:
-------------------------------------------------------------------------------------------------
ldapsearch -Y GSSAPI -h dc200 -b 'DC=ad,DC=domain,DC=tld' -s sub 'CN=CID 85
\(Join\)' dn
SASL/GSSAPI authentication started
SASL username: administrator at AD.DOMAIN.TLD
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <DC=ad,DC=domain,DC=tld> with scope subtree
# filter: CN=CID 85 \(Join\)
# requesting: dn
#

# CID 85 (Join), Utilisateurs de jonction, Utilisateurs particuliers,
ad.domain.tld
dn: CN=CID 85 (Join),OU=Utilisateurs de jonction,OU=Utilisateurs
particuliers,DC=ad,DC=domain,DC=tld

# CID 85 (Join), Utilisateurs de jonction, Groupes, ad.domain.tld
dn: CN=CID 85 (Join),OU=Utilisateurs de
jonction,OU=Groupes,DC=ad,DC=domain,DC=tld

# search reference
ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld

# search reference
ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld

# search reference
ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld

# search result
search: 4
result: 0 Success

# numResponses: 6
# numEntries: 2
# numReferences: 3
-------------------------------------------------------------------------------------------------

Different tries about same search using ldbsearch:
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam "CN=CID 85 (Join)"
# Referral
ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld

# Referral
ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld

# Referral
ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld

# returned 3 records
# 0 entries
# 3 referrals
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam "CN=CID 85 \(Join\)"
allocating request failed: Unable to parse search expression
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam "CN=CID 85 \\(Join\\)"
allocating request failed: Unable to parse search expression
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam 'CN=CID 85 (Join)'
# Referral
ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld

# Referral
ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld

# Referral
ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld

# returned 3 records
# 0 entries
# 3 referrals
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam 'CN=CID 85 \(Join\)'
allocating request failed: Unable to parse search expression
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam 'CN=CID 85 \\(Join\\)'
allocating request failed: Unable to parse search expression
-------------------------------------------------------------------------------------------------

All these ldbsearch were ran on DC named dc200, the same one used for the
working ldapsearch.

I will agree with the fact using parenthesis is not the best idea we've got
and perhaps we will remove them (at least to simplify searches).

In filter "CN=CID 85 (Join)" the "(Join)" when not escaped is accepted as
another filter pattern like in "(&(pattern1)(pattern2))" and that make the
search returning nothing.

Parenthesis should be escaped as in ldapsearch example but in that case
ldbsearch hangs.

Best regards,

mathias


More information about the samba mailing list