[Samba] [samba] ldbsearch does not accept escaped parenthesis in filter

Tue May 10 15:53:58 UTC 2016

Sorry, I forget something rather important: Samba version 4.4.3


2016-05-10 17:45 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hi all,
>
> A working search using ldapsearch on some object containing parenthesis in
> attribute's value:
>
> -------------------------------------------------------------------------------------------------
> ldapsearch -Y GSSAPI -h dc200 -b 'DC=ad,DC=domain,DC=tld' -s sub 'CN=CID
> 85 \(Join\)' dn
> SASL/GSSAPI authentication started
> SASL username: administrator at AD.DOMAIN.TLD
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <DC=ad,DC=domain,DC=tld> with scope subtree
> # filter: CN=CID 85 \(Join\)
> # requesting: dn
> #
>
> # CID 85 (Join), Utilisateurs de jonction, Utilisateurs particuliers,
> ad.domain.tld
> dn: CN=CID 85 (Join),OU=Utilisateurs de jonction,OU=Utilisateurs
> particuliers,DC=ad,DC=domain,DC=tld
>
> # CID 85 (Join), Utilisateurs de jonction, Groupes, ad.domain.tld
> dn: CN=CID 85 (Join),OU=Utilisateurs de
> jonction,OU=Groupes,DC=ad,DC=domain,DC=tld
>
> # search reference
> ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld
>
> # search reference
> ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld
>
> # search reference
> ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 6
> # numEntries: 2
> # numReferences: 3
>
> -------------------------------------------------------------------------------------------------
>
> Different tries about same search using ldbsearch:
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam "CN=CID 85 (Join)"
> # Referral
> ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld
>
> # Referral
> ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld
>
> # Referral
> ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam "CN=CID 85 \(Join\)"
> allocating request failed: Unable to parse search expression
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam "CN=CID 85 \\(Join\\)"
> allocating request failed: Unable to parse search expression
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam 'CN=CID 85 (Join)'
> # Referral
> ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld
>
> # Referral
> ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld
>
> # Referral
> ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam 'CN=CID 85 \(Join\)'
> allocating request failed: Unable to parse search expression
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam 'CN=CID 85 \\(Join\\)'
> allocating request failed: Unable to parse search expression
>
> -------------------------------------------------------------------------------------------------
>
> All these ldbsearch were ran on DC named dc200, the same one used for the
> working ldapsearch.
>
> I will agree with the fact using parenthesis is not the best idea we've
> got and perhaps we will remove them (at least to simplify searches).
>
> In filter "CN=CID 85 (Join)" the "(Join)" when not escaped is accepted as
> another filter pattern like in "(&(pattern1)(pattern2))" and that make the
> search returning nothing.
>
> Parenthesis should be escaped as in ldapsearch example but in that case
> ldbsearch hangs.
>
> Best regards,
>
> mathias
>