[Samba] Ldapsearch against Samba AD returns records outside the search base
Rowland penny
rpenny at samba.org
Sat Feb 1 17:22:53 UTC 2020
On 01/02/2020 16:29, Palle Kuling via samba wrote:
>
>
> Queried against Samba 4.11.4 (query is for OU=Business but response is
> from OU=Test):
> $ldapsearch -D username at internal.xxx.yy -w password -H
> ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy
> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
> # extended LDIF
> #
> # LDAPv3
> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
> # filter:
> (&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
> # requesting: ALL
> #
>
> # Test Admin, Test, internal.xxx.yy
> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> <snip>
> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Queried against Samba 4.9.4 (the response from OU=Test is not returned
> in this case):
> ~/samba-4.9.4$ ldapsearch -D username at internal.xxx.yy -w password -H
> ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy
> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
> # extended LDIF
> #
> # LDAPv3
> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
> # filter:
> (&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
You are searching across one level; 'OU=Test' and 'ou=business' are on
the same level, so if a user exists with the sAMAccountName 'testadmin'
in the OU 'Test', of course it will be returned. Try 'sub' instead of 'one'.
>
> Queried from the external system against Samba 4.11.4:
> [560] Creating LDAP context with uri=ldaps://192.168.1.1:636
> [560] Connect to LDAP server: ldaps://192.168.1.1:636, status =
> Successful
> [560] supportedLDAPVersion: value = 2
> [560] supportedLDAPVersion: value = 3
> [560] Binding as username at internal.xxx.yy
> [560] Performing Simple authentication for username at internal.xxx.yy to
> 192.168.1.1
> [560] LDAP Search:
> Base DN = [ou=Business,dc=internal,dc=xxx,dc=yy]
> Filter = [sAMAccountName=testadmin]
> Scope = [ONE LEVEL]
> [560] User DN = [CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy] <---
> This User DN was not returned in the past
If it wasn't returned in the past, then it was a problem that has now
been fixed.
>
> And for completeness, these are the ldbsearches against Samba 4.11.4
> database, which honor the base:
> /usr/local/samba/private/sam.ldb.d# ldbsearch -H
> DC=INTERNAL,DC=XXX,DC=YY.ldb -b
Please do not search on those .ldb files; please only search on
'sam.ldb' or use 'ldap://DCNAME'.
Rowland
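The external system in this thread trusts the directory to honour the search base and scope when it picks the user's DN; when the base is what confines authentication to one OU, the client should verify that itself. The following is an added example, not code from the thread or from Samba: a small client-side check (function names and the sample DNs are constructed for illustration) that parses the returned DNs and reports any entry that falls outside the requested base for the requested scope ('base', 'one' or 'sub'). It generalises the thread's one-level case to all three scopes.

```python
import re

# Split a DN on commas that are not backslash-escaped, so a value such as
# "CN=Smith\, John" stays one RDN.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def normalize_dn(dn: str) -> tuple:
    """Return the DN as a tuple of normalised RDN strings, leaf first.

    Normalisation trims whitespace and lower-cases attribute type and value.
    That is enough to compare DNs issued by one directory; it is not full
    RFC 4518 string preparation.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition('=')
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn lies within base_dn for LDAP scope 'base', 'one' or 'sub'."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    # The entry must end with the base's RDNs, otherwise it is under a sibling
    # (e.g. OU=Test next to OU=Business) or a different tree entirely.
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)  # RDNs below the base
    if scope == 'base':
        return depth == 0
    if scope == 'one':
        return depth == 1
    if scope == 'sub':
        return True
    raise ValueError(f"unknown scope {scope!r}")


def out_of_scope(entries, base_dn: str, scope: str) -> list:
    """Return the DNs from a result set that violate the requested base/scope."""
    return [dn for dn in entries if not in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    # Constructed sample: the DN the thread reports for a one-level search
    # under ou=business should be flagged.
    base = "ou=business,dc=internal,dc=xxx,dc=yy"
    results = ["CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy"]
    print(out_of_scope(results, base, "one"))
```

A consumer that authenticates users can refuse any result this check flags instead of binding as it, which keeps the OU restriction enforced on the client side as well as the server side.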