[Samba] Ldapsearch against Samba AD returns records outside the search base

Rowland penny rpenny at samba.org
Sat Feb 1 17:22:53 UTC 2020


On 01/02/2020 16:29, Palle Kuling via samba wrote:
>
>
> Queried against Samba 4.11.4 (query is for OU=Business but response is 
> from OU=Test):
> $ ldapsearch -D username@internal.xxx.yy -w password -H ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy "(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
> # extended LDIF
> #
> # LDAPv3
> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
> # filter: (&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
> # requesting: ALL
> #
>
> # Test Admin, Test, internal.xxx.yy
> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> <snip>
> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Queried against Samba 4.9.4 (the response from OU=Test is not returned in this case):
> ~/samba-4.9.4$ ldapsearch -D username@internal.xxx.yy -w password -H ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy "(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
> # extended LDIF
> #
> # LDAPv3
> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
> # filter: (&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
You are searching across one level, 'OU=Test' and 'ou=business' are on the same level, so if a user exists with the samaccountname 'testadmin' in the OU 'test', of course it will be returned. Try 'sub' instead of 'one'.
>
> Queried from the external system against Samba 4.11.4:
> [560] Creating LDAP context with uri=ldaps://192.168.1.1:636
> [560] Connect to LDAP server: ldaps://192.168.1.1:636, status = Successful
> [560] supportedLDAPVersion: value = 2
> [560] supportedLDAPVersion: value = 3
> [560] Binding as username@internal.xxx.yy
> [560] Performing Simple authentication for username@internal.xxx.yy to 192.168.1.1
> [560] LDAP Search:
>     Base DN = [ou=Business,dc=internal,dc=xxx,dc=yy]
>     Filter  = [sAMAccountName=testadmin]
>     Scope   = [ONE LEVEL]
> [560] User DN = [CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy] <--- This User DN was not returned in the past
If it wasn't returned in the past, then it was a problem that has now 
been fixed.
>
> And for completeness, these are the ldbsearches against the Samba 4.11.4 database, which honor the base:
> /usr/local/samba/private/sam.ldb.d# ldbsearch -H 
> DC=INTERNAL,DC=XXX,DC=YY.ldb -b 

Please do not search on those .ldb files, please only search on 'sam.ldb' or use 'ldap://DCNAME'.

Rowland
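The thread turns on what a one-level search should return: only objects whose immediate parent is the search base. Because the external system takes the DN the directory hands back and binds as that user, a result from outside the requested base is worth catching on the client side rather than trusting the server. Below is an added example (my code, not anything from the thread or from Samba) that checks each `dn:` in an ldapsearch LDIF dump against the requested base and scope; it assumes AD-style case-insensitive DN comparison and decodes no escaping beyond keeping backslash-escaped commas inside their RDN.

```python
"""Check that ldapsearch results honour the requested base and scope.

Added example; DN handling assumes AD conventions (case-insensitive RDNs).
Backslash-escaped commas stay inside their RDN; other escapes are not decoded.
"""
import re


def split_dn(dn):
    """Split a DN into normalised RDNs, most specific first."""
    parts = re.split(r'(?<!\\),', dn)
    return [p.strip().lower() for p in parts if p.strip()]


def dn_within_scope(dn, base, scope):
    """True if `dn` may legitimately be returned for a search with `base`
    and `scope` ('base', 'one' or 'sub', as in `ldapsearch -s`)."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False  # not under the base at all (e.g. a sibling OU)
    depth = len(d) - len(b)  # 0 = the base object itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope %r" % scope)


def out_of_scope_entries(ldif, base, scope):
    """Return every DN in an LDIF dump that violates the base/scope rule."""
    dns = [m.group(1).strip() for m in re.finditer(r'^dn:\s*(.+)$', ldif, re.M)]
    return [dn for dn in dns if not dn_within_scope(dn, base, scope)]


# Constructed LDIF modelled on the 4.11.4 output quoted in the thread:
# a one-level search under ou=business that returned an object from OU=Test.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
objectClass: user
sAMAccountName: testadmin
"""
SEARCH_BASE = "ou=business,dc=internal,dc=xxx,dc=yy"

if __name__ == "__main__":
    for dn in out_of_scope_entries(SAMPLE_LDIF, SEARCH_BASE, "one"):
        print("entry outside the requested search scope:", dn)
```

Run it against the saved output of the query from the thread (`ldapsearch ... > out.ldif`) to flag any entry the server returned from outside the base, whichever side of the version change you are on.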
