[Samba] Ldapsearch against Samba AD returns records outside the search base

Andrew Bartlett abartlet at samba.org
Sat Feb 1 19:26:29 UTC 2020


On Sat, 2020-02-01 at 17:22 +0000, Rowland penny via samba wrote:
> On 01/02/2020 16:29, Palle Kuling via samba wrote:
> > 
> > Queried against Samba 4.11.4 (query is for OU=Business but response is 
> > from OU=Test):
> > $ldapsearch -D username at internal.xxx.yy -w password -H 
> > ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy 
> > "(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
> > # filter: 
> > (&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
> > # requesting: ALL
> > #
> > 
> > # Test Admin, Test, internal.xxx.yy
> > dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > <snip>
> > distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> > 
> > # search result
> > search: 2
> > result: 0 Success
> > 
> > # numResponses: 2
> > # numEntries: 1
> > 
> You are searching across one level, 'OU=Test' and 'ou=business' are on 
> the same level, so if a user exists with the samaccountname 'testadmin' 
> in the OU 'test', of course it will be returned. Try 'sub' instead of 'one'

G'Day Rowland.

Thank you for your work so far trying to understand this issue.

On this specific point, please see:
https://tools.ietf.org/html/rfc4511#section-4.5.1.2

4.5.1.2.  SearchRequest.scope

   Specifies the scope of the Search to be performed.  The semantics (as
   described in [X.511]) of the defined values of this field are:

      baseObject: The scope is constrained to the entry named by
      baseObject.

*      singleLevel: The scope is constrained to the immediate
*      subordinates of the entry named by baseObject.

      wholeSubtree: The scope is constrained to the entry named by
      baseObject and to all its subordinates.


singleLevel is what we call 'one'.  The OP is entitled to expect RFC
conformant behaviour in this case.  'sub' (wholeSubtree in RFC
language) might be a workaround but we need to get to the bottom of
this.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
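A client-side cross-check of the scope rule quoted above, added here as an illustration (it is not Samba or ldapsearch code): it classifies each returned DN against the search base and scope, so a result like the OU=Test entry in the original query is flagged rather than silently trusted. It assumes simple DNs with no escaped commas inside RDN values; the sample DNs are taken from the thread.

```python
"""Check whether an LDAP entry falls inside a SearchRequest scope (RFC 4511 4.5.1.2).

Added illustration, not Samba code. Assumes DNs contain no escaped commas
(\\,) inside RDN values; normalisation is lowercase + whitespace trimming,
which is adequate for the DC/OU/CN names used in this thread.
"""


def _rdns(dn: str) -> list:
    """Split a DN into normalised 'type=value' RDN strings, leftmost first."""
    parts = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return parts


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn is a valid result for a search rooted at base_dn.

    scope uses the ldapsearch -s names: 'base' (baseObject),
    'one' (singleLevel), 'sub' (wholeSubtree).
    """
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    # The entry must end with the base's RDN sequence to be the base or below it.
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)  # 0 = the base itself, 1 = immediate subordinate
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def out_of_scope(results, base_dn, scope):
    """Return the DNs in results that the server should not have returned."""
    return [dn for dn in results if not in_scope(dn, base_dn, scope)]


# Constructed from the thread: the query base and the single entry returned.
BASE = "ou=business,dc=internal,dc=xxx,dc=yy"
RETURNED = ["CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy"]

if __name__ == "__main__":
    print(out_of_scope(RETURNED, BASE, "one"))
```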
