[Samba] Ldapsearch against Samba AD returns records outside the search base

Christian Naumer cn at brain-biotech.de
Sun Feb 2 14:39:44 UTC 2020 

Hello all,
I just tried this on our setup and it ist the same there. I get results
from other OUs. Using sub instead of one I get the "right" results.


Regards

Christian


Am 01.02.20 um 20:26 schrieb Andrew Bartlett via samba:
> On Sat, 2020-02-01 at 17:22 +0000, Rowland penny via samba wrote:
>> On 01/02/2020 16:29, Palle Kuling via samba wrote:
>>>
>>> Queried against Samba 4.11.4 (query is for OU=Business but response is 
>>> from OU=Test):
>>> $ldapsearch -D username at internal.xxx.yy -w password -H 
>>> ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy 
>>> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
>>> # filter: 
>>> (&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
>>> # requesting: ALL
>>> #
>>>
>>> # Test Admin, Test, internal.xxx.yy
>>> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> <snip>
>>> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>> You are searching across one level, 'OU=Test' and 'ou=business' are on 
>> the same level, so if a user exists with the samaccountname 'testadmin' 
>> in the OU 'test', of course it will be returned. Try 'sub' instead of 'one'
> 
> G'Day Rowland.
> 
> Thank you for your work so far trying to understand this issue.
> 
> On this specific point, please see:
> https://tools.ietf.org/html/rfc4511#section-4.5.1.2
> 
> 4.5.1.2.  SearchRequest.scope
> 
>    Specifies the scope of the Search to be performed.  The semantics
> (as
>    described in [X.511]) of the defined values of this field are:
> 
>       baseObject: The scope is constrained to the entry named by
>       baseObject.
> 
> *      singleLevel: The scope is constrained to the immediate
> *      subordinates of the entry named by baseObject.
> 
>       wholeSubtree: The scope is constrained to the entry named by
>       baseObject and to all its subordinates.
> 
> 
> singleLevel is what we call 'one'.  The OP is entitled to expect RFC
> conformant behaviour in this case.  'sub' (wholeSubtree in RFC
> language) might be a workaround but we need to get to the bottom of
> this.
> 
> Thanks,
> 
> Andrew Bartlett
> 

-- 
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender), Manfred Bender,
Ludger Roedder
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen

More information about the samba mailing list