[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Jonathan Hunter
jmhunter1 at gmail.com
Sun Nov 5 22:25:33 UTC 2023
I'm quite confused by this one, as I can't see how this would happen..
but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't
seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
now as well)
Here's a search that now returns nothing after my DC upgrades; this
exact search used to work just fine:
(&
(objectCategory=Person)
(sAMAccountName=*)
(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
)
But if I remove the matching rule specifier, it does return a number of results:
(&
(objectCategory=Person)
(sAMAccountName=*)
(memberOf=CN=somegroup,OU=someou,DC=mydomain,DC=org)
)
The data in my AD hasn't changed; I am guessing that
LDAP_MATCHING_RULE_IN_CHAIN is still supported in 4.18 and most likely
something didn't quite go perfectly to plan during the upgrade of my
DCs.
Looking at a sample user object, I can see the group listed in the
user's memberOf attribute (i.e. the user is a direct member of the
group) - so I'm not sure why a search using
LDAP_MATCHING_RULE_IN_CHAIN simply returns no results now.
Are there any indexes or internal values I could check, to see if I
can debug this any further? A 'samba-tool dbcheck --cross-ncs' didn't
reveal anything, but I'm not sure of the best way to investigate this
one further.
Thanks for any pointers,
Cheers
Jonathan
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
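As an added illustration (not part of the post above or of Samba's own code): the two filters in the post differ only in that the chained form follows memberOf transitively through nested groups, so its result set must always contain the plain memberOf result. The Python below models both forms on a constructed in-memory directory and adds a consistency check that can be applied to the two result sets returned by a real DC; the DN normalisation is a deliberate simplification (assumption) of how AD compares DNs.

```python
from collections import deque

# Constructed sample directory (not real data): DN -> (objectCategory, memberOf).
# bob is a member of "nested", which is a member of "somegroup", so bob only
# matches the chained form of the filter.
SOMEGROUP = "CN=somegroup,OU=someou,DC=mydomain,DC=org"
NESTED = "CN=nested,OU=someou,DC=mydomain,DC=org"
SAMPLE_DIRECTORY = {
    "CN=alice,OU=someou,DC=mydomain,DC=org": ("Person", [SOMEGROUP]),
    "CN=bob,OU=someou,DC=mydomain,DC=org": ("Person", [NESTED]),
    "CN=carol,OU=someou,DC=mydomain,DC=org": ("Person", []),
    NESTED: ("Group", [SOMEGROUP]),
    SOMEGROUP: ("Group", []),
}

def _norm(dn):
    """Simplified DN normalisation (assumption): AD DNs are case-insensitive."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def direct_members(directory, group_dn, category="Person"):
    """(&(objectCategory=<category>)(memberOf=<group_dn>)): direct members only."""
    target = _norm(group_dn)
    return {dn for dn, (cat, groups) in directory.items()
            if cat == category and target in {_norm(g) for g in groups}}

def chained_members(directory, group_dn, category="Person"):
    """Chained (1.2.840.113556.1.4.1941) form: walks memberOf transitively."""
    target = _norm(group_dn)
    by_norm = {_norm(dn): groups for dn, (_, groups) in directory.items()}
    result = set()
    for dn, (cat, groups) in directory.items():
        if cat != category:
            continue
        seen, queue = set(), deque(_norm(g) for g in groups)
        while queue:  # breadth-first over nested groups; 'seen' stops cycles
            g = queue.popleft()
            if g in seen:
                continue
            seen.add(g)
            if g == target:
                result.add(dn)
                break
            queue.extend(_norm(x) for x in by_norm.get(g, []))
    return result

def diagnose(direct, chained):
    """Chained result must be a superset of the direct one; empty chained + non-empty direct = BROKEN."""
    if direct and not chained:
        return "BROKEN"
    if not direct <= chained:
        return "INCONSISTENT"
    return "OK"
```

Feeding the real result sets of the two searches from the post into diagnose() gives "BROKEN" for the symptom described, which points at the DC's matching-rule handling rather than at the data.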