[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Andrew Bartlett abartlet at samba.org
Fri Nov 10 02:57:14 UTC 2023


On Thu, 2023-11-09 at 23:29 +0000, Jonathan Hunter via samba wrote:
> Hi Andrew,
> 
> Sorry for the couple of days' silence; I've been creating a bash script
> to use with 'git bisect' (it's been a little slow in my testing, as
> the script compiles each version before testing the query with
> ldapsearch, and it takes a little while to re-run when I have been
> debugging it)

No worries!  Most folks just run away when I suggest it, but it is a
good way to get a lead on a problem that doesn't involve deep
diagnostics on my side, so it is an efficient way that I can get users
to help, without stretching me too thin.

> On Mon, 6 Nov 2023 at 19:30, Andrew Bartlett <abartlet at samba.org> wrote:
> > > On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> > > > Interestingly, I've now found that (on my current DCs, running
> > > > 4.18.5), ldbsearch *does* seem to return the expected result, but
> > > > the same query via ldapsearch does not.
> > 
> > Just to narrow this down, can you look into ldbsearch -H ldap:// vs
> > ldapsearch -H ldap://
> > 
> > This will eliminate some protocol issues between the codebases.
> 
> Of course.
> 
> As of 4.18.5:
> - ldbsearch -H ldap:// - FAIL
> - ldbsearch -H sam.ldb - PASS
> - ldapsearch -H ldap:// - FAIL

OK, so it is most likely the permissions handling.

If your automated bisect becomes a pain, or you want to debug in the
traditional way, look into permissions and ensure your connecting user
can see all the way down the chain, and check if specifying the matched
attribute helps.

> I'm trying my 'git bisect' script overnight but I'm not certain I have
> it 100% right yet. If that does fail I can always manually pick a
> couple of tags/commits to try individually - you suggested I pick out
> the CVE changes from the log, which I'll then do if I can't get 'git
> bisect' working in the next couple of days.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
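
A sketch of the kind of 'git bisect run' helper discussed in this thread, added here as an illustration; it is not the script from the thread and not Samba project code. The host, DNs, password file and the BUILD_AND_START hook are placeholders, and it assumes the regression shows up as an empty result set rather than an LDAP error.

```shell
#!/usr/bin/env bash
# Added illustration: a 'git bisect run' helper for an in-chain LDAP query.
# Every value below is a constructed placeholder, not taken from the thread.
IN_CHAIN_OID="1.2.840.113556.1.4.1941"    # LDAP_MATCHING_RULE_IN_CHAIN
LDAP_URI="${LDAP_URI:-ldap://dc1.example.test}"
BIND_DN="${BIND_DN:-CN=testuser,CN=Users,DC=example,DC=test}"
BASE_DN="${BASE_DN:-DC=example,DC=test}"
GROUP_DN="${GROUP_DN:-CN=outer,CN=Users,DC=example,DC=test}"
PW_FILE="${PW_FILE:-./bisect-pw.txt}"

# Build the transitive-membership filter for a group DN.
in_chain_filter() {
    printf '(memberOf:%s:=%s)' "$IN_CHAIN_OID" "$1"
}

# Count entries in LDIF read from stdin ("dn:" or base64 "dn::" lines).
count_entries() {
    grep -c -E '^dn::? ' || true
}

# Map one test run onto the exit codes 'git bisect run' understands:
# 0 = good, 1 = bad, 125 = this commit cannot be tested (skip).
verdict() {  # args: build_rc query_rc entry_count
    if [ "$1" -ne 0 ] || [ "$2" -ne 0 ]; then
        echo 125    # a broken build or unreachable DC says nothing about the bug
    elif [ "$3" -ge 1 ]; then
        echo 0
    else
        echo 1      # assumption: the regression shows up as an empty result
    fi
}

main() {
    local build_rc=0 query_rc=0 ldif n
    # BUILD_AND_START is a hypothetical hook: the path to your own script that
    # compiles this commit and starts a test DC from it. Unset means "skip".
    "${BUILD_AND_START:-false}" || build_rc=$?
    # Bind options are placeholders; use whatever your DC accepts.
    ldif=$(ldapsearch -LLL -o ldif-wrap=no -x -H "$LDAP_URI" -D "$BIND_DN" \
        -y "$PW_FILE" -b "$BASE_DN" "$(in_chain_filter "$GROUP_DN")" 1.1) \
        || query_rc=$?
    n=$(printf '%s\n' "$ldif" | count_entries)
    exit "$(verdict "$build_rc" "$query_rc" "$n")"
}

# Only act when invoked as: git bisect run ./bisect-inchain.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Returning 125 for build or connection failures keeps commits that cannot be tested from being recorded as bad, which would otherwise point the bisect at the wrong change.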



