samba - Nov 2023 - LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Hi Andrew,

Sorry for the couple of days silence; I've been creating a bash script
to use with 'git bisect' (it's been a little slow in my testing, as
the script compiles each version before testing the query with
ldapsearch, and it takes a little while to re-run when I have been
debugging it)

On Mon, 6 Nov 2023 at 19:30, Andrew Bartlett <abartlet at samba.org>
wrote:
> > Op 06-11-2023 om 14:58 schreef Jonathan Hunter:
> > > Interestingly, I've now found that (on my current DCs,
running
> > > 4.18.5), ldbsearch *does* seem to return the expected result, but
> > > the
> > > same query via ldapsearch does not.
>
> Just to narrow this down, can you look into ldbsearch -H ldap:// vs
> ldapsearch -H ldap://
>
> This will eliminate some protocol issues between the codebases.
Of course.

As of 4.18.5:
- ldbsearch -H ldap:// - FAIL
- ldbsearch -H sam.ldb - PASS
- ldapsearch -H ldap:// - FAIL

I'm trying my 'git bisect' script overnight but I'm not certain
I have
it 100% right yet. If that does fail I can always manually pick a
couple of tags/commits to try individually - you suggested I pick out
the CVE changes from the log, which I'll then do if I can't get 'git
bisect' working in the next couple of days.

Thank you,

Jonathan

On Thu, 2023-11-09 at 23:29 +0000, Jonathan Hunter via samba
wrote:
> Hi Andrew,
> 
> Sorry for the couple of days silence; I've been creating a bash
> script
> to use with 'git bisect' (it's been a little slow in my
testing, as
> the script compiles each version before testing the query with
> ldapsearch, and it takes a little while to re-run when I have been
> debugging it)
No worries!  Most folks just run away when I suggest it, but is a good
way to get a lead on a problem that doesn't involve deep diagnostics on
my side, so is an efficient way that I can get users to help, without stretching
me too thin.
> On Mon, 6 Nov 2023 at 19:30, Andrew Bartlett <
> abartlet at samba.org
> > wrote:
> > > Op 06-11-2023 om 14:58 schreef Jonathan Hunter:
> > > > Interestingly, I've now found that (on my current DCs,
running
> > > > 4.18.5), ldbsearch *does* seem to return the expected
result,
> > > > but
> > > > the
> > > > same query via ldapsearch does not.
> > 
> > Just to narrow this down, can you look into ldbsearch -H ldap:// vs
> > ldapsearch -H ldap://
> > 
> > This will eliminate some protocol issues between the codebases.
> 
> Of course.
> 
> As of 4.18.5:
> - ldbsearch -H ldap:// - FAIL
> - ldbsearch -H sam.ldb - PASS
> - ldapsearch -H ldap:// - FAIL
OK, so it most likely the permissions handling. 

If your automated bisect becomes a pain, or you want to debug in the
traditional way, look into permissions and ensure your connecting user
can see all the way down the chain, and check if specifying the matched
attribute helps.
> I'm trying my 'git bisect' script overnight but I'm not
certain I
> have
> it 100% right yet. If that does fail I can always manually pick a
> couple of tags/commits to try individually - you suggested I pick out
> the CVE changes from the log, which I'll then do if I can't get
'git
> bisect' working in the next couple of days.
Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions