mathias dufresne
2016-May-10 15:45 UTC
[Samba] [samba] ldbsearch does not accept escaped parenthesis in filter
Hi all,

A working search using ldapsearch on some object containing parentheses in an attribute's value:

-------------------------------------------------------------------------------------------------
ldapsearch -Y GSSAPI -h dc200 -b 'DC=ad,DC=domain,DC=tld' -s sub 'CN=CID 85 \(Join\)' dn
SASL/GSSAPI authentication started
SASL username: administrator at AD.DOMAIN.TLD
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <DC=ad,DC=domain,DC=tld> with scope subtree
# filter: CN=CID 85 \(Join\)
# requesting: dn
#

# CID 85 (Join), Utilisateurs de jonction, Utilisateurs particuliers, ad.domain.tld
dn: CN=CID 85 (Join),OU=Utilisateurs de jonction,OU=Utilisateurs particuliers,DC=ad,DC=domain,DC=tld

# CID 85 (Join), Utilisateurs de jonction, Groupes, ad.domain.tld
dn: CN=CID 85 (Join),OU=Utilisateurs de jonction,OU=Groupes,DC=ad,DC=domain,DC=tld

# search reference
ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld

# search reference
ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld

# search reference
ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld

# search result
search: 4
result: 0 Success

# numResponses: 6
# numEntries: 2
# numReferences: 3
-------------------------------------------------------------------------------------------------

Different tries at the same search using ldbsearch:

-------------------------------------------------------------------------------------------------
ldbsearch -H $sam "CN=CID 85 (Join)"
# Referral
ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld

# Referral
ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld

# Referral
ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld

# returned 3 records
# 0 entries
# 3 referrals
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam "CN=CID 85 \(Join\)"
allocating request failed: Unable to parse search expression
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam "CN=CID 85 \\(Join\\)"
allocating request failed: Unable to parse search expression
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam 'CN=CID 85 (Join)'
# Referral
ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld

# Referral
ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld

# Referral
ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld

# returned 3 records
# 0 entries
# 3 referrals
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam 'CN=CID 85 \(Join\)'
allocating request failed: Unable to parse search expression
-------------------------------------------------------------------------------------------------
ldbsearch -H $sam 'CN=CID 85 \\(Join\\)'
allocating request failed: Unable to parse search expression
-------------------------------------------------------------------------------------------------

All these ldbsearch commands were run on the DC named dc200, the same one used for the working ldapsearch.

I will agree with the fact that using parentheses is not the best idea we've got and perhaps we will remove them (at least to simplify searches).

In filter "CN=CID 85 (Join)" the "(Join)" when not escaped is accepted as another filter pattern like in "(&(pattern1)(pattern2))" and that makes the search return nothing.

Parentheses should be escaped as in the ldapsearch example but in that case ldbsearch hangs.

Best regards,

mathias
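Added example, not part of the original thread: RFC 4515 writes a filter-special character inside a value as a backslash followed by two hex digits, so `(` and `)` become `\28` and `\29`, and the strict decoder below rejects both the unescaped and the `\(` forms tried above. The function names are hypothetical, and the code only builds and checks filter strings; it does not call ldapsearch or ldbsearch.

```python
import re

# Characters RFC 4515 requires to be escaped inside an assertion value.
_SPECIAL = {"\\", "*", "(", ")", "\x00"}
# A valid escape is a backslash followed by exactly two hex digits.
_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def escape_filter_value(value: str) -> str:
    """Return value with filter-special characters written as \\XX."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _SPECIAL else ch for ch in value
    )


def unescape_filter_value(escaped: str) -> str:
    """Strictly decode a value; reject bare specials and the \\( style."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == "\\":
            m = _ESCAPE.match(escaped, i)
            if m is None:
                raise ValueError("offset %d: backslash needs two hex digits" % i)
            out.append(int(m.group(1), 16))
            i = m.end()
        elif ch in "()*\x00":
            raise ValueError("offset %d: unescaped %r" % (i, ch))
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def equality_filter(attr: str, value: str) -> str:
    """Build a parenthesised equality filter with the value escaped."""
    # Assumption: attribute names are plain descriptors (letters, digits, '-').
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
        raise ValueError("unexpected attribute name: %r" % attr)
    return "(%s=%s)" % (attr, escape_filter_value(value))


if __name__ == "__main__":
    # Constructed sample input: the CN value from the thread.
    print(equality_filter("CN", "CID 85 (Join)"))
```

Escaping every value this way before it is placed in a filter also keeps untrusted input from changing the filter's structure.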
mathias dufresne
2016-May-10 15:53 UTC
[Samba] [samba] ldbsearch does not accept escaped parenthesis in filter
Sorry, I forgot something rather important: Samba version 4.4.3

2016-05-10 17:45 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hi all,
>
> A working search using ldapsearch on some object containing parentheses in
> an attribute's value:
>
> -------------------------------------------------------------------------------------------------
> ldapsearch -Y GSSAPI -h dc200 -b 'DC=ad,DC=domain,DC=tld' -s sub 'CN=CID
> 85 \(Join\)' dn
> SASL/GSSAPI authentication started
> SASL username: administrator at AD.DOMAIN.TLD
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <DC=ad,DC=domain,DC=tld> with scope subtree
> # filter: CN=CID 85 \(Join\)
> # requesting: dn
> #
>
> # CID 85 (Join), Utilisateurs de jonction, Utilisateurs particuliers,
> ad.domain.tld
> dn: CN=CID 85 (Join),OU=Utilisateurs de jonction,OU=Utilisateurs
> particuliers,DC=ad,DC=domain,DC=tld
>
> # CID 85 (Join), Utilisateurs de jonction, Groupes, ad.domain.tld
> dn: CN=CID 85 (Join),OU=Utilisateurs de
> jonction,OU=Groupes,DC=ad,DC=domain,DC=tld
>
> # search reference
> ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld
>
> # search reference
> ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld
>
> # search reference
> ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 6
> # numEntries: 2
> # numReferences: 3
>
> -------------------------------------------------------------------------------------------------
>
> Different tries at the same search using ldbsearch:
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam "CN=CID 85 (Join)"
> # Referral
> ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld
>
> # Referral
> ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld
>
> # Referral
> ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam "CN=CID 85 \(Join\)"
> allocating request failed: Unable to parse search expression
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam "CN=CID 85 \\(Join\\)"
> allocating request failed: Unable to parse search expression
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam 'CN=CID 85 (Join)'
> # Referral
> ref: ldap://ad.domain.tld/CN=Configuration,DC=ad,DC=domain,DC=tld
>
> # Referral
> ref: ldap://ad.domain.tld/DC=DomainDnsZones,DC=ad,DC=domain,DC=tld
>
> # Referral
> ref: ldap://ad.domain.tld/DC=ForestDnsZones,DC=ad,DC=domain,DC=tld
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam 'CN=CID 85 \(Join\)'
> allocating request failed: Unable to parse search expression
>
> -------------------------------------------------------------------------------------------------
> ldbsearch -H $sam 'CN=CID 85 \\(Join\\)'
> allocating request failed: Unable to parse search expression
>
> -------------------------------------------------------------------------------------------------
>
> All these ldbsearch commands were run on the DC named dc200, the same one
> used for the working ldapsearch.
>
> I will agree with the fact that using parentheses is not the best idea we've
> got and perhaps we will remove them (at least to simplify searches).
>
> In filter "CN=CID 85 (Join)" the "(Join)" when not escaped is accepted as
> another filter pattern like in "(&(pattern1)(pattern2))" and that makes the
> search return nothing.
>
> Parentheses should be escaped as in the ldapsearch example but in that case
> ldbsearch hangs.
>
> Best regards,
>
> mathias
>