samba - Feb 2020 - Ldapsearch against Samba AD returns records outside the search base

On Sat, 2020-02-01 at 17:22 +0000, Rowland penny via samba
wrote:
> On 01/02/2020 16:29, Palle Kuling via samba wrote:
> > 
> > Queried against Samba 4.11.4 (query is for OU=Business but response is
> > from OU=Test):
> > $ldapsearch -D username at internal.xxx.yy -w password -H 
> > ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy 
> >
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope
oneLevel
> > # filter: 
> >
(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
> > # requesting: ALL
> > #
> > 
> > # Test Admin, Test, internal.xxx.yy
> > dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > <snip>
> > distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> > 
> > # search result
> > search: 2
> > result: 0 Success
> > 
> > # numResponses: 2
> > # numEntries: 1
> > 
> You are searching across one level, 'OU=Test' and
'ou=business' are on
> the same level, so if a user exists with the samaccountname
'testadmin'
> in the OU 'test', of course it will be returned. Try 'sub'
instead of 'one'
G'Day Rowland.

Thank you for your work so far trying to understand this issue.

On this specific point, please see:
https://tools.ietf.org/html/rfc4511#section-4.5.1.2

4.5.1.2.  SearchRequest.scope

   Specifies the scope of the Search to be performed.  The semantics
(as
   described in [X.511]) of the defined values of this field are:

      baseObject: The scope is constrained to the entry named by
      baseObject.

*      singleLevel: The scope is constrained to the immediate
*      subordinates of the entry named by baseObject.

      wholeSubtree: The scope is constrained to the entry named by
      baseObject and to all its subordinates.


singleLevel is what we call 'one'.  The OP is entitled to expect RFC
conformant behaviour in this case.  'sub' (wholeSubtree in RFC
language) might be a workaround but we need to get to the bottom of
this.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hello all,
I just tried this on our setup and it ist the same there. I get results
from other OUs. Using sub instead of one I get the "right" results.


Regards

Christian


Am 01.02.20 um 20:26 schrieb Andrew Bartlett via samba:
> On Sat, 2020-02-01 at 17:22 +0000, Rowland penny via samba wrote:
>> On 01/02/2020 16:29, Palle Kuling via samba wrote:
>>>
>>> Queried against Samba 4.11.4 (query is for OU=Business but response
is
>>> from OU=Test):
>>> $ldapsearch -D username at internal.xxx.yy -w password -H 
>>> ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy 
>>>
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope
oneLevel
>>> # filter: 
>>>
(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
>>> # requesting: ALL
>>> #
>>>
>>> # Test Admin, Test, internal.xxx.yy
>>> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> <snip>
>>> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>> You are searching across one level, 'OU=Test' and
'ou=business' are on
>> the same level, so if a user exists with the samaccountname
'testadmin'
>> in the OU 'test', of course it will be returned. Try
'sub' instead of 'one'
> 
> G'Day Rowland.
> 
> Thank you for your work so far trying to understand this issue.
> 
> On this specific point, please see:
> https://tools.ietf.org/html/rfc4511#section-4.5.1.2
> 
> 4.5.1.2.  SearchRequest.scope
> 
>    Specifies the scope of the Search to be performed.  The semantics
> (as
>    described in [X.511]) of the defined values of this field are:
> 
>       baseObject: The scope is constrained to the entry named by
>       baseObject.
> 
> *      singleLevel: The scope is constrained to the immediate
> *      subordinates of the entry named by baseObject.
> 
>       wholeSubtree: The scope is constrained to the entry named by
>       baseObject and to all its subordinates.
> 
> 
> singleLevel is what we call 'one'.  The OP is entitled to expect
RFC
> conformant behaviour in this case.  'sub' (wholeSubtree in RFC
> language) might be a workaround but we need to get to the bottom of
> this.
> 
> Thanks,
> 
> Andrew Bartlett
> 
-- 
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender), Manfred Bender,
Ludger Roedder
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen

On 02/02/2020 14:39, Christian Naumer via samba wrote:
> Hello all,
> I just tried this on our setup and it ist the same there. I get results
> from other OUs. Using sub instead of one I get the "right"
results.
>
>
Problem is, I have tried the OP's search command against Samba 4.7.12, 
4.10.6 and 4.11.6

Created two OU's: OU=testou1 and OU=testou2

Created a user 'OUser1' in OU=testou1

I did this on all three versions of Samba and then ran the OP's 
ldapsearch command (modified for the dns domain) and depending on which 
OU I searched in (using -s one) I either got no result or the expected 
result, I even tried a non existing user and got nothing.

Or to put it another way, I cannot get the same result as the OP.

Time for a few questions:

What OS is the user using ?

Is the OP using distro packages, packages from somewhere else, or a self 
compiled Samba ?

If self compiled, how was it compiled ?

What is in smb.conf ?

Rowland