Andrew Bartlett
2020-Feb-01 19:26 UTC
[Samba] Ldapsearch against Samba AD returns records outside the search base
On Sat, 2020-02-01 at 17:22 +0000, Rowland penny via samba wrote:
> On 01/02/2020 16:29, Palle Kuling via samba wrote:
> >
> > Queried against Samba 4.11.4 (query is for OU=Business but response is
> > from OU=Test):
> > $ldapsearch -D username at internal.xxx.yy -w password -H
> > ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy
> > "(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
> > # filter:
> > (&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
> > # requesting: ALL
> > #
> >
> > # Test Admin, Test, internal.xxx.yy
> > dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > <snip>
> > distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> You are searching across one level, 'OU=Test' and 'ou=business' are on
> the same level, so if a user exists with the samaccountname 'testadmin'
> in the OU 'test', of course it will be returned. Try 'sub' instead of 'one'

G'Day Rowland.

Thank you for your work so far trying to understand this issue.

On this specific point, please see:
https://tools.ietf.org/html/rfc4511#section-4.5.1.2

4.5.1.2. SearchRequest.scope

   Specifies the scope of the Search to be performed. The semantics (as
   described in [X.511]) of the defined values of this field are:

      baseObject: The scope is constrained to the entry named by baseObject.

   *  singleLevel: The scope is constrained to the immediate
   *  subordinates of the entry named by baseObject.

      wholeSubtree: The scope is constrained to the entry named by
      baseObject and to all its subordinates.

singleLevel is what we call 'one'. The OP is entitled to expect RFC
conformant behaviour in this case. 'sub' (wholeSubtree in RFC
language) might be a workaround but we need to get to the bottom of
this.

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Christian Naumer
2020-Feb-02 14:39 UTC
[Samba] Ldapsearch against Samba AD returns records outside the search base
Hello all,
I just tried this on our setup and it is the same there. I get results
from other OUs. Using sub instead of one I get the "right" results.

Regards

Christian

On 01.02.20 at 20:26, Andrew Bartlett via samba wrote:
> On Sat, 2020-02-01 at 17:22 +0000, Rowland penny via samba wrote:
>> On 01/02/2020 16:29, Palle Kuling via samba wrote:
>>>
>>> Queried against Samba 4.11.4 (query is for OU=Business but response is
>>> from OU=Test):
>>> $ldapsearch -D username at internal.xxx.yy -w password -H
>>> ldaps://192.168.1.1 -s one -b ou=business,dc=internal,dc=xxx,dc=yy
>>> "(&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))"
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
>>> # filter:
>>> (&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))
>>> # requesting: ALL
>>> #
>>>
>>> # Test Admin, Test, internal.xxx.yy
>>> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> <snip>
>>> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>> You are searching across one level, 'OU=Test' and 'ou=business' are on
>> the same level, so if a user exists with the samaccountname 'testadmin'
>> in the OU 'test', of course it will be returned. Try 'sub' instead of 'one'
>
> G'Day Rowland.
>
> Thank you for your work so far trying to understand this issue.
>
> On this specific point, please see:
> https://tools.ietf.org/html/rfc4511#section-4.5.1.2
>
> 4.5.1.2. SearchRequest.scope
>
>    Specifies the scope of the Search to be performed. The semantics (as
>    described in [X.511]) of the defined values of this field are:
>
>       baseObject: The scope is constrained to the entry named by baseObject.
>
>    *  singleLevel: The scope is constrained to the immediate
>    *  subordinates of the entry named by baseObject.
>
>       wholeSubtree: The scope is constrained to the entry named by
>       baseObject and to all its subordinates.
>
>
> singleLevel is what we call 'one'. The OP is entitled to expect RFC
> conformant behaviour in this case. 'sub' (wholeSubtree in RFC
> language) might be a workaround but we need to get to the bottom of
> this.
>
> Thanks,
>
> Andrew Bartlett
>

--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Executive board: Adriaan Moelker (Chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
Rowland penny
2020-Feb-02 16:51 UTC
[Samba] Ldapsearch against Samba AD returns records outside the search base
On 02/02/2020 14:39, Christian Naumer via samba wrote:
> Hello all,
> I just tried this on our setup and it is the same there. I get results
> from other OUs. Using sub instead of one I get the "right" results.
>
>
Problem is, I have tried the OP's search command against Samba 4.7.12,
4.10.6 and 4.11.6

Created two OUs: OU=testou1 and OU=testou2
Created a user 'OUser1' in OU=testou1

I did this on all three versions of Samba and then ran the OP's
ldapsearch command (modified for the dns domain) and depending on which
OU I searched in (using -s one) I either got no result or the expected
result, I even tried a non-existing user and got nothing.

Or to put it another way, I cannot get the same result as the OP.

Time for a few questions:

What OS is the user using ?
Is the OP using distro packages, packages from somewhere else, or a self
compiled Samba ?
If self compiled, how was it compiled ?
What is in smb.conf ?

Rowland
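The following is an added example, not code from the thread or from Samba: a small Python checker that applies the RFC 4511 section 4.5.1.2 scope definitions Andrew quoted (baseObject, singleLevel, wholeSubtree, i.e. ldapsearch's `-s base`, `-s one`, `-s sub`) to saved ldapsearch LDIF output and reports every returned `dn:` that the requested base and scope should have excluded. It can be run over the output of a reproduction like Rowland's to decide mechanically whether a server honours the scope. The sample LDIF is constructed from the output quoted in the original report; DN comparison is simplified to case-insensitive matching of RDN types and values, which is adequate for AD-style DNs but is not a full X.500 matching-rule implementation.

```python
"""Scope checker for ldapsearch output, using the RFC 4511 4.5.1.2 definitions:
baseObject ('base') returns only the base entry, singleLevel ('one') only its
immediate subordinates, wholeSubtree ('sub') the base entry and everything below."""
import base64

# Constructed sample: LDIF modelled on the output quoted in the thread, where a
# oneLevel search based at OU=Business returned an entry that lives under OU=Test.
SAMPLE_LDIF = """\
# base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
# filter: (&(objectCategory=person)(objectClass=user)(sAMAccountName=testadmin))

# Test Admin, Test, internal.xxx.yy
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
objectClass: top
objectClass: user
distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy

# search result
search: 2
result: 0 Success
# numEntries: 1
"""


def split_dn(dn):
    """Split a DN into RDN strings at commas that are not backslash-escaped.
    Simplification: multi-valued RDNs ('a=1+b=2') are kept as one component."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def normalize_dn(dn):
    """Canonical form for comparison: (type, value) pairs, lower-cased and
    stripped. AD compares DNs case-insensitively; full X.500 matching rules
    are out of scope for this check (simplifying assumption)."""
    parts = []
    for rdn in split_dn(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return tuple(parts)


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is permitted by a search with the given base and scope
    ('base', 'one' or 'sub', the values ldapsearch -s accepts)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                    # not under the base at all
    depth = len(entry) - len(base)      # 0 = the base itself, 1 = immediate child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def ldif_dns(text):
    """Return the DN of each entry in LDIF output. Folded continuation lines
    (leading space) are joined and base64 'dn::' values are decoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    dns = []
    for line in unfolded:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def out_of_scope_entries(ldif_text, base_dn, scope):
    """DNs in the LDIF that the requested base/scope should have excluded."""
    return [dn for dn in ldif_dns(ldif_text) if not in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    base = "ou=business,dc=internal,dc=xxx,dc=yy"
    for dn in out_of_scope_entries(SAMPLE_LDIF, base, "one"):
        print(f"outside requested scope: {dn}")
```

Run against the constructed sample it reports the OU=Test entry, because an immediate subordinate of OU=Business can only be one RDN deeper than the base and must share the base as its suffix. The check matters beyond correctness: any application that relies on base and scope to bound which accounts it considers (for example, accepting logins only from one OU) would silently accept out-of-scope entries if the server does not enforce singleLevel, so an automated comparison like this belongs in the test run before a directory is trusted for such decisions.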