Andrew Bartlett
2023-Nov-06 19:30 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Mon, 2023-11-06 at 15:32 +0100, Kees van Vloten via samba wrote:
> On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> > Thank you Kees.
> >
> > On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
> > <samba at lists.samba.org> wrote:
> > > I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
> > > not experience any issues with nested group lookups, which many of the
> > > filters rely on.
> >
> > Interestingly, I've now found that (on my current DCs, running
> > 4.18.5), ldbsearch *does* seem to return the expected result, but the
> > same query via ldapsearch does not.

Just to narrow this down, can you look into ldbsearch -H ldap:// vs
ldapsearch -H ldap://

This will eliminate some protocol issues between the codebases.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
Jonathan Hunter
2023-Nov-09 23:29 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Hi Andrew,

Sorry for the couple of days' silence; I've been creating a bash script to
use with 'git bisect' (it's been a little slow in my testing, as the script
compiles each version before testing the query with ldapsearch, and it
takes a little while to re-run when I have been debugging it)

On Mon, 6 Nov 2023 at 19:30, Andrew Bartlett <abartlet at samba.org> wrote:
> > On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> > > Interestingly, I've now found that (on my current DCs, running
> > > 4.18.5), ldbsearch *does* seem to return the expected result, but the
> > > same query via ldapsearch does not.
>
> Just to narrow this down, can you look into ldbsearch -H ldap:// vs
> ldapsearch -H ldap://
>
> This will eliminate some protocol issues between the codebases.

Of course. As of 4.18.5:

- ldbsearch -H ldap:// - FAIL
- ldbsearch -H sam.ldb - PASS
- ldapsearch -H ldap:// - FAIL

I'm trying my 'git bisect' script overnight but I'm not certain I have it
100% right yet. If that does fail I can always manually pick a couple of
tags/commits to try individually - you suggested I pick out the CVE changes
from the log, which I'll then do if I can't get 'git bisect' working in the
next couple of days.

Thank you,

Jonathan
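
The comparison and bisect check discussed in the two messages above, as an added example that is not part of the thread and is not either poster's script. The thread does not show the actual query, so the `memberOf` form of the filter, the `sAMAccountName` attribute, the function names and the skip-on-error rule are assumptions.

```shell
#!/bin/sh
# Added example. Hosts, DNs and paths are supplied by the caller; authentication
# options for ldbsearch/ldapsearch are deliberately left out (assumption).
IN_CHAIN_OID=1.2.840.113556.1.4.1941   # LDAP_MATCHING_RULE_IN_CHAIN

# Escape \ * ( ) in a filter assertion value (RFC 4515); backslash goes first.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# "Direct or nested member of group $1": (memberOf:<OID>:=<group DN>)
in_chain_filter() {
    printf '(memberOf:%s:=%s)' "$IN_CHAIN_OID" "$(escape_filter_value "$1")"
}

# Count entries in LDIF on stdin; matches "dn: " and base64 "dn:: " lines only.
count_entries() { grep -c -E '^dn::? ' || true; }

# git-bisect exit code: $1 search exit status, $2 entries found, $3 expected.
bisect_verdict() {
    if [ "$1" -ne 0 ]; then echo 125      # search itself failed: skip commit
    elif [ "$2" -ge "$3" ]; then echo 0   # good
    else echo 1                           # bad: nested members missing
    fi
}

# Same query over the three transports compared in the thread.
# $1 group DN, $2 base DN, $3 DC host, $4 sam.ldb path, $5 expected entries
compare_transports() {
    filter=$(in_chain_filter "$1"); failed=0
    for tool in "ldbsearch -H ldap://$3" "ldbsearch -H $4" \
                "ldapsearch -LLL -H ldap://$3"; do
        # $tool is split on spaces on purpose, so paths must not contain any.
        found=$($tool -b "$2" "$filter" sAMAccountName 2>/dev/null | count_entries)
        if [ "$found" -ge "$5" ]; then echo "$tool - PASS"
        else echo "$tool - FAIL ($found entries)"; failed=$((failed + 1)); fi
    done
    return "$failed"
}

# For `git bisect run`, once the commit under test is built and serving LDAP:
#   script --bisect GROUP_DN BASE_DN HOST EXPECTED
if [ "${1:-}" = "--bisect" ]; then
    out=$(ldapsearch -LLL -H "ldap://$4" -b "$3" "$(in_chain_filter "$2")" \
          sAMAccountName 2>/dev/null); rc=$?
    exit "$(bisect_verdict "$rc" "$(printf '%s\n' "$out" | count_entries)" "$5")"
fi
```

Exit code 125 tells `git bisect run` to skip a commit that could not be tested, which keeps a failed build or an unreachable server from being recorded as a regression.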