Displaying 20 results from an estimated 32 matches for "ldap_matching_rule_in_chain".
2023 Nov 05
2
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
I'm quite confused by this one, as I can't see how this would happen..
but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't
seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
now as well)
Here's a search that now returns nothing after my DC upgrades; this
exact search used to work just fine:
(&
(objectCategory=Person)
(sAMAccountName=*)
(me...
2023 Nov 05
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
...22:25 +0000, Jonathan Hunter via samba wrote:
> I'm quite confused by this one, as I can't see how this would
> happen..
> but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches
> don't
> seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
> LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
> Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
> now as well)
>
> Here's a search that now returns nothing after my DC upgrades; this
> exact search used to work just fine:
> (&
> (objectCategory=Per...
2014 Feb 05
1
Support for LDAP_MATCHING_RULE_IN_CHAIN in LDAP queries
I'm guessing that this is just not implemented yet:
http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx
Specifically, the LDAP_MATCHING_RULE_IN_CHAIN search modifier.
I'm trying to do a group membership search via LDAP that traverses
subgroups. Against Windows AD I'd use:
(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x))
But that doesn't work against samba4 (sernet 4.1.4-7).
Is there a different way to do this that...
2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
...via samba wrote:
> > I'm quite confused by this one, as I can't see how this would
> > happen..
> > but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches
> > don't
> > seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
> > LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
> > Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
> > now as well)
> >
> > Here's a search that now returns nothing after my DC upgrades; this
> > exact search used to work just fine:
> > (&...
2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
...n 05-11-2023 at 23:25, Jonathan Hunter via samba wrote:
> I'm quite confused by this one, as I can't see how this would happen..
> but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't
> seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
> LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
> Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
> now as well)
>
> Here's a search that now returns nothing after my DC upgrades; this
> exact search used to work just fine:
> (&
> (objectCategory=Per...
2023 Nov 29
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Hi Jonathan and Andrew,
> Reminder of my original LDAP query:
> (&
> (objectCategory=Person)
> (sAMAccountName=*)
> (memberOf:1.2.840.113556.1.4.1941:=CN=mygroup,OU=myou,DC=mydomain,DC=org)
> )
I came across the same/similar issue yesterday and found the origin that
triggered the issue (at least in my case). I've added a response to your
bugzilla entry
2023 Nov 06
2
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at gmail.com> wrote:
>
>
> On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> > Interestingly, I've now found that (on my current DCs, running
> > 4.18.5), ldbsearch *does* seem to return the expected result, but the
> > same query via ldapsearch does not.
>
> What if you try to use starttls
2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On 06-11-2023 at 15:40, Jonathan Hunter wrote:
> On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>
>> On 06-11-2023 at 14:58, Jonathan Hunter wrote:
>>> Interestingly, I've now found that (on my current DCs, running
>>> 4.18.5), ldbsearch *does* seem to return the expected result, but the
>>> same query via
2023 Nov 24
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Thank you Andrew and Rowland.
(Rowland - I tried 'samba-tool dsacl get', thank you! but found the
output hard to decipher so I used ldp.exe on Windows instead in the
end)
On Wed, 22 Nov 2023 at 20:22, Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Wed, 2023-11-22 at 17:33 +0000, Jonathan Hunter wrote:
> > Are permissions checked in a hierarchical fashion, i.e. if
2023 Nov 22
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Wed, 2023-11-22 at 17:33 +0000, Jonathan Hunter wrote:
> On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <
> abartlet at samba.org
> > wrote:
> > Are you sure that the ACLs on all the items in the chain should
> > allow reading?
>
> It's an excellent question, thank you - I'd like to just say "Yes"
> but
> I will certainly check, as
2023 Nov 06
2
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> Thank you Kees.
>
> On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
> <samba at lists.samba.org> wrote:
>> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
>> not experience any issues with nested group lookups, which many of the
>> filters rely on.
> Interestingly, I've now
2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Thank you Kees.
On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
<samba at lists.samba.org> wrote:
> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
> not experience any issues with nested group lookups, which many of the
> filters rely on.
Interestingly, I've now found that (on my current DCs, running
4.18.5), ldbsearch *does* seem to return the
2025 Jan 19
1
RODC in DMZ
On 29-12-2024 at 20:29, Stefan Kania via samba wrote:
>
>
> On 13.12.24 at 14:38, Kees van Vloten via samba wrote:
>> There is one limitation I forgot to mention: in my config there is a
>> module "mr_passthru", it is required if you want to do Microsoft
>> LDAP_MATCHING_RULE_IN_CHAIN queries, e.g. for nested group membership
>> lookups: "(memberof:1.2.840.113556.1.4.1941:=CN=...) ".
>>
>> Openldap does not support these by default.
>
> OpenLDAP supports nested groups via acl set ;-), without any additional
> overlay
>
Did you manage to g...
2016 Apr 11
5
Previously extended schema not working in 4.4.0
...ects from my custom schema via ADSIEdit. This
worked fine under 4.3.x as well - the last such object I successfully
created was just over two months ago, at which point I was running some
variant of 4.3.x (probably 4.3.5).
However, last week I upgraded all my DCs to 4.4.0 (to take advantage of
the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found that
I can no longer create my custom objects in AD. ADSIEdit reports that "A
constraint violation occurred"; I get the same error from Apache Directory
Studio, too - details are as follows:
Error while creating entry
- [LDAP: error code 19 - 0000202F...
2024 Dec 13
1
RODC in DMZ
...ally helpful and I
> guess a good fit for our situation. I was worried that it'd been
> complicated as I have never played around with OpenLDAP.
There is one limitation I forgot to mention: in my config there is a
module "mr_passthru", it is required if you want to do Microsoft
LDAP_MATCHING_RULE_IN_CHAIN queries, e.g. for nested group membership
lookups: "(memberof:1.2.840.113556.1.4.1941:=CN=...) ".
Openldap does not support these by default.
If you don't need it: simply disable the module "mr_passthru" in
slapd.conf.
If you do, it gets a little more complicated. You n...
2020 Sep 16
5
PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
> I followed the instructions on the OpenVPN site for creating
> the bind user:
>
> https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
>
OK after reading the supplied link, I think I see where the
misunderstanding is coming from. Under the heading
2016 Apr 14
0
Previously extended schema not working in 4.4.0
...This
> worked fine under 4.3.x as well - the last such object I successfully
> created was just over two months ago, at which point I was running
> some
> variant of 4.3.x (probably 4.3.5).
>
> However, last week I upgraded all my DCs to 4.4.0 (to take advantage
> of
> the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found
> that
> I can no longer create my custom objects in AD. ADSIEdit reports that
> "A
> constraint violation occurred"; I get the same error from Apache
> Directory
> Studio, too - details are as follows:
>
> Error while creating...
2016 Apr 11
0
Previously extended schema not working in 4.4.0
...a ADSIEdit. This
> worked fine under 4.3.x as well - the last such object I successfully
> created was just over two months ago, at which point I was running some
> variant of 4.3.x (probably 4.3.5).
>
> However, last week I upgraded all my DCs to 4.4.0 (to take advantage of
> the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found that
> I can no longer create my custom objects in AD. ADSIEdit reports that "A
> constraint violation occurred"; I get the same error from Apache Directory
> Studio, too - details are as follows:
>
> Error while creating entry
> - [...
2016 Apr 14
2
Previously extended schema not working in 4.4.0
...as well - the last such object I successfully
> > created was just over two months ago, at which point I was running
> > some
> > variant of 4.3.x (probably 4.3.5).
> >
> > However, last week I upgraded all my DCs to 4.4.0 (to take advantage
> > of
> > the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found
> > that
> > I can no longer create my custom objects in AD. ADSIEdit reports that
> > "A
> > constraint violation occurred"; I get the same error from Apache
> > Directory
> > Studio, too - details are as follows:
>...
2016 Apr 14
0
Previously extended schema not working in 4.4.0
...ect I successfully
>> > created was just over two months ago, at which point I was running
>> > some
>> > variant of 4.3.x (probably 4.3.5).
>> >
>> > However, last week I upgraded all my DCs to 4.4.0 (to take advantage
>> > of
>> > the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found
>> > that
>> > I can no longer create my custom objects in AD. ADSIEdit reports that
>> > "A
>> > constraint violation occurred"; I get the same error from Apache
>> > Directory
>> > Studio, too - de...