The Samba-Bugzilla – Attachment 18801 Details for
Bug 13852
Empty attributes list across LDAP
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch version 2
fix-13852-v2.patch (text/plain), 4.54 KB, created by
Gary Lockyer
on 2026-01-20 22:06:16 UTC
(
hide
)
Description:
Patch version 2
Filename:
MIME Type:
Creator:
Gary Lockyer
Created:
2026-01-20 22:06:16 UTC
Size:
4.54 KB
patch
obsolete
>From 63b9c224de3a50ceed9fad4bc1de144a8768fb7c Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Fri, 16 Jan 2026 12:48:38 +1300 >Subject: [PATCH] lib:ldb-samba:ildap: fix empty attribute list handling > >An LDB request interprets an empty attribute list as a request for no >attributes, but LDAP interprets an empty list as a request for all attributes, >and ["1.1"] as a request for no attributes, as per >RFC4511:4.5.1.8(SearchRequest.attributes). We need to convert [] to ["1.1"] >in the ildap module before the request goes out. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13852 > >Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >--- > lib/ldb-samba/ldb_ildap.c | 15 ++++++++++- > python/samba/tests/samba_tool/contact.py | 2 +- > selftest/knownfail.d/ldap | 1 - > source4/dsdb/tests/python/ldap.py | 34 ++++++++++++++++++++++++ > 4 files changed, 49 insertions(+), 3 deletions(-) > >diff --git a/lib/ldb-samba/ldb_ildap.c b/lib/ldb-samba/ldb_ildap.c >index 8ddb0ae9b8d..ab2ceb02293 100644 >--- a/lib/ldb-samba/ldb_ildap.c >+++ b/lib/ldb-samba/ldb_ildap.c >@@ -558,8 +558,21 @@ static int ildb_search(struct ildb_context *ac) > msg->r.SearchRequest.tree = discard_const(req->op.search.tree); > > for (n = 0; req->op.search.attrs && req->op.search.attrs[n]; n++) /* noop */ ; >+ >+ /* >+ * In LDB, an empty attribute list indicates a request for no >+ * attributes, but in LDAP no attributes is requested with an >+ * attribute list of ["1.1"] according to RFC4511:4.5.1.8. >+ */ >+ if (req->op.search.attrs && n == 0) { >+ static const char * attrs[] = {"1.1", NULL}; >+ msg->r.SearchRequest.attributes = attrs; >+ n = 1; >+ } else { >+ msg->r.SearchRequest.attributes = req->op.search.attrs; >+ } >+ > msg->r.SearchRequest.num_attributes = n; >- msg->r.SearchRequest.attributes = req->op.search.attrs; > msg->controls = req->controls; > > return ildb_request_send(ac, msg); >diff --git a/python/samba/tests/samba_tool/contact.py b/python/samba/tests/samba_tool/contact.py >index 39e96231692..4978261ad7a 100644 >--- a/python/samba/tests/samba_tool/contact.py >+++ b/python/samba/tests/samba_tool/contact.py >@@ -461,7 +461,7 @@ class ContactCmdTestCase(SambaToolCmdTest): > contactlist = self.samdb.search(base=self.samdb.domain_dn(), > scope=ldb.SCOPE_SUBTREE, > expression=search_filter, >- attrs=[]) >+ attrs=["*"]) > if contactlist: > return contactlist[0] > else: >diff --git a/selftest/knownfail.d/ldap b/selftest/knownfail.d/ldap >index 0331d3687d4..f1abcf2aca0 100644 >--- a/selftest/knownfail.d/ldap >+++ b/selftest/knownfail.d/ldap >@@ -1,3 +1,2 @@ > # the attributes too long test returns the wrong error > ^samba4.ldap.python.+test_attribute_ranges_too_long >-samba4.ldap.python\(ad_dc_default\).*__main__.BasicTests.test_ldapSearchNoAttributes >diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py >index 54219ee5003..bc5fb45d9be 100755 >--- a/source4/dsdb/tests/python/ldap.py >+++ b/source4/dsdb/tests/python/ldap.py >@@ -3200,6 +3200,40 @@ nTSecurityDescriptor:: """ + desc_base64 > self.assertEqual(len(res), 1) > self.assertEqual(len(res[0]), 0) > >+ def test_ldapSearchExplicitNoAttributesOid(self): >+ """Testing ldap search with the no attributes OID 1.1 specified""" >+ >+ user_name = "testnoattributesoiduser" >+ user_dn = "CN=%s,%s" % (user_name, self.base_dn) >+ delete_force(self.ldb, user_dn) >+ >+ self.ldb.add({"dn": user_dn, >+ "objectClass": "user", >+ "sAMAccountName": user_name}) >+ >+ res = self.ldb.search(user_dn, scope=SCOPE_BASE, attrs=["1.1"]) >+ delete_force(self.ldb, user_dn) >+ >+ self.assertEqual(len(res), 1) >+ self.assertEqual(len(res[0]), 0) >+ >+ def test_ldapSearchAllAttributes(self): >+ """Testing ldap search with all attributes""" >+ >+ user_name = "testallattributesuser" >+ user_dn = "CN=%s,%s" % (user_name, self.base_dn) >+ delete_force(self.ldb, user_dn) >+ >+ self.ldb.add({"dn": user_dn, >+ "objectClass": "user", >+ "sAMAccountName": user_name}) >+ >+ res = self.ldb.search(user_dn, scope=SCOPE_BASE, attrs=["*"]) >+ delete_force(self.ldb, user_dn) >+ >+ self.assertEqual(len(res), 1) >+ self.assertTrue(len(res[0]) > 3) >+ > > class BaseDnTests(samba.tests.TestCase): > >-- >2.43.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=18801">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 13852
:
15014
|
18801
|
18802