Bug 10763 - LDAP search by objectSid with a lowercase 's' returns no results
Summary: LDAP search by objectSid with a lowercase 's' returns no results
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-07 12:46 UTC by Amon Sha
Modified: 2017-08-24 12:02 UTC (History)
4 users (show)

See Also:

Attachments
Patch ldif_comparision_objectSid_isString function to accept lower-case SIDs (443 bytes, patch)
2014-08-07 12:48 UTC, Amon Sha 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Amon Sha 2014-08-07 12:46:14 UTC 
When searching LDAP with objectSid filter, like

ldapsearch -b 'dc=example,dc=com' objectSid=s-1-5-32

there are no results (should be "cn=Builtin,dc=example,dc=com).

Attached patch fixes the bug.
Comment 1 Amon Sha 2014-08-07 12:48:05 UTC 
Created attachment 10183 [details]
Patch ldif_comparision_objectSid_isString function to accept lower-case SIDs
Comment 2 Andrew Bartlett 2017-01-03 03:08:53 UTC 
As far as I'm aware, the objectSID=S-1-5-32 style filter is a Samba extension.  Therefore I would prefer to keep it strict, for performance and consistency. 

See http://blog.schertz.name/2008/03/searching-ad-for-a-user-account-with-a-sid/ for the contortions Micorsoft makes Windows admins to to search, and please accept using an upper case S.

Thanks!
Comment 3 Amon Sha 2017-01-04 14:32:51 UTC 
Well, I cannot remember the exact scenario (hell, it's over 9000^W two years), but it was definitely a Microsoft product I was installing when I'd encountered the issue. It was some component of a Sharepoint 2013 farm.

To make sure, I've just installed a test AD on Windows Server 2012 R2 (with domain/forest functional level 2008) and tried an ldapsearch with objectSid=S-1-5-32 style filter against it. Both uppercase and lowercase filters work perfectly.

BTW, Novell DSfW (which we are using at the moment, while planning to migrate to Samba) also supports both upper- and lowercase objectSid searches.

It's not clear from the blog post mentioned, which AD version/functional level was being used. Might be that objectSid=S-1-5-32 style filters were only introduced in 2008.
Comment 4 Andrew Bartlett 2017-01-04 18:35:15 UTC 
Thanks.  Sorry for the horribly long delay in even looking at these bugs properly.  

I'll get this sorted out. 

I didn't know DSfW still existed!  I look forward to your migration to Samba.
Comment 5 Amon Sha 2017-01-04 19:40:08 UTC 
Yeah, DSfW is still alive and moving! Will be too for quite some time, until the new management at Micro Focus finds out Samba is the way to the bright future ;)

Not blaming you for taking so long to look at the bug report, cause it was not too serious.

And yes, Andrew, thank you very much for all the work you've done and keep doing!
Comment 6 Björn Jacke 2017-01-09 14:32:52 UTC 
please close the bug accordingly if you agree that this is not a bug.
Comment 7 Andrew Bartlett 2017-01-09 18:37:24 UTC 
To be clear, thanks for the patch.  Given the clarification I'm inclined to include it, or something similar.  The only thing blocking it now is a test, so we don't regress.