When searching LDAP with an objectSid filter, like ldapsearch -b 'dc=example,dc=com' objectSid=s-1-5-32, there are no results (should be "cn=Builtin,dc=example,dc=com"). Attached patch fixes the bug.
Created attachment 10183 Patch ldif_comparision_objectSid_isString function to accept lower-case SIDs
As far as I'm aware, the objectSID=S-1-5-32 style filter is a Samba extension. Therefore I would prefer to keep it strict, for performance and consistency. See http://blog.schertz.name/2008/03/searching-ad-for-a-user-account-with-a-sid/ for the contortions Microsoft makes Windows admins do to search, and please accept using an upper case S. Thanks!
Well, I cannot remember the exact scenario (hell, it's over 9000^W two years), but it was definitely a Microsoft product I was installing when I'd encountered the issue. It was some component of a Sharepoint 2013 farm. To make sure, I've just installed a test AD on Windows Server 2012 R2 (with domain/forest functional level 2008) and tried an ldapsearch with objectSid=S-1-5-32 style filter against it. Both uppercase and lowercase filters work perfectly. BTW, Novell DSfW (which we are using at the moment, while planning to migrate to Samba) also supports both upper- and lowercase objectSid searches. It's not clear from the blog post mentioned, which AD version/functional level was being used. Might be that objectSid=S-1-5-32 style filters were only introduced in 2008.
Thanks. Sorry for the horribly long delay in even looking at these bugs properly. I'll get this sorted out. I didn't know DSfW still existed! I look forward to your migration to Samba.
Yeah, DSfW is still alive and moving! Will be too for quite some time, until the new management at Micro Focus finds out Samba is the way to the bright future ;) Not blaming you for taking so long to look at the bug report, cause it was not too serious. And yes, Andrew, thank you very much for all the work you've done and keep doing!
Please close the bug accordingly if you agree that this is not a bug.
To be clear, thanks for the patch. Given the clarification I'm inclined to include it, or something similar. The only thing blocking it now is a test, so we don't regress.
This bug was referenced in samba master.
Fixed in master (4.21). If anyone wants to backport, shout out. Otherwise I will either close this in a few weeks, or forget and someone can close it when all supported versions are >= 4.21.
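The behaviour discussed in this thread, as an added example that is not Samba's code or the attached patch: a string-form SID in a filter has to be recognised and converted to the binary objectSid layout before it can be compared, and that recognition should treat "S-" and "s-" alike. The function name sid_string_to_binary is hypothetical, and only decimal identifier authorities are handled.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#define SID_MAX_SUBAUTHS 15

/* Hypothetical helper (not Samba's): parse "S-1-5-32" or "s-1-5-32" into the
 * binary objectSid layout. Returns the number of bytes written, or -1. */
int sid_string_to_binary(const char *s, uint8_t *out, size_t outlen)
{
    char *end;
    unsigned long long v;
    int n = 0;

    /* Case-insensitive "S-" prefix: the point of the bug report. */
    if (s == NULL || (s[0] != 'S' && s[0] != 's') || s[1] != '-')
        return -1;
    s += 2;

    /* Revision: one byte, and it must be followed by an authority. */
    if (!isdigit((unsigned char)*s) || outlen < 8) return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno || v > 0xFF || *end != '-') return -1;
    out[0] = (uint8_t)v;
    s = end + 1;

    /* Identifier authority: 48 bits, stored big-endian. */
    if (!isdigit((unsigned char)*s)) return -1;
    v = strtoull(s, &end, 10);
    if (errno || v > 0xFFFFFFFFFFFFULL) return -1;
    for (int i = 0; i < 6; i++)
        out[2 + i] = (uint8_t)(v >> (8 * (5 - i)));

    /* Sub-authorities: 32 bits each, stored little-endian. */
    while (*end == '-') {
        s = end + 1;
        if (!isdigit((unsigned char)*s) || n == SID_MAX_SUBAUTHS) return -1;
        v = strtoull(s, &end, 10);
        if (errno || v > 0xFFFFFFFFULL || outlen < (size_t)(12 + 4 * n))
            return -1;
        for (int i = 0; i < 4; i++)
            out[8 + 4 * n + i] = (uint8_t)(v >> (8 * i));
        n++;
    }
    if (*end != '\0') return -1;   /* trailing junk means it is not a SID */
    out[1] = (uint8_t)n;           /* sub-authority count */
    return 8 + 4 * n;
}
```

A regression test of the kind asked for above would assert that both spellings of the prefix yield the same bytes and that malformed strings are rejected.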