Bug 11664 - LDAP/LDB: Escaped characters in DN names break LDAP group membership lookups
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2016-01-07 09:42 UTC by Roel van Meer
Modified: 2016-01-07 12:27 UTC

Description Roel van Meer 2016-01-07 09:42:25 UTC
There seems to be a problem with LDAP filters and entries that contain escaped characters in their DN. Say I have a user "test" with cn "Us Er+".

ldbsearch returns this:

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb uid=test dn cn
  dn: CN=Us Er\+,CN=Users,DC=exam,DC=corp
  cn: Us Er+

ldapsearch returns this:

  root@dev:~# ldapsearch -x uid=test dn cn
  dn: cn=Us Er\2B,cn=Users,dc=exam,dc=corp
  cn: Us Er+

Notice the "\2B" in the returned DN?

Now if that user is a member of a group, the group looks like this:

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb cn=testgroup cn dn member
  dn: CN=testgroup,CN=Users,DC=exam,DC=corp
  cn: testgroup
  member: CN=Us Er\+,CN=Users,DC=exam,DC=corp

  root@dev:~# ldapsearch -x cn=testgroup dn cn member
  dn: cn=testgroup,cn=Users,dc=exam,dc=corp
  cn: testgroup
  member: cn=Us Er\2B,cn=Users,dc=exam,dc=corp

But you cannot get that group by searching on the member attribute:

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb member="cn=Us Er\2B,cn=Users,dc=exam,dc=corp"
  (no results)

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb member="cn=Us Er\+,cn=Users,dc=exam,dc=corp"
  allocating request failed: Unable to parse search expression

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb member="cn=Us Er+,cn=Users,dc=exam,dc=corp"
  (no results)

  root@dev:~# ldapsearch -x 'member=cn=Us Er\2B,cn=Users,dc=exam,dc=corp'
  (no results)

  root@dev:~# ldapsearch -x 'member=cn=Us Er\+,cn=Users,dc=exam,dc=corp'
  ldap_search_ext: Bad search filter (-7)

  root@dev:~# ldapsearch -x 'member=cn=Us Er+,cn=Users,dc=exam,dc=corp'
  (no results)

The problem with this is that it is not possible for external applications to verify group membership for users with this kind of DN. They do a search with the DN of the entry (cn=Us Er\2B,...) and that search will never return any groups.
Binding to the LDAP server with a DN in that form works, so authentication is not a problem.

As far as I can see, this happens any time the DN of an entry contains an escaped character, like a '+' or an escaped space at the end of the RDN.
Comment 1 Roel van Meer 2016-01-07 10:28:37 UTC
I also tested 4.2.7 and ldb 1.1.24 - same behaviour.

If you need any other info, please let me know!
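One point an external application doing this lookup has to get right, and which the filters in the report do not address, is that a DN string and a search filter use two different escaping grammars. In a DN string (RFC 4514) the value "Us Er+" may be written either as Us Er\+ (what ldbsearch prints) or as Us Er\2B (what ldapsearch prints); both decode to the same value. In a filter assertion value (RFC 4515) the only legal escape is \XX, so the filter member=cn=Us Er\2B,... asks the server to match the decoded string cn=Us Er+,cn=Users,..., in which the + is no longer escaped, and a filter containing a bare \+ is a syntax error, which is the "Bad search filter (-7)" and "Unable to parse search expression" shown above. To send the DN string itself, every backslash in it must be written \5c. The code below is an added example, not code from the report or from Samba; it assumes only the Python standard library (no LDAP client library), and the function names and the sample DNs built from the report are this example's own. Whether a given server then matches the filter-escaped DN against a DN-syntax attribute such as member is exactly what this report is testing, so the example only shows the encodings.

```python
import string

# Added example, not Samba code: RFC 4514 (DN string) and RFC 4515 (search
# filter) escaping, applied to the DN from this report.  DNs are constructed.

_DN_SPECIALS = set('"+,;<>\\')      # RFC 4514 s.2.4: always escaped in an RDN value
_FILTER_SPECIALS = b'\\*()\x00'    # RFC 4515 s.3: always escaped in an assertion value


def _is_hex_pair(s: str) -> bool:
    return len(s) == 2 and all(c in string.hexdigits for c in s)


def escape_dn_value(value: str) -> str:
    """Encode an RDN value in the backslash-char form ldbsearch prints
    ('Us Er+' -> 'Us Er\\+'); ldapsearch's '\\2B' is an equally valid encoding."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)          # leading '#', leading/trailing space
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def unescape_dn_value(value: str) -> str:
    """Decode an RDN value: '\\+' and '\\2B' both give '+'; runs of hex pairs
    are reassembled as UTF-8 so multibyte characters survive."""
    out, i = [], 0
    while i < len(value):
        if value[i] != '\\':
            out.append(value[i]); i += 1
        elif _is_hex_pair(value[i + 1:i + 3]):
            buf = bytearray()
            while value[i:i + 1] == '\\' and _is_hex_pair(value[i + 1:i + 3]):
                buf.append(int(value[i + 1:i + 3], 16)); i += 3
            out.append(buf.decode('utf-8'))
        elif i + 1 < len(value):
            out.append(value[i + 1]); i += 2
        else:
            raise ValueError('dangling backslash in RDN value')
    return ''.join(out)


def _split_unescaped(s: str, sep: str) -> list:
    """Split on sep, ignoring separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\':
            cur.append(s[i:i + 2]); i += 2
        elif s[i] == sep:
            parts.append(''.join(cur)); cur = []; i += 1
        else:
            cur.append(s[i]); i += 1
    parts.append(''.join(cur))
    return parts


def canonical_dn(dn: str) -> str:
    """One comparison form for a DN whatever escape style it arrived in: types
    lower-cased, values decoded and re-encoded.  Value case-folding depends on
    the attribute's matching rule and is deliberately not done here."""
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            typ, _, val = ava.partition('=')
            avas.append(typ.strip().lower() + '=' + escape_dn_value(unescape_dn_value(val)))
        rdns.append('+'.join(sorted(avas)))
    return ','.join(rdns)


def escape_filter_value(value: str) -> str:
    """RFC 4515 s.3: backslash becomes \\5c (so a DN string's own escapes reach
    the server intact); '*', '(', ')', NUL and non-ASCII bytes become \\XX."""
    return ''.join('\\%02x' % b if b in _FILTER_SPECIALS or b >= 0x80 else chr(b)
                   for b in value.encode('utf-8'))


def unescape_filter_value(value: str) -> str:
    """What the server sees: only \\XX is a legal filter escape, so '\\2B'
    decodes to '+' and a bare '\\+' is a parse error (ldapsearch's -7)."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == '\\':
            if not _is_hex_pair(value[i + 1:i + 3]):
                raise ValueError('bad filter escape at offset %d' % i)
            buf.append(int(value[i + 1:i + 3], 16)); i += 3
        else:
            buf.extend(value[i].encode('utf-8')); i += 1
    return buf.decode('utf-8')


def filter_parses(value: str) -> bool:
    try:
        unescape_filter_value(value)
        return True
    except ValueError:
        return False


def membership_filter(user_dn: str, attr: str = 'member') -> str:
    """Filter for 'groups whose `attr` lists user_dn': the DN string is
    filter-escaped rather than pasted in verbatim."""
    return '(%s=%s)' % (attr, escape_filter_value(user_dn))
```

With the DN as ldapsearch printed it, membership_filter('cn=Us Er\2B,cn=Users,dc=exam,dc=corp') yields (member=cn=Us Er\5c2B,cn=Users,dc=exam,dc=corp), and unescape_filter_value shows that the server decodes that back to the original DN string, whereas the report's unescaped filter decodes to cn=Us Er+,cn=Users,dc=exam,dc=corp. canonical_dn maps the ldbsearch form (CN=Us Er\+,...) and the ldapsearch form (cn=Us Er\2B,...) to the same string, which is how a client should compare a member value it reads back against the DN it authenticated with, instead of comparing the raw strings.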