Bug 11664 - LDAP/LDB: Escaped characters in DN names break LDAP group membership lookups
Summary: LDAP/LDB: Escaped characters in DN names break LDAP group membership lookups
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.2.7
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-01-07 09:42 UTC by Roel van Meer
Modified: 2017-12-14 14:56 UTC

See Also:


Description Roel van Meer 2016-01-07 09:42:25 UTC
There seems to be a problem with LDAP filters and entries that contain escaped characters in their DN. Say I have a user "test" with cn "Us Er+".

ldbsearch returns this:

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb uid=test dn cn
  dn: CN=Us Er\+,CN=Users,DC=exam,DC=corp
  cn: Us Er+

ldapsearch returns this:

  root@dev:~# ldapsearch -x uid=test dn cn
  dn: cn=Us Er\2B,cn=Users,dc=exam,dc=corp
  cn: Us Er+

Notice the "\2B" in the returned DN?

Now if that user is a member of a group, the group looks like this:

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb cn=testgroup cn dn member
  dn: CN=testgroup,CN=Users,DC=exam,DC=corp
  cn: testgroup
  member: CN=Us Er\+,CN=Users,DC=exam,DC=corp

  root@dev:~# ldapsearch -x cn=testgroup dn cn member
  dn: cn=testgroup,cn=Users,dc=exam,dc=corp
  cn: testgroup
  member: cn=Us Er\2B,cn=Users,dc=exam,dc=corp

But, you cannot get that group by searching on the member attribute:

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb member="cn=Us Er\2B,cn=Users,dc=exam,dc=corp"
  (no results)

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb member="cn=Us Er\+,cn=Users,dc=exam,dc=corp"
  allocating request failed: Unable to parse search expression

  root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb member="cn=Us Er+,cn=Users,dc=exam,dc=corp"
  (no results)

  root@dev:~# ldapsearch -x 'member=cn=Us Er\2B,cn=Users,dc=exam,dc=corp'
  (no results)

  root@dev:~# ldapsearch -x 'member=cn=Us Er\+,cn=Users,dc=exam,dc=corp'
  ldap_search_ext: Bad search filter (-7)

  root@dev:~# ldapsearch -x 'member=cn=Us Er+,cn=Users,dc=exam,dc=corp'
  (No results)

The problem with this is that it is not possible in external applications to verify group membership for users with this kind of DN. They do a search with the DN of the entry (cn=Us Er\2B,...) and that search will never return any groups.
Binding to the LDAP server with a DN in that form works, so authentication is not a problem.

As far as I can see, this happens any time the DN of an entry contains an escaped character, like a '+' or an escaped space at the end of the RDN.
Comment 1 Roel van Meer 2016-01-07 10:28:37 UTC
I also tested 4.2.7 and ldb 1.1.24 - same behaviour.

If you need any other info, please let me know!
Comment 2 Björn Jacke 2017-12-14 14:56:04 UTC
Sorry for the late response. I just tested that this one works the same way against MS AD as on Samba 4.7 AD:

ldapsearch -x -h ip-of-ad-dc -D AD\\administrator -w secret  -b "CN=Users,DC=ad,DC=test,DC=intern" 'member=CN=bjacke\\+,CN=Users,DC=ad,DC=test,DC=intern'
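The three filter forms tried in the description and the working filter in Comment 2 differ only in how the filter parser decodes the backslash that is already part of the stored DN. As an added example that is not part of the bug report or of Samba's code, the Python below applies RFC 4515 assertion-value escaping (backslash becomes \5c) to a DN string exactly as the server returned it, and models how a strict filter parser decodes each of the candidate values from the description; the stored DN is the one from the description, and the plain string comparison is a labelled simplification of real DN matching.

```python
import re

# RFC 4515 section 3: bytes that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")

def escape_filter_value(value: str) -> str:
    """Escape an arbitrary string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def member_filter(dn: str) -> str:
    """Build '(member=<dn>)' from a DN string exactly as the server returned it.
    The DN already carries RFC 4514 escaping ('\\2B' over LDAP, '\\+' from ldb),
    so its backslash must be escaped again, as '\\5c', for the filter layer."""
    return f"(member={escape_filter_value(dn)})"

def unescape_filter_value(value: str) -> str:
    """Decode an assertion value the way a strict RFC 4515 filter parser does.
    A backslash not followed by two hex digits raises ValueError, which is the
    'Bad search filter' / 'Unable to parse search expression' case on the page."""
    out, i = [], 0
    while i < len(value):
        if value[i] != "\\":
            out.append(value[i])
            i += 1
            continue
        m = _HEX_ESCAPE.match(value, i)
        if m is None:
            raise ValueError(f"invalid escape at offset {i}: {value[i:i + 2]!r}")
        out.append(chr(int(m.group(1), 16)))
        i = m.end()
    return "".join(out)

def classify_filter(filter_value: str, stored_value: str) -> str:
    """Model the server's outcome for one assertion value: 'match', 'no results'
    (decodes to a different string) or 'bad filter'. Plain string comparison is a
    simplification; real DN matching also normalises case and escape form."""
    try:
        decoded = unescape_filter_value(filter_value)
    except ValueError:
        return "bad filter"
    return "match" if decoded == stored_value else "no results"

if __name__ == "__main__":
    stored = r"cn=Us Er\2B,cn=Users,dc=exam,dc=corp"  # constructed: the member value from the report
    for value in (r"cn=Us Er\2B,cn=Users,dc=exam,dc=corp", r"cn=Us Er\+,cn=Users,dc=exam,dc=corp",
                  r"cn=Us Er+,cn=Users,dc=exam,dc=corp", escape_filter_value(stored)):
        print(f"{value:42} -> {classify_filter(value, stored)}")
```

Only the last candidate, with the backslash itself escaped as \5c, decodes back to the stored value; the page does not test that form against Samba, so verify it against your own server before relying on it.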