Bug 14585 - LDAP search filter ACL access checks are too strict
Summary: LDAP search filter ACL access checks are too strict
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2020-11-27 09:35 UTC by Stefan Metzmacher
Modified: 2020-11-27 09:35 UTC
Description Stefan Metzmacher 2020-11-27 09:35:05 UTC
Windows seems to apply the search filter after the ACL check.
If a user doesn't have the right to see an attribute, it is simply handled
as if it would not exist at all, when the search filter is applied.

E.g. if the user doesn't have the right to see the samAccountType attribute
the following filter:

'(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=3)))'

Will effectively be the same as just:

'(&(objectCategory=person)(objectSid=*))'

Samba takes a different strategy: it checks all
attribute names it finds in the search filter, and if any
of these attributes is hidden from the user, the whole
object is hidden.
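The two strategies the report contrasts can be modelled with a small filter evaluator. The following is an added example, not code from the bug report or from Samba: it parses the report's filter (and/or/not, equality, presence and the `:OID:=` extensible match), then evaluates it once the Windows way described above (hidden attributes stripped before the filter runs, so they count as absent) and once the Samba way (any hidden attribute named in the filter hides the object). The OID meanings follow Microsoft's LDAP_MATCHING_RULE_BIT_AND (…803) and LDAP_MATCHING_RULE_BIT_OR (…804); the entries, SIDs and the hidden-attribute set are constructed sample data, and an item on an attribute the entry lacks evaluates to FALSE, which is the two-valued behaviour the report's "effectively the same as" claim relies on.

```python
"""Added example (not the bug report's or Samba's code): LDAP filter evaluation
under the two ACL strategies the report describes.  Sample data is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Union

# Microsoft extensible-match rule OIDs (LDAP_MATCHING_RULE_BIT_AND / _BIT_OR)
RULE_BIT_AND = "1.2.840.113556.1.4.803"   # all bits of the assertion value set
RULE_BIT_OR = "1.2.840.113556.1.4.804"    # any bit of the assertion value set


@dataclass
class Item:
    attr: str     # attribute name as written in the filter
    op: str       # "present", "equal", "bitand" or "bitor"
    value: str = ""


@dataclass
class Node:
    op: str       # "and", "or" or "not"
    children: List["Filter"]


Filter = Union[Item, Node]
Entry = Dict[str, List[str]]   # lower-cased attribute name -> values


class FilterParser:
    """Recursive-descent parser for the subset of RFC 4515 the report uses."""

    def __init__(self, text: str) -> None:
        self.text, self.pos = text, 0

    def parse(self) -> Filter:
        node = self._filter()
        if self.pos != len(self.text):
            raise ValueError(f"trailing data at offset {self.pos}")
        return node

    def _peek(self) -> str:
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def _expect(self, ch: str) -> None:
        if self._peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _filter(self) -> Filter:
        self._expect("(")
        c = self._peek()
        if c in ("&", "|"):
            self.pos += 1
            children: List[Filter] = []
            while self._peek() == "(":
                children.append(self._filter())
            node: Filter = Node("and" if c == "&" else "or", children)
        elif c == "!":
            self.pos += 1
            node = Node("not", [self._filter()])
        else:
            node = self._item()
        self._expect(")")
        return node

    def _item(self) -> Item:
        end = self.text.find(")", self.pos)
        if end < 0 or "=" not in self.text[self.pos:end]:
            raise ValueError(f"malformed filter item at offset {self.pos}")
        body, self.pos = self.text[self.pos:end], end
        if ":=" in body:                              # attr:rule:=value
            left, value = body.split(":=", 1)
            attr, _, rule = left.partition(":")
            op = {RULE_BIT_AND: "bitand", RULE_BIT_OR: "bitor"}.get(rule, "equal")
            return Item(attr, op, value)
        attr, value = body.split("=", 1)
        return Item(attr, "present" if value == "*" else "equal", value)


def attributes_in(f: Filter) -> Set[str]:
    """Every attribute name the filter refers to (lower-cased)."""
    if isinstance(f, Item):
        return {f.attr.lower()}
    return set().union(*(attributes_in(c) for c in f.children))


def evaluate(f: Filter, entry: Entry) -> bool:
    """Two-valued evaluation; an item on an absent attribute is FALSE."""
    if isinstance(f, Node):
        if f.op == "and":
            return all(evaluate(c, entry) for c in f.children)
        if f.op == "or":
            return any(evaluate(c, entry) for c in f.children)
        return not evaluate(f.children[0], entry)
    values = entry.get(f.attr.lower(), [])
    if not values:
        return False
    if f.op == "present":
        return True
    if f.op == "equal":
        return any(v.lower() == f.value.lower() for v in values)
    try:
        mask, ints = int(f.value), [int(v) for v in values]
    except ValueError:
        return False                                  # non-integer value: no match
    if f.op == "bitand":
        return any(v & mask == mask for v in ints)
    return any(v & mask != 0 for v in ints)           # bitor


def matches_windows_style(f: Filter, entry: Entry, hidden: Set[str]) -> bool:
    """ACL first: unreadable attributes are stripped, so the filter sees them as absent."""
    return evaluate(f, {k: v for k, v in entry.items() if k not in hidden})


def matches_samba_style(f: Filter, entry: Entry, hidden: Set[str]) -> bool:
    """Behaviour the report describes: a hidden attribute in the filter hides the object."""
    if attributes_in(f) & hidden:
        return False
    return evaluate(f, entry)


# Constructed sample objects: SAM_NORMAL_USER_ACCOUNT (0x30000000) and
# SAM_TRUST_ACCOUNT (0x30000002); the low two bits are what the mask 3 tests.
USER: Entry = {"objectcategory": ["person"], "objectsid": ["S-1-5-21-1-2-3-1105"],
               "samaccounttype": [str(0x30000000)]}
TRUST: Entry = {"objectcategory": ["person"], "objectsid": ["S-1-5-21-1-2-3-1106"],
                "samaccounttype": [str(0x30000002)]}
REPORT_FILTER = "(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=3)))"
SHORT_FILTER = "(&(objectCategory=person)(objectSid=*))"


def compare(filter_text: str, entry: Entry, hidden: Set[str]) -> Dict[str, bool]:
    """Return the match result of both strategies for one entry."""
    f = FilterParser(filter_text).parse()
    return {"windows": matches_windows_style(f, entry, hidden),
            "samba": matches_samba_style(f, entry, hidden)}


if __name__ == "__main__":
    for name, entry in (("user", USER), ("trust", TRUST)):
        print(name, "all readable:", compare(REPORT_FILTER, entry, set()))
        print(name, "samAccountType hidden:", compare(REPORT_FILTER, entry, {"samaccounttype"}))
```

With samAccountType readable, both strategies agree (the user matches, the trust account is excluded by the negated bit-match). Once samAccountType is hidden from the caller, the Windows-style evaluation returns exactly what the shorter filter returns for every entry, while the Samba-style evaluation hides both objects, which is the difference the report points at.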