Bug 16026 - msDS-TokenGroup query should be restricted to scope=base
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.24.0rc*
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2026-03-11 10:34 UTC by Denis Cardon
Modified: 2026-03-11 21:23 UTC

Description Denis Cardon 2026-03-11 10:34:07 UTC
The msDS-TokenGroup attribute is implemented in Samba-AD, but it is not restricted to scope=base.

The msDS-TokenGroup attribute calculation can be CPU-intensive, so on Microsoft AD, in order to avoid DoS, querying this attribute requires the LDAP query to have scope=base (and the server refuses to answer if scope=sub).

Samba-AD should behave the same and refuse to answer the LDAP query if scope!=base.
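
A sketch of the check requested above, added here as an illustration and not taken from Samba's source. The function name, the attribute list, and the use of unwillingToPerform as the refusal code are assumptions; the sketch also assumes the attribute is only computed when a client names it explicitly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Scope and result-code numbers follow RFC 4511. */
enum search_scope { SCOPE_BASE = 0, SCOPE_ONELEVEL = 1, SCOPE_SUBTREE = 2 };
enum { RES_SUCCESS = 0, RES_UNWILLING_TO_PERFORM = 53 };

/* Hypothetical list of attributes that are expensive to compute. The name is
 * written as in the bug report. */
static const char *const base_only_attrs[] = { "msDS-TokenGroup", NULL };

/* Compare a requested attribute description with a name, ignoring case and
 * any ";option" suffix such as ";binary". */
static int attr_matches(const char *requested, const char *name)
{
    size_t len = strcspn(requested, ";");
    return len == strlen(name) && strncasecmp(requested, name, len) == 0;
}

/* Refuse the search when a base-only attribute is requested with a scope
 * other than base. attrs is a NULL-terminated array, or NULL when the client
 * named no attributes (assumption: nothing expensive is computed then). */
int check_base_only_attrs(enum search_scope scope, const char *const *attrs)
{
    if (scope == SCOPE_BASE || attrs == NULL)
        return RES_SUCCESS;
    for (size_t i = 0; attrs[i] != NULL; i++)
        for (size_t j = 0; base_only_attrs[j] != NULL; j++)
            if (attr_matches(attrs[i], base_only_attrs[j]))
                return RES_UNWILLING_TO_PERFORM;
    return RES_SUCCESS;
}

int main(void)
{
    /* Constructed request: a subtree search that names the attribute. */
    const char *const attrs[] = { "cn", "msds-tokengroup", NULL };
    printf("scope=sub  -> %d\n", check_base_only_attrs(SCOPE_SUBTREE, attrs));
    printf("scope=base -> %d\n", check_base_only_attrs(SCOPE_BASE, attrs));
    return 0;
}
```

Running the check before any per-entry work begins means a subtree search is rejected once, rather than the token being computed for every matching object.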