Bug 6715 - pdb_ldap group membership searches in possibly wrong DN
Product: Samba 3.2
Classification: Unclassified
Component: User & Group Accounts
Hardware: All Linux
Importance: P3 normal
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2009-09-12 08:40 UTC by Jan Engelhardt
Modified: 2009-09-12 11:51 UTC

Patch that works around the issue for us (808 bytes, text/plain)
2009-09-12 08:41 UTC, Jan Engelhardt

Description Jan Engelhardt 2009-09-12 08:40:51 UTC
We noticed

[2009/09/12 12:57:46,  1] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2865)
  found more than one account with the same user name ?!

in our logs, and upon deeper source code inspection found that this function searches in what we believe is the wrong subtree DN.

In particular, we have a referral:

dn: ou=users,ou=somethingelse,ou=config,o=ourorg
ref: ldap://,o=ourorg

And since smbd searches from o=ourorg instead of ou=users,o=ourorg, it sees posixAccounts in ou=users twice.

A proposed patch is below.
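
Added example (not part of the report and not Samba code): a small Python model of the situation described above, showing how a subtree search from the top suffix that chases a referral back into the user subtree returns the same posixAccount twice, while a search from the user subtree, or one that does not chase referrals, returns it once. All DNs, the referral target and the function names are constructed assumptions; de-duplicating by DN is one defensive option shown for comparison, not the attached patch.

```python
# Constructed directory: DNs, the referral target and all helper names are
# assumptions for illustration, not values taken from the report.
ENTRIES = {
    "o=example": {},
    "ou=users,o=example": {},
    "uid=alice,ou=users,o=example": {"objectClass": "posixAccount", "uid": "alice"},
    "uid=bob,ou=users,o=example": {"objectClass": "posixAccount", "uid": "bob"},
    "ou=config,o=example": {},
    # Referral object that points back at the real user subtree.
    "ou=users,ou=other,ou=config,o=example": {"ref": "ou=users,o=example"},
}


def in_subtree(dn, base):
    """True if dn is the base itself or lies below it."""
    return dn == base or dn.endswith("," + base)


def search(base, uid, chase_referrals=True):
    """Subtree search for posixAccount entries with this uid.

    Returns the DNs in the order a client would receive them; a chased
    referral is answered by a second search rooted at the referral target.
    """
    hits = []
    for dn, attrs in ENTRIES.items():
        if not in_subtree(dn, base):
            continue
        if "ref" in attrs:
            if chase_referrals:
                hits += search(attrs["ref"], uid, chase_referrals)
        elif attrs.get("objectClass") == "posixAccount" and attrs.get("uid") == uid:
            hits.append(dn)
    return hits


def lookup_account(base, uid, chase_referrals=True):
    """Apply an 'exactly one account' check, with and without DN de-duplication."""
    hits = search(base, uid, chase_referrals)
    unique = sorted(set(hits))
    return {
        "raw": len(hits),                # what a naive count sees
        "unique": len(unique),           # distinct entries actually matched
        "ambiguous": len(unique) > 1,    # genuinely different accounts share the name
    }


if __name__ == "__main__":
    for base in ("o=example", "ou=users,o=example"):
        print(base, lookup_account(base, "alice"))
```

A raw count above one with a unique count of one means the same entry was reached by two paths, which is a different condition from two distinct accounts sharing a user name.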
Comment 1 Jan Engelhardt 2009-09-12 08:41:35 UTC
Created attachment 4686
Patch that works around the issue for us
Comment 2 Volker Lendecke 2009-09-12 11:51:35 UTC
Sorry, but this is deliberate. All searches need to be under the normal ldap suffix. There have been too many problems because we did not search the whole tree, so we decided to make all searches do that. The ldap user suffix & friends are only for creation now.