The Samba-Bugzilla – Bug 6715
pdb_ldap group membership searches in possibly wrong DN
Last modified: 2009-09-12 11:51:35 UTC
[2009/09/12 12:57:46, 1] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2865)
found more than one account with the same user name ?!
in our logs, and upon deeper source code inspection found that this function searches in what we believe is the wrong subtree DN.
In particular, we have a referral:
And since smbd searches from o=ourorg instead of ou=users,o=ourorg, it sees posixAccounts in ou=users twice.
A proposed patch is below.
Created attachment 4686
Patch that works around the issue for us
Sorry, but this is deliberate. All searches need to be under the normal ldap suffix. There have been too many problems because we did not search the whole tree, so we decided to make all searches do that. The ldap user suffix & friends are only for creation now.