Bug 6715 - pdb_ldap group membership searches in possibly wrong DN
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: User & Group Accounts
Version: 3.2.7
Hardware: All Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2009-09-12 08:40 UTC by Jan Engelhardt
Modified: 2009-09-12 11:51 UTC

Patch that works around the issue for us (808 bytes, text/plain)
2009-09-12 08:41 UTC, Jan Engelhardt

Description Jan Engelhardt 2009-09-12 08:40:51 UTC
We noticed

[2009/09/12 12:57:46,  1] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2865)
  found more than one account with the same user name ?!

in our logs, and upon deeper source code inspection found that this function searches in the — what we believe — wrong subtree DN.

In particular, we have a referral:

dn: ou=users,ou=somethingelse,ou=config,o=ourorg
ref: ldap://,o=ourorg

And since smbd searches from o=ourorg instead of ou=users,o=ourorg, it sees posixAccounts in ou=users twice.

A proposed patch is below.
Comment 1 Jan Engelhardt 2009-09-12 08:41:35 UTC
Created attachment 4686
Patch that works around the issue for us
Comment 2 Volker Lendecke 2009-09-12 11:51:35 UTC
Sorry, but this is deliberate. All searches need to be under the normal ldap suffix. There have been too many problems because we did not search the whole tree, so we decided to make all searches do that. The ldap user suffix & friends are only for creation now.
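
An added illustration, not part of the bug report and not Samba's code: a small Python model of a subtree search that chases referrals, showing why a search based at o=ourorg returns the same posixAccount twice while one based at ou=users,o=ourorg returns it once. The directory contents, the uid "jdoe" and the referral target (the ref: value is truncated on this page) are assumptions.

```python
# Constructed toy directory (DN -> attributes); not real data.
ACCOUNT_DN = "uid=jdoe,ou=users,o=ourorg"
DIRECTORY = {
    "o=ourorg": {},
    "ou=users,o=ourorg": {},
    ACCOUNT_DN: {"objectClass": "posixAccount", "uid": "jdoe"},
    "ou=config,o=ourorg": {},
    "ou=somethingelse,ou=config,o=ourorg": {},
    # Referral entry named in the report. Its target is truncated on the
    # page, so pointing it at ou=users,o=ourorg is an assumption.
    "ou=users,ou=somethingelse,ou=config,o=ourorg": {"ref": "ou=users,o=ourorg"},
}


def in_subtree(dn, base):
    """True if dn is the base itself or lies below it."""
    return dn == base or dn.endswith("," + base)


def subtree_search(base, uid, chase=True):
    """Return one DN per hit for posixAccount entries with this uid under base.

    A referral inside the searched subtree is followed by re-running the
    search at its target, which is how one entry can be reported twice.
    """
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base):
            continue
        if attrs.get("objectClass") == "posixAccount" and attrs.get("uid") == uid:
            hits.append(dn)
        elif chase and "ref" in attrs:
            hits.extend(subtree_search(attrs["ref"], uid, chase=False))
    return hits


def resolve_account(base, uid):
    """Model a caller that requires exactly one match; returns (dn, error)."""
    hits = subtree_search(base, uid)
    if len(hits) > 1:
        # Separate "one entry seen twice" from two genuinely different entries.
        kind = "same entry via referral" if len(set(hits)) == 1 else "distinct entries"
        return None, "more than one account with the same user name (%s)" % kind
    return (hits[0], None) if hits else (None, "no such account")


if __name__ == "__main__":
    print(resolve_account("o=ourorg", "jdoe"))           # whole-tree base
    print(resolve_account("ou=users,o=ourorg", "jdoe"))  # user-suffix base
```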