lib:ldb-samba:ildap: fix empty attribute list handling
authorGary Lockyer <gary@catalyst.net.nz>
Thu, 15 Jan 2026 23:48:38 +0000 (12:48 +1300)
committerDouglas Bagnall <dbagnall@samba.org>
Wed, 21 Jan 2026 03:29:23 +0000 (03:29 +0000)
An LDB request interprets an empty attribute list as a request for no
attributes, but LDAP interprets an empty list as a request for all attributes,
and ["1.1"] as a request for no attributes, as per
RFC4511:4.5.1.8(SearchRequest.attributes).  We need to convert [] to ["1.1"]
in the ildap module before the request goes out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13852

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jan 21 03:29:23 UTC 2026 on atb-devel-224

lib/ldb-samba/ldb_ildap.c
python/samba/tests/samba_tool/contact.py
selftest/knownfail.d/ldap
source4/dsdb/tests/python/ldap.py

index 8ddb0ae9b8d725356423cfb6fe9399a17e89cf2a..ab2ceb0229378db6b92e69ef00c52e631ab3a652 100644 (file)
@@ -558,8 +558,21 @@ static int ildb_search(struct ildb_context *ac)
        msg->r.SearchRequest.tree = discard_const(req->op.search.tree);
 
        for (n = 0; req->op.search.attrs && req->op.search.attrs[n]; n++) /* noop */ ;
+
+       /*
+        * In LDB, an empty attribute list indicates a request for no
+        * attributes, but in LDAP no attributes is requested with an
+        * attribute list of ["1.1"] according to RFC4511:4.5.1.8.
+        */
+       if (req->op.search.attrs && n == 0) {
+               static const char * attrs[] = {"1.1", NULL};
+               msg->r.SearchRequest.attributes = attrs;
+               n = 1;
+       } else {
+               msg->r.SearchRequest.attributes = req->op.search.attrs;
+       }
+
        msg->r.SearchRequest.num_attributes = n;
-       msg->r.SearchRequest.attributes = req->op.search.attrs;
        msg->controls = req->controls;
 
        return ildb_request_send(ac, msg);
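Review bot: The new comment explains the empty-list case but not why the guard is `req->op.search.attrs && n == 0` rather than plain `n == 0`. A NULL `attrs` also leaves `n` at 0 and must still go out as an empty LDAP list, which the server reads as "all attributes". Adding a sentence such as `A NULL list (all attributes) is passed through unchanged.` to the comment would make that distinction explicit for the next reader. The sentinel could also be declared `static const char * const attrs[] = {"1.1", NULL};` so the pointer table is read-only, assuming the `attributes` field accepts that type, as the cast-free assignment in the else branch suggests. ildb_search begins before this hunk and its closing brace is outside it.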
index 39e962316923fc290d304dc7eef93f1354d1d539..4978261ad7a22c69fbde4032b5ca6741476f0f8c 100644 (file)
@@ -461,7 +461,7 @@ class ContactCmdTestCase(SambaToolCmdTest):
         contactlist = self.samdb.search(base=self.samdb.domain_dn(),
                                         scope=ldb.SCOPE_SUBTREE,
                                         expression=search_filter,
-                                        attrs=[])
+                                        attrs=["*"])
         if contactlist:
             return contactlist[0]
         else:
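Review bot: The switch to `attrs=["*"]` carries no comment recording that this helper used to depend on an empty list reaching the LDAP server as "all attributes". A later cleanup could put `attrs=[]` back and silently get entries with no attributes. A one-line comment above the search call, such as `# attrs=[] means "no attributes" in LDB; request everything explicitly`, would preserve that reasoning. If the callers only read a few fields, naming those attributes instead of `*` would keep the query narrower. The callers are not visible here, and the enclosing method starts before the hunk.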
index 0331d3687d41a6e27f52505aca16d3edf1da7305..f1abcf2aca01971068d4de4ac5c49ec50ae6769a 100644 (file)
@@ -1,3 +1,2 @@
 # the attributes too long test returns the wrong error
 ^samba4.ldap.python.+test_attribute_ranges_too_long
-samba4.ldap.python\(ad_dc_default\).*__main__.BasicTests.test_ldapSearchNoAttributes
index 54219ee50033a71633c9c30f3d2fd2c0b75c8bd8..bc5fb45d9be69291023a1f879916a953359a111c 100755 (executable)
@@ -3200,6 +3200,40 @@ nTSecurityDescriptor:: """ + desc_base64
         self.assertEqual(len(res), 1)
         self.assertEqual(len(res[0]), 0)
 
+    def test_ldapSearchExplicitNoAttributesOid(self):
+        """Testing ldap search with the no attributes OID 1.1 specified"""
+
+        user_name = "testnoattributesoiduser"
+        user_dn = "CN=%s,%s" % (user_name, self.base_dn)
+        delete_force(self.ldb, user_dn)
+
+        self.ldb.add({"dn": user_dn,
+                      "objectClass": "user",
+                      "sAMAccountName": user_name})
+
+        res = self.ldb.search(user_dn, scope=SCOPE_BASE, attrs=["1.1"])
+        delete_force(self.ldb, user_dn)
+
+        self.assertEqual(len(res), 1)
+        self.assertEqual(len(res[0]), 0)
+
+    def test_ldapSearchAllAttributes(self):
+        """Testing ldap search with all attributes"""
+
+        user_name = "testallattributesuser"
+        user_dn = "CN=%s,%s" % (user_name, self.base_dn)
+        delete_force(self.ldb, user_dn)
+
+        self.ldb.add({"dn": user_dn,
+                      "objectClass": "user",
+                      "sAMAccountName": user_name})
+
+        res = self.ldb.search(user_dn, scope=SCOPE_BASE, attrs=["*"])
+        delete_force(self.ldb, user_dn)
+
+        self.assertEqual(len(res), 1)
+        self.assertTrue(len(res[0]) > 3)
+
 
 class BaseDnTests(samba.tests.TestCase):