From: Gary Lockyer Date: Thu, 15 Jan 2026 23:48:38 +0000 (+1300) Subject: lib:ldb-samba:ildap: fix empty attribute list handling X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a5135fe15e9391a2c9a6b7292fa8094e7754966;p=thirdparty%2Fsamba.git lib:ldb-samba:ildap: fix empty attribute list handling An LDB request interprets an empty attribute list as a request for no attributes, but LDAP interprets an empty list as a request for all attributes, and ["1.1"] as a request for no attributes, as per RFC4511:4.5.1.8(SearchRequest.attributes). We need to convert [] to ["1.1"] in the ildap module before the request goes out. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13852 Signed-off-by: Aaron Haslett Signed-off-by: Gary Lockyer Reviewed-by: Douglas Bagnall Autobuild-User(master): Douglas Bagnall Autobuild-Date(master): Wed Jan 21 03:29:23 UTC 2026 on atb-devel-224
---
diff --git a/lib/ldb-samba/ldb_ildap.c b/lib/ldb-samba/ldb_ildap.c
index 8ddb0ae9b8d..ab2ceb02293 100644
--- a/lib/ldb-samba/ldb_ildap.c
+++ b/lib/ldb-samba/ldb_ildap.c
@@ -558,8 +558,21 @@ static int ildb_search(struct ildb_context *ac)
 msg->r.SearchRequest.tree = discard_const(req->op.search.tree);
 for (n = 0; req->op.search.attrs && req->op.search.attrs[n]; n++) /* noop */ ;
+
+ /*
+ * In LDB, an empty attribute list indicates a request for no
+ * attributes, but in LDAP no attributes is requested with an
+ * attribute list of ["1.1"] according to RFC4511:4.5.1.8.
+ */
+ if (req->op.search.attrs && n == 0) {
+ static const char * attrs[] = {"1.1", NULL};
+ msg->r.SearchRequest.attributes = attrs;
+ n = 1;
+ } else {
+ msg->r.SearchRequest.attributes = req->op.search.attrs;
+ }
+
 msg->r.SearchRequest.num_attributes = n;
- msg->r.SearchRequest.attributes = req->op.search.attrs;
 msg->controls = req->controls;
 return ildb_request_send(ac, msg);
diff --git a/python/samba/tests/samba_tool/contact.py b/python/samba/tests/samba_tool/contact.py
index 39e96231692..4978261ad7a 100644
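Review bot: The fallback array in the new `if` branch is declared `static const char * attrs[]`, which makes the strings const but leaves the pointer slots writable, and because the object is static it is shared by every search this module sends. Declaring it `static const char * const no_attrs[] = {"1.1", NULL};` would let the compiler place it in read-only data, provided the type of `SearchRequest.attributes` (declared outside this hunk) accepts that qualifier. The comment could also state that a NULL `req->op.search.attrs` still reaches the `else` branch with `n == 0`, so it goes out as an empty LDAP list and keeps meaning "all attributes"; that distinction is what the `req->op.search.attrs && n == 0` test relies on. ildb_search begins and ends outside the hunk.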
--- a/python/samba/tests/samba_tool/contact.py
+++ b/python/samba/tests/samba_tool/contact.py
@@ -461,7 +461,7 @@ class ContactCmdTestCase(SambaToolCmdTest):
 contactlist = self.samdb.search(base=self.samdb.domain_dn(),
 scope=ldb.SCOPE_SUBTREE,
 expression=search_filter,
- attrs=[])
+ attrs=["*"])
 if contactlist:
 return contactlist[0]
 else:
diff --git a/selftest/knownfail.d/ldap b/selftest/knownfail.d/ldap
index 0331d3687d4..f1abcf2aca0 100644
--- a/selftest/knownfail.d/ldap
+++ b/selftest/knownfail.d/ldap
@@ -1,3 +1,2 @@
 # the attributes too long test returns the wrong error
 ^samba4.ldap.python.+test_attribute_ranges_too_long
-samba4.ldap.python\(ad_dc_default\).*__main__.BasicTests.test_ldapSearchNoAttributes
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 54219ee5003..bc5fb45d9be 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -3200,6 +3200,40 @@ nTSecurityDescriptor:: """ + desc_base64
 self.assertEqual(len(res), 1)
 self.assertEqual(len(res[0]), 0)
+ def test_ldapSearchExplicitNoAttributesOid(self):
+ """Testing ldap search with the no attributes OID 1.1 specified"""
+
+ user_name = "testnoattributesoiduser"
+ user_dn = "CN=%s,%s" % (user_name, self.base_dn)
+ delete_force(self.ldb, user_dn)
+
+ self.ldb.add({"dn": user_dn,
+ "objectClass": "user",
+ "sAMAccountName": user_name})
+
+ res = self.ldb.search(user_dn, scope=SCOPE_BASE, attrs=["1.1"])
+ delete_force(self.ldb, user_dn)
+
+ self.assertEqual(len(res), 1)
+ self.assertEqual(len(res[0]), 0)
+
+ def test_ldapSearchAllAttributes(self):
+ """Testing ldap search with all attributes"""
+
+ user_name = "testallattributesuser"
+ user_dn = "CN=%s,%s" % (user_name, self.base_dn)
+ delete_force(self.ldb, user_dn)
+
+ self.ldb.add({"dn": user_dn,
+ "objectClass": "user",
+ "sAMAccountName": user_name})
+
+ res = self.ldb.search(user_dn, scope=SCOPE_BASE, attrs=["*"])
+ delete_force(self.ldb, user_dn)
+
+ self.assertEqual(len(res), 1)
+ self.assertTrue(len(res[0]) > 3)
+
 class BaseDnTests(samba.tests.TestCase):
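Review bot: In test_ldapSearchAllAttributes the only evidence that attributes came back is `self.assertTrue(len(res[0]) > 3)`, and the threshold 3 is not explained. Checking for an attribute the test itself wrote, e.g. `self.assertIn("sAMAccountName", res[0])` (assuming the result message supports `in`), would pin the behaviour more directly, and `self.assertGreater(len(res[0]), 3)` would report the actual count on failure. In both new tests the user is removed by a plain `delete_force` call after the search, so an exception raised by `search` skips the removal; `self.addCleanup(delete_force, self.ldb, user_dn)` placed right after the `add` would cover that path.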