Bug 1031670

Summary: ldapsearch 2.4.35+ does not apply filters
Product: [Fedora] Fedora
Reporter: Cyril Sluchanko <bugzilla.10.cyrils>
Component: openldap
Assignee: Jan Synacek <jsynacek>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 19
CC: jsynacek, jv+fedora, phracek, rmeggins
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-11-19 08:55:49 UTC
Type: Bug

Description Cyril Sluchanko 2013-11-18 13:58:33 UTC
Description of problem: When I try to search a directory (MS AD in my case) for a set of entries defined by an LDAP search filter on the ldapsearch command line, I get all objects in the directory. For example:

ldapsearch domain.com -LLL -H ldap://domain.com:389 -b dc=domain,dc=com -x -D "cn=User,ou=Some_OU,dc=domain,dc=com" -w password -a always -l 0 -t 0 '(&(objectclass=user)(!(objectclass=computer)))' dn

I expect to get a set of entries without computers; however, I get all entries. Other filters do not work either.

I've checked the same string on Slackware with openldap 2.4.31 - all works fine. 


Version-Release number of selected component (if applicable): 2.4.35-4.fc19 and later


How reproducible: Always


Steps to Reproduce:
1. Perform an LDAP search with any filter

Actual results: All directory entries in output.

Expected results: Filtered set of entries in output.


Additional info:

Comment 1 Cyril Sluchanko 2013-11-18 17:01:20 UTC
2.4.35 on Gentoo works fine too.

Comment 2 Jan Synacek 2013-11-19 08:55:49 UTC
Filters work fine, your ldapsearch invocation is wrong. You use '-t 0' which probably messes up the filters. The -t parameter doesn't have an additional argument.

$ ldapsearch -LLL -H ldap://localhost -x  -l 0 -t -a always -b 'cn=config' '(objectclass=olcDatabaseConfig)' dn
dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}monitor,cn=config

dn: olcDatabase={2}hdb,cn=config

Now with the '-t 0':

$ ldapsearch -LLL -H ldap://localhost -x  -l 0 -t 0 -a always -b 'cn=config' '(objectclass=olcDatabaseConfig)' dn
dn: cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}monitor,cn=config

dn: olcDatabase={2}hdb,cn=config
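
A model of the argument handling that Comment 2 points to, as an added example that is not part of the bug report or of OpenLDAP's code. It assumes ldapsearch takes the first positional argument as the filter only when it starts with `(` or contains `=`, and otherwise falls back to `(objectclass=*)` and treats every positional as an attribute name, which is consistent with the output above; `OPTSTRING` is a subset of the real options, and `split_search_args` and `lint` are hypothetical names.

```python
import getopt
import shlex

# Assumption: a subset of ldapsearch's options, enough for the commands in
# Comment 2. A trailing ':' means the option consumes an argument; -t does not.
OPTSTRING = "a:b:D:H:l:Ls:tw:xz:"
DEFAULT_FILTER = "(objectclass=*)"

# The two invocations from Comment 2.
GOOD = ("ldapsearch -LLL -H ldap://localhost -x -l 0 -t -a always "
        "-b 'cn=config' '(objectclass=olcDatabaseConfig)' dn")
BAD = ("ldapsearch -LLL -H ldap://localhost -x -l 0 -t 0 -a always "
       "-b 'cn=config' '(objectclass=olcDatabaseConfig)' dn")


def looks_like_filter(arg):
    """Heuristic assumed for the first positional argument."""
    return arg.startswith("(") or "=" in arg


def split_search_args(command):
    """Return (effective_filter, attribute_list) for an ldapsearch command."""
    argv = shlex.split(command)[1:]  # drop the program name
    # gnu_getopt keeps scanning past non-options, like glibc getopt(), so the
    # stray "0" after -t ends up as the first positional argument.
    _opts, positionals = getopt.gnu_getopt(argv, OPTSTRING)
    if positionals and looks_like_filter(positionals[0]):
        return positionals[0], positionals[1:]
    return DEFAULT_FILTER, positionals


def lint(command):
    """Warn when something that looks like a filter was parsed as an attribute."""
    effective, attrs = split_search_args(command)
    return [
        f"{attr!r} is parsed as an attribute name; effective filter is {effective}"
        for attr in attrs
        if looks_like_filter(attr)
    ]


if __name__ == "__main__":
    for cmd in (GOOD, BAD):
        print(split_search_args(cmd), lint(cmd))
```

A check like this is useful in scripts that build ldapsearch commands, because the widened search returns entries without any error.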