Fix some LDAP queries in the vendored samba code

Some of the LDAP queries, although working on simple single-domain environments, were causing problems on more complex ones (multiple domains). This refines some of the queries to properly handle both cases using the values that they should be using.
ubuntu · Jan 31, 2025 · 81549ef · 81549ef
1 parent 4546cda
commit 81549ef
Showing 1 changed file with 10 additions and 7 deletions.
diff --git a/internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py b/internal/policies/certificate/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py
@@ -151,10 +151,11 @@ def fetch_certification_authorities(ldb):
     [MS-CAESO] 4.4.5.3.1.2
     """
     result = []
-    basedn = ldb.get_default_basedn()
+    configdn = ldb.get_config_basedn()
     # Autoenrollment MUST do an LDAP search for the CA information
     # (pKIEnrollmentService) objects under the following container:
-    dn = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,%s' % basedn
+    dn = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,%s' % configdn
+
     attrs = ['cACertificate', 'cn', 'dNSHostName']
     expr = '(objectClass=pKIEnrollmentService)'
     res = ldb.search(dn, SCOPE_SUBTREE, expr, attrs)
@@ -171,8 +172,8 @@ def fetch_certification_authorities(ldb):
 def fetch_template_attrs(ldb, name, attrs=None):
     if attrs is None:
         attrs = ['msPKI-Minimal-Key-Size']
-    basedn = ldb.get_default_basedn()
-    dn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%s' % basedn
+    configdn = ldb.get_config_basedn()
+    dn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,%s' % configdn
     expr = '(cn=%s)' % name
     res = ldb.search(dn, SCOPE_SUBTREE, expr, attrs)
     if len(res) == 1 and 'msPKI-Minimal-Key-Size' in res[0]:
@@ -495,15 +496,17 @@ def __read_cep_data(self, guid, ldb, end_point_information,
             # If the current group contains a
             # CertificateEnrollmentPolicyEndPoint instance with EndPoint.URI
             # equal to "LDAP":
-            if any([e['URL'] == 'LDAP:' for e in end_point_group]):
+            for e in end_point_group:
+                if e['URL'] != 'LDAP:':
+                    continue
                 # Perform an LDAP search to read the value of the objectGuid
                 # attribute of the root object of the forest root domain NC. If
                 # any errors are encountered, continue with the next group.
                 res = ldb.search('', SCOPE_BASE, '(objectClass=*)',
-                                 ['rootDomainNamingContext'])
+                                 ['defaultNamingContext'])
                 if len(res) != 1:
                     continue
-                res2 = ldb.search(res[0]['rootDomainNamingContext'][0],
+                res2 = ldb.search(res[0]['defaultNamingContext'][0],
                                   SCOPE_BASE, '(objectClass=*)',
                                   ['objectGUID'])
                 if len(res2) != 1: