Error in creating filter with nss_ldap

I use OpenSuse 10.3 with nss_ldap 257 and try to use AD as ldap server. When
I use the following ldap.conf file:

ldap_version    3
uri     ldap://w2k3r2.win2003r2.home/
base    DC=win2003r2,DC=home
binddn  cn=ldap user,cn=users,dc=win2003r2,dc=home
bindpw  secret
scope   sub
bind_policy     soft
nss_initgroups_ignoreusers      root,ldap
nss_schema      rfc2307bis

nss_map_attribute uidnumber employeeid

nss_base_passwd
cn=users,dc=win2003r2,dc=home?sub?(&(&(objectclass=user)(uidnumber=*))(employeeid=*))
nss_base_shadow
cn=users,dc=win2003r2,dc=home?sub?(&(&(objectclass=user)(uidnumber=*))(employeeid=*))
nss_base_group
cn=users,dc=win2003r2,dc=home?sub?(&(objectclass=group)(gidnumber=*))

I don't get any valid responses (despite having valid entries in AD as I
checked with ldapsearch) . I recompiled nss_ldap with debug and some extra
output. The output is below and it looks like nss_ldap is builing an invalid
filter.

Is this a bug ?

Thank you
Markus


nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_search
nss_ldap: ==> do_init
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> do_atfork_setup
nss_ldap: <== do_atfork_setup
nss_ldap: ==> _nss_ldap_add_uri
nss_ldap: <== _nss_ldap_add_uri: added URI ldap://w2k3r2.win2003r2.home/
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter:
(&(&(objectClass=posixGroup))((&(objectclass=group)(gidnumber=*))))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open (session connected to DSA)
nss_ldap: ==> do_search
nss_ldap: <== MM Filter:
(&(&(objectClass=posixGroup))((&(objectclass=group)(gidnumber=*))))
nss_ldap: <== MM rc: -7(Bad search filter)
nss_ldap: <== do_search
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search
nss_ldap: <== _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave

On Sat, Dec 22, 2007 at 11:40:22PM -0000, Markus Moeller wrote: nss_base_passwd
dc=samad,dc=com,dc=au?sub?|(host=hufpuf.lan1.hme1.samad.com.au)(|(host=hme1.samad.com.au)(host=samad.com.au))
nss_base_shadow
dc=samad,dc=com,dc=au?sub?|(host=hufpuf.lan1.hme1.samad.com.au)(|(host=hme1.samad.com.au)(host=samad.com.au))

notice the unmatch ) at the end, I think i found this by looking through the
code

Yes it works if I remove the brackets e.g.

nss_base_passwd
cn=users,dc=win2003r2,dc=home?sub?&(&(objectclass=user)(uidnumber=*))(employeeid=*)
nss_base_shadow
cn=users,dc=win2003r2,dc=home?sub?&(&(objectclass=user)(uidnumber=*))(employeeid=*)
nss_base_group
cn=users,dc=win2003r2,dc=home?sub?&(objectclass=group)(gidnumber=*)

It would be useful to print at least an error instead of silently ignore the
search error. It should be somewhere after ldap_search in ldap-nss.c calls
like in line 2701:

  rc = ldap_search_ext (__session.ls_conn, base, scope, filter,
                        (char **) attrs, 0, pServerCtrls, NULL,
                        LDAP_NO_LIMIT, sizelimit, msgid);
  if (rc != LDAP_SUCESS)
                  syslog (LOG_INFO,  "nss_ldap: ldap search error: %s
(%d)",ldap_err2string (rc),rc);



"Alex Samad" <alex@...> wrote in message
news:20071223055538.GA12092@......