ldb_match - Ignore ":dn" part of extended matches for now

It's not fully clear what this ":dn" part means for us. What we know is that
older AD implementations (Windows Server 2000, 2003) need it to have extended
matches working in the expected way.

To be able to interoperate with s3's winbind and other tools I and gd decided
to transform this into a warning until we know what to do.

This should fix bug #6511.

diff --git a/source4/lib/ldb/common/ldb_match.c b/source4/lib/ldb/common/ldb_match.c
index f639effc96b17f621fca53360ce84af92e6a015d..4bd121a438a8ef02d91c878696db37a0800dc36d 100644 (file)
--- a/source4/lib/ldb/common/ldb_match.c
+++ b/source4/lib/ldb/common/ldb_match.c
@@ -316,8 +316,11 @@ static int ldb_match_extended(struct ldb_context *ldb,
        struct ldb_message_element *el;
 
        if (tree->u.extended.dnAttributes) {
-               ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb: dnAttributes extended match not supported yet");
-               return -1;
+               /* FIXME: We really need to find out what this ":dn" part in
+                * an extended match means and how to handle it. For now print
+                * only a warning to have s3 winbind and other tools working
+                * against us. - Matthias */
+               ldb_debug(ldb, LDB_DEBUG_WARNING, "ldb: dnAttributes extended match not supported yet");
        }
        if (tree->u.extended.rule_id == NULL) {
                ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb: no-rule extended matches not supported yet");