diff options
author | Garming Sam <garming@catalyst.net.nz> | 2019-01-23 16:16:16 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2019-02-01 03:36:17 +0100 |
commit | f00362fb3d02f01346504ebe8d1ad8eb0dd5bb47 (patch) | |
tree | 0547c9e6b44850843e3bd5c26a499a462f5028d8 | |
parent | 5bfad1b2b08031b99834c9ca39c1900d52c8eb0d (diff) | |
download | samba-f00362fb3d02f01346504ebe8d1ad8eb0dd5bb47.tar.gz |
cracknames: Change search filter to use the smaller index
In large domains with many users, '(objectClass=User)' may as well not
be specified because it's iterating over the entire database.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/dsdb/samdb/cracknames.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c index 3360d9a48a5..b4bd9d8f9c9 100644 --- a/source4/dsdb/samdb/cracknames.c +++ b/source4/dsdb/samdb/cracknames.c @@ -339,7 +339,7 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, } /* This may need to be extended for more userPrincipalName variations */ - result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))", + result_filter = talloc_asprintf(mem_ctx, "(&(samAccountName=%s)(objectClass=user))", ldb_binary_encode_string(mem_ctx, unparsed_name_short)); domain_filter = talloc_asprintf(mem_ctx, "(distinguishedName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn)); @@ -706,7 +706,7 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, krb5_free_principal(smb_krb5_context->krb5_context, principal); /* The ldb_binary_encode_string() here avoid LDAP filter injection attacks */ - result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(userPrincipalName=%s))", + result_filter = talloc_asprintf(mem_ctx, "(&(userPrincipalName=%s)(objectClass=user))", ldb_binary_encode_string(mem_ctx, unparsed_name)); free(unparsed_name); |