Searching with scope "sub" does not include baseDN on Samba 4.7.6

Hi, we’ve found an issue (on current branch next) with subtree-scoped searches against Samba 4.7.6 LDAP not returning the base DN when they should.

Assuming baseDN = 'CN=Users,DC=ad,DC=example,DC=org' and a DIT with only the Users container (no objects underneath it):

• ldapsearch -b "cn=Users,dc=ad,dc=example,dc=org" -s sub '(objectClass=container)' ✔️ works - returns exactly 1 entry (the Users container)
• client.search(baseDN, { scope: 'base', filter: new EqualityFilter({ attribute: 'objectClass', value: 'container' }) }) ✔️ works - returns exactly 1 entry
• client.search(baseDN, { scope: 'sub', filter: new EqualityFilter({ attribute: 'objectClass', value: 'container' }) }) ❌ does not work - returns exactly 0 entries - this should be impossible!

What is more concerning is that it seems that it behaves differently on Samba 4.11 (not sure why, but probably because of some opaque internal LDB handling changes).

We initially thought it was caused by #602, but even after fixing the race condition and using our fork of the library, the issue remained. The queries looked legit, but we decided to compare the generated BER on the wire with the actual messages sent by ldapsearch.

There’s only 1 difference: whitespace in DNs:

• ldapsearch sends the DNs as-is, without processing: CN=Users,DC=ad,DC=example,DC=org
• ldapjs re-formats DNs like this: cn=Users, dc=ad, dc=example, dc=org - with spaces as separators!

What’s strange is that RFC 4514 (String Representation of Distinguished Names) does not seem to imply spaces are valid RDN separators. In fact, the only separator it defines is , (comma, or U+002C).

Why it works with scope: 'base' is beyond me, but when we tested ldapsearch with a re-formatted baseDN with spaces inserted with scope sub, we got the same results as with ldapjs (0 results). This means the spaces really are extraneous.

This looks related to #151 and the defaults it established. I’m really surprised it hasn’t caused a bigger number of issues till now.

I wonder about @mcavage’s comments in #80 on “old LDAP clients” - this implies that “new LDAP clients” (what about servers?) should handle spaces in DNs gracefully, right? It seems non-obvious to me since I can’t find an explanation for this special handling of spaces in the RFCs, though human users could of course imply that whitespaces are insignificant (which they are apparently not, to this Samba instance).

For now, I’ll get a fix ready that changes the DN serialization in SearchRequest messages to not use spaces. More generally, it seems like a long-standing mistake to add spaces by default if RFC 4514 does not define them as separators. At this point, a change to the default value produced by DN.toString() will likely break people’s systems, though, so this “precision” fix that only targets SearchRequest seems like a more viable option.