cracknames: Change search filter to use the smaller index

In large domains with many users, '(objectClass=User)' may as well not
be specified because it's iterating over the entire database.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 3360d9a48a54a66dd41841c51e548d7ddb4216de..b4bd9d8f9c9a11e9b943185027c3ad129ffaf7e9 100644 (file)
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -339,7 +339,7 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
        }
 
        /* This may need to be extended for more userPrincipalName variations */
-       result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))", 
+       result_filter = talloc_asprintf(mem_ctx, "(&(samAccountName=%s)(objectClass=user))",
                                        ldb_binary_encode_string(mem_ctx, unparsed_name_short));
 
        domain_filter = talloc_asprintf(mem_ctx, "(distinguishedName=%s)", ldb_dn_get_linearized(domain_res->msgs[0]->dn));
@@ -706,7 +706,7 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
                krb5_free_principal(smb_krb5_context->krb5_context, principal);
 
                /* The ldb_binary_encode_string() here avoid LDAP filter injection attacks */
-               result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(userPrincipalName=%s))", 
+               result_filter = talloc_asprintf(mem_ctx, "(&(userPrincipalName=%s)(objectClass=user))",
                                                ldb_binary_encode_string(mem_ctx, unparsed_name));
 
                free(unparsed_name);