From 2c97299c19a71aa41eef3f3155c24347cf392615 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 11 Mar 2011 05:06:48 -0500
Subject: [PATCH 1/2] Require existence of GID number and name in group searches
https://fedorahosted.org/sssd/ticket/824
---
src/providers/ldap/ldap_id.c | 9 ++++++---
src/providers/ldap/ldap_id_enum.c | 28 ++++++++++++++++------------
src/providers/ldap/sdap_async_accounts.c | 30 ++++++++++++++++++++----------
3 files changed, 42 insertions(+), 25 deletions(-)
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 9a234280082f7396eda4307e9e4bb4bd63b5615c..776df1ac2d9e983a792fbba0f6773c082898708d 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -335,9 +335,12 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
goto fail;
}
- state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
- attr_name, clean_name,
- ctx->opts->group_map[SDAP_OC_GROUP].name);
+ state->filter =
+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ attr_name, clean_name,
+ ctx->opts->group_map[SDAP_OC_GROUP].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
if (!state->filter) {
DEBUG(2, ("Failed to build filter\n"));
ret = ENOMEM;
diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
index f47ee9fbe170bae0058a682a3a051df21cfbc0d6..42c2911926602bfc2e3a33a0af837d6e809ee68b 100644
--- a/src/providers/ldap/ldap_id_enum.c
+++ b/src/providers/ldap/ldap_id_enum.c
@@ -546,19 +546,23 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
state->op = op;
if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) {
- state->filter = talloc_asprintf(state,
- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))",
- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
- ctx->opts->group_map[SDAP_OC_GROUP].name,
- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
- ctx->srv_opts->max_group_value,
- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
- ctx->srv_opts->max_group_value);
+ state->filter = talloc_asprintf(
+ state,
+ "(&(objectclass=%s)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
+ ctx->opts->group_map[SDAP_OC_GROUP].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+ ctx->srv_opts->max_group_value,
+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+ ctx->srv_opts->max_group_value);
} else {
- state->filter = talloc_asprintf(state,
- "(&(%s=*)(objectclass=%s))",
- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
- ctx->opts->group_map[SDAP_OC_GROUP].name);
+ state->filter = talloc_asprintf(
+ state,
+ "(&(objectclass=%s)(%s=*)(%s=*))",
+ ctx->opts->group_map[SDAP_OC_GROUP].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
}
if (!state->filter) {
DEBUG(2, ("Failed to build filter\n"));
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
index 8e459598674d589c0cdfcece125c183f7c95bb4d..3fedf07da7fbdc9409f5360ba8301158a65014cd 100644
--- a/src/providers/ldap/sdap_async_accounts.c
+++ b/src/providers/ldap/sdap_async_accounts.c
@@ -2007,10 +2007,12 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
return NULL;
}
- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
opts->group_map[SDAP_AT_GROUP_MEMBER].name,
clean_name,
- opts->group_map[SDAP_OC_GROUP].name);
+ opts->group_map[SDAP_OC_GROUP].name,
+ opts->group_map[SDAP_AT_GROUP_NAME].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name);
if (!filter) {
talloc_zfree(req);
return NULL;
@@ -2211,8 +2213,10 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
return NULL;
}
- state->filter = talloc_asprintf(state, "(objectclass=%s)",
- opts->group_map[SDAP_OC_GROUP].name);
+ state->filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=*)(%s=*))",
+ opts->group_map[SDAP_OC_GROUP].name,
+ opts->group_map[SDAP_AT_GROUP_NAME].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name);
if (!state->filter) {
talloc_zfree(req);
return NULL;
@@ -3103,8 +3107,10 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
}
filter = talloc_asprintf(
- sdap_attrs, "(objectclass=%s)",
- state->opts->group_map[SDAP_OC_GROUP].name);
+ sdap_attrs, "(&(objectclass=%s)(%s=*)(%s=*))",
+ state->opts->group_map[SDAP_OC_GROUP].name,
+ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ state->opts->group_map[SDAP_AT_GROUP_GID].name);
if (!filter) {
talloc_free(sdap_attrs);
return ENOMEM;
@@ -3435,10 +3441,12 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
return NULL;
}
- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
opts->group_map[SDAP_AT_GROUP_MEMBER].name,
clean_orig_dn,
- opts->group_map[SDAP_OC_GROUP].name);
+ opts->group_map[SDAP_OC_GROUP].name,
+ opts->group_map[SDAP_AT_GROUP_NAME].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name);
if (!filter) {
talloc_zfree(req);
return NULL;
@@ -3839,10 +3847,12 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
}
filter = talloc_asprintf(
- tmp_ctx, "(&(%s=%s)(objectclass=%s))",
+ tmp_ctx, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
state->opts->group_map[SDAP_AT_GROUP_MEMBER].name,
clean_orig_dn,
- state->opts->group_map[SDAP_OC_GROUP].name);
+ state->opts->group_map[SDAP_OC_GROUP].name,
+ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ state->opts->group_map[SDAP_AT_GROUP_GID].name);
if (!filter) {
ret = ENOMEM;
goto error;
--
1.7.4