authorAlexander Bokovoy <abokovoy@redhat.com>2014-10-09 13:52:38 +0300
committerAlexander Bokovoy <abokovoy@redhat.com>2014-10-10 11:58:35 +0300
commitc407d5a83e505ee0f1b606c801ededf3a38f6145 (patch)
tree21d08fe24abb2be11054fb37f2bf6b1dd1679773
parent08b596b5040af4df34bc2d8dfab8283d5938c448 (diff)
slapi-nis: normalize memberUid search filter when searching AD users
The memberUid attribute uses IA5 String comparison, which is case-sensitive. At the same time, the uid attribute uses case-insensitive comparison. When memberUid is constructed for groups from AD, SSSD normalizes names to lower case. slapi-nis records these entries as they are produced by SSSD. However, the search filter is not modified, so the case-sensitive comparison of the memberUid attribute may fail to match the original term. Work around the issue by lower-casing the memberUid term in the search filter if it includes an '@' sign, meaning we are searching on a fully-qualified user name provided by SSSD. https://bugzilla.redhat.com/show_bug.cgi?id=1130131
-rw-r--r--src/back-sch-nss.c35
1 files changed, 32 insertions, 3 deletions
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
index 26d4b8c..12ae589 100644
--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
@@ -60,7 +60,7 @@ bvstrprefix(const struct berval *bval, const char *s)
len = strlen(s);
if (len < bval->bv_len) {
- return strncasecmp(bval->bv_val, s, len) != 0;
+ return slapi_utf8ncasecmp((unsigned char *) bval->bv_val, (unsigned char *) s, len) != 0;
}
return 1;
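Review bot: The limit passed to slapi_utf8ncasecmp on the changed line is `len`, a byte count from `strlen(s)`, while `bval->bv_val` is a length-counted buffer that need not be NUL-terminated. As far as I recall the API documents its third argument as a number of UTF-8 characters (and takes it as `int`), so a value containing multi-byte sequences could be compared past `bv_len` bytes; please confirm against the slapi-plugin documentation. The same applies to both calls in bvstrcasecmp in the next hunk, including the `MIN(bval->bv_len, len)` one. If the character-count reading is right, compare against a NUL-terminated copy of the value, and in either case record the assumption next to the call, e.g. `/* bv_val is not NUL-terminated: the compare must never read beyond bv_len bytes */`. bvstrprefix starts outside the hunk.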
@@ -75,9 +75,9 @@ bvstrcasecmp(const struct berval *bval, const char *s)
len = strlen(s);
if (len == bval->bv_len) {
- return strncasecmp(bval->bv_val, s, len);
+ return slapi_utf8ncasecmp((unsigned char *) bval->bv_val, (unsigned char *) s, len);
}
- c = strncasecmp(bval->bv_val, s, MIN(bval->bv_len, len));
+ c = slapi_utf8ncasecmp((unsigned char *) bval->bv_val, (unsigned char *) s, MIN(bval->bv_len, len));
if (c != 0) {
return c;
}
@@ -111,6 +111,35 @@ backend_search_filter_has_cn_uid(Slapi_Filter *filter, void *arg)
} else if (0 == strcasecmp(filter_type, "cn")) {
config->name_set = TRUE;
} else if (0 == strcasecmp(filter_type, "memberUid")) {
+ /* memberUid is case-sensitive in RFC 2307 but uid is case-insensitive
+ * When memberUid is generated for SSSD-provided entries, it is low-cased,
+ * we need to low case the filter value to actually match it.
+ * However, we will do it only for fully qualified names as they are coming from SSSD. */
+ char *memberUid = NULL;
+ char *lwMemberUid = NULL;
+ unsigned int i = 0;
+
+ for (i=0; i < bval->bv_len ; i++) {
+ if (bval->bv_val[i] == '@')
+ break;
+ }
+
+ if (i < bval->bv_len) {
+ memberUid = slapi_ch_malloc(bval->bv_len + 1);
+ if (memberUid != NULL) {
+ memcpy(memberUid, bval->bv_val, bval->bv_len);
+ memberUid[bval->bv_len] = '\0';
+ lwMemberUid = (char *) slapi_utf8StrToLower((unsigned char*) memberUid);
+ if (lwMemberUid != NULL) {
+ struct berval bval_lw = {0, NULL};
+ bval_lw.bv_len = strlen((const char *) lwMemberUid);
+ bval_lw.bv_val = lwMemberUid;
+ slapi_ber_bvdone(bval);
+ slapi_ber_bvcpy(bval, &bval_lw);
+ }
+ slapi_ch_free_string(&memberUid);
+ }
+ }
config->name_set = TRUE;
config->search_members = TRUE;
} else if ((0 == strcasecmp(filter_type, "objectClass")) &&
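Review bot: `lwMemberUid` is never released in the added block. slapi_utf8StrToLower returns a newly allocated string, and if slapi_ber_bvcpy duplicates the value rather than taking ownership (which I believe it does), the lowered copy leaks on every search whose memberUid value contains '@', so repeated client searches grow the server's memory. Add `slapi_ch_free_string(&lwMemberUid);` right after `slapi_ber_bvcpy(bval, &bval_lw);`. Separately, `bval_lw.bv_len` is taken with `strlen`, so a filter value with an embedded NUL byte is silently truncated; a comment such as `/* value is truncated at the first NUL byte, if any */` would make that explicit. The enclosing function starts and continues outside the hunk, so where `bval` comes from and whether the filter owns `bval->bv_val` at the `slapi_ber_bvdone(bval)` call is not visible here.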