Diffstat (limited to 'src/back-sch.c')
-rw-r--r-- | src/back-sch.c | 81 |
1 files changed, 72 insertions, 9 deletions
diff --git a/src/back-sch.c b/src/back-sch.c
index 27d5101..27ac24f 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -1166,6 +1166,44 @@ backend_search_set_cb(const char *group, const char *set, bool_t flag,
 return TRUE;
 }
+/* Routines to search if a target DN is within any of the sets we handle */
+static bool_t
+backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_t flag,
+ void *backend_data, void *cb_data)
+{
+ struct backend_search_cbdata *cbdata;
+ struct backend_set_data *set_data;
+
+ cbdata = cb_data;
+ set_data = backend_data;
+
+ if (slapi_sdn_scope_test(cbdata->target_dn,
+ set_data->container_sdn,
+ cbdata->scope) == 1) {
+ cbdata->answer = TRUE;
+ }
+
+ if (slapi_sdn_compare(set_data->container_sdn,
+ cbdata->target_dn) == 0) {
+ cbdata->answer = TRUE;
+ }
+
+ return TRUE;
+
+}
+
+static bool_t
+backend_search_find_set_dn_cb(const char *group, void *cb_data)
+{
+ struct backend_search_cbdata *cbdata;
+
+ cbdata = cb_data;
+ map_data_foreach_map(cbdata->state, group,
+ backend_search_find_set_dn_in_group_cb, cb_data);
+ return TRUE;
+}
+
+/* Routines to find out the set that has the same group as requested */
 static bool_t
 backend_search_find_set_data_in_group_cb(const char *group, const char *set, bool_t flag, void *backend_data, void *cb_data)
@@ -1340,9 +1378,6 @@ backend_search_cb(Slapi_PBlock *pb)
 "searching from \"%s\" for \"%s\" with scope %d%s\n", cbdata.target, cbdata.strfilter, cbdata.scope, backend_sch_scope_as_string(cbdata.scope));
-#ifdef USE_IPA_IDVIEWS
- idview_replace_target_dn(&cbdata.target, &cbdata.idview);
-#endif
 cbdata.target_dn = slapi_sdn_new_dn_byval(cbdata.target);
 /* Check if there's a backend handling this search. */
 if (!slapi_be_exist(cbdata.target_dn)) {
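Review bot: In `backend_search_find_set_dn_in_group_cb` (first hunk) the containment test passes the client's requested scope, `cbdata->scope`, to `slapi_sdn_scope_test()`, so whether the search base counts as lying inside a handled container depends on a value the client supplies. With a base or one-level scope, a target that is an entry below a container would fail both this test and the `slapi_sdn_compare()` check; in the third hunk that either sends a DN already inside a handled set through the ID-view rewrite or, after a rewrite, lands on the "ignoring search" `return 0` path. If the intent is the one in the comment ("within any of the sets we handle"), the test should not vary with the request: `if (slapi_sdn_scope_test(cbdata->target_dn, set_data->container_sdn, LDAP_SCOPE_SUBTREE) == 1) {`, which would probably also make the separate equality check redundant. Please confirm this against the server's `slapi_sdn_scope_test()` semantics, and add a one-line comment saying that `answer` is borrowed here as a "base matched a container" flag.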
@@ -1351,19 +1386,47 @@ backend_search_cb(Slapi_PBlock *pb)
 "slapi_be_exists(\"%s\") = 0, " "ignoring search\n", cbdata.target);
 slapi_sdn_free(&cbdata.target_dn);
+ return 0;
+ }
+
+#ifdef USE_IPA_IDVIEWS
+ /* We may have multiple disjoint trees in the sets, search if the target matches any of them
+ * as in general there don't have to be a single subtree (cn=compat,$SUFFIX) for all trees to easily
+ * detect the ID view use. Unless the ID view is within the set we control, don't consider the override */
+ map_data_foreach_domain(cbdata.state, backend_search_find_set_dn_cb, &cbdata);
+ if (cbdata.answer == FALSE) {
+ idview_replace_target_dn(&cbdata.target, &cbdata.idview);
 if (cbdata.idview != NULL) {
- slapi_ch_free_string(&cbdata.target);
+ slapi_sdn_free(&cbdata.target_dn);
+ /* Perform another check, now for rewritten DN */
+ cbdata.target_dn = slapi_sdn_new_dn_byval(cbdata.target);
+ map_data_foreach_domain(cbdata.state, backend_search_find_set_dn_cb, &cbdata);
+ /* Rewritten DN might still be outside of our trees */
+ if (cbdata.answer == TRUE) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, cbdata.state->plugin_desc->spd_id,
+ "Use of ID view '%s' is detected, searching from \"%s\" "
+ "for \"%s\" with scope %d%s. Filter may get overridden later.\n",
+ cbdata.idview, cbdata.target, cbdata.strfilter, cbdata.scope,
+ backend_sch_scope_as_string(cbdata.scope));
+ } else {
+ slapi_sdn_free(&cbdata.target_dn);
+ slapi_ch_free_string(&cbdata.target);
+ slapi_ch_free_string(&cbdata.idview);
+ slapi_log_error(SLAPI_LOG_PLUGIN,
+ cbdata.state->plugin_desc->spd_id,
+ "The search base didn't match any of the containers, "
+ "ignoring search\n");
+ return 0;
+ }
 }
- slapi_ch_free_string(&cbdata.idview);
-#ifdef USE_IPA_IDVIEWS
- idview_free_overrides(&cbdata);
-#endif
- return 0;
 }
+ cbdata.answer = FALSE;
+#endif
 /* Walk the list of groups.
*/
 wrap_inc_call_level();
 #ifdef USE_IPA_IDVIEWS
+ /* Filter replacement requires increased call level as we may fetch overrides and thus come back here */
 idview_replace_filter(&cbdata);
 #endif
 if (map_rdlock() == 0) { |
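Review bot: The first `if (cbdata.answer == FALSE)` depends on `cbdata.answer` being FALSE on entry, but nothing in this hunk sets it before the first `map_data_foreach_domain()` call, and the new callbacks only ever set it to TRUE. Add `cbdata.answer = FALSE;` immediately before that call unless the initialisation earlier in `backend_search_cb` (outside this hunk) is guaranteed to cover it, because a stale TRUE would silently skip both the ID-view rewrite and the container check. Separately, the new `return 0` in the else branch frees `target_dn`, `target` and `idview` but no longer makes the `idview_free_overrides(&cbdata)` call that the removed exit path made; please confirm nothing can have populated overrides by that point. `backend_search_cb` starts and ends outside the hunk.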