authorPavel Březina <pbrezina@redhat.com>2012-11-13 13:53:13 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-19 13:51:40 +0100
commit05bfd452f037a60c87a25e04da51ed7bd02d6d97 (patch)
tree17ef63f876e64dd20d4ca839a6f3191134eea467
parent19091b6b2187f74393dcee874148e228fa1d84bf (diff)
sudo: store rules with no sudoHost attribute
https://fedorahosted.org/sssd/ticket/1640 Normal rules require that the sudoHost attribute is present. But this attribute is not mandatory for a special rule named cn=defaults. This patch modifies the filter so that we also store rules that don't have the sudoHost attribute specified. SUDO will then decide whether it is allowed or not.
-rw-r--r--src/providers/ldap/sdap_sudo.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index ebbc95d14..636eae41b 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -327,6 +327,13 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx,
goto done;
}
+ /* sudoHost is not specified */
+ filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",
+ map[SDAP_AT_SUDO_HOST].name);
+ if (filter == NULL) {
+ goto done;
+ }
+
/* ALL */
filter = talloc_asprintf_append_buffer(filter, "(%s=ALL)",
map[SDAP_AT_SUDO_HOST].name);
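Review bot: The added `(!(%s=*))` clause matches every rule entry that lacks sudoHost, not only cn=defaults, and the comment `/* sudoHost is not specified */` does not say so. From this point the host filter no longer limits host-less rules, and whether they apply is left to sudo, as the commit description states. I would record that at the clause, e.g. `/* no sudoHost at all: required for cn=defaults; any other host-less rule is stored too and sudo decides whether it applies */`. It would also be worth confirming that the sudo responder and the supported sudo versions never treat a rule without sudoHost as matching the local host, since that is now the only check for such rules. The body of sdap_sudo_build_host_filter starts and ends outside this hunk, so the enclosing filter operator is assumed to be an OR.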