AD: process non-posix nested groups w/o tokenGroups

When initgr is performed for AD not supporting tokenGroups, do not
filter out groups without gid attribute or with gid equal to zero.

Resolves:
https://fedorahosted.org/sssd/ticket/2343

Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 981bf55532fbec91a106f82d7daf32094c76dfe0)

1 files changed, 1 insertions, 5 deletions

diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 22b94ca03..92bc9e2b8 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -1587,11 +1587,7 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
                                         "(%s=*))",
                                         opts->group_map[SDAP_AT_GROUP_OBJECTSID].name);
     } else {
-        /* When not ID-mapping, make sure there is a non-NULL UID */
-        state->base_filter = talloc_asprintf_append(state->base_filter,
-                                        "(&(%s=*)(!(%s=0))))",
-                                        opts->group_map[SDAP_AT_GROUP_GID].name,
-                                        opts->group_map[SDAP_AT_GROUP_GID].name);
+        state->base_filter = talloc_asprintf_append(state->base_filter, ")");
     }
     if (!state->base_filter) {
         talloc_zfree(req);