author | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-08 11:49:40 +0200 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-08 19:13:26 +0200 |
commit | 2284e50c801a53541016eb9a5af00d1250d36afb (patch) | |
tree | c9b5e0e6e9a914baaedfbf430cb7dce039a392c0 | |
parent | 75c465e1f9e047a981b29634b77b50dc684c4c89 (diff) | |
LDAP: Skip dereferenced entries that we are not permitted to read
https://fedorahosted.org/sssd/ticket/2421
When we dereference an entry for which we have /some/ read permission,
but only request attributes that we are not allowed to read, the
dereference control returns nothing but the DN.
This is also the case with the current version of 389DS for cases where
no entries at all are readable. In this case, the server should not return
the DN at all, though. This DS bug was tracked as
https://fedorahosted.org/389/ticket/47885
Reviewed-by: Michal Židek <mzidek@redhat.com>
-rw-r--r-- | src/providers/ldap/sdap.c | 7 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.c | 8 |
2 files changed, 11 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index f2178dd0a..ff50f8b5d 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -580,10 +580,11 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
               "Dereferenced DN: %s\n", orig_dn);
     if (!dref->attrVals) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              "Dereferenced entry [%s] has no attributes\n",
+        DEBUG(SSSDBG_FUNC_DATA,
+              "Dereferenced entry [%s] has no attributes, skipping\n",
               orig_dn);
-        ret = EINVAL;
+        *_res = NULL;
+        ret = EOK;
         goto done;
     }
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 87c125faa..a8ea53113 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1061,6 +1061,12 @@ static errno_t add_to_deref_reply(TALLOC_CTX *mem_ctx,
 {
     int i;
+    if (res == NULL) {
+        /* Nothing to add, probably ACIs prevented us from dereferencing
+         * the attribute */
+        return EOK;
+    }
+
     for (i=0; i < num_maps; i++) {
         if (res[i]->attrs == NULL) continue; /* Nothing in this map */
@@ -1829,7 +1835,7 @@ static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh,
     }
     ret = add_to_deref_reply(state, state->num_maps,
-                             &state->dreply, res);
+                             &state->dreply, res);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "add_to_deref_reply failed.\n");
         goto done; |
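Review bot: After the `*_res = NULL; ret = EOK;` lines in the sdap.c hunk, sdap_parse_deref can succeed while handing back a NULL result, so every caller that dereferences the result on EOK needs a NULL check; the commit only adds one in add_to_deref_reply, and any other caller of sdap_parse_deref (none is visible here) would need the same. That new contract should be stated on the function's declaration rather than left implicit, e.g. `/* Returns EOK with *_res set to NULL when the dereferenced entry carries no readable attributes; callers must handle a NULL result. */`. Lowering the message to SSSDBG_FUNC_DATA also means a server that returns bare DNs for entries the client should not see (the 389DS behaviour the description references) is now accepted quietly, which matches the stated intent but is worth a line in that same comment so the silence is recognisable as deliberate. sdap_parse_deref starts and ends outside the hunk.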
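Review bot: The new guard at the top of add_to_deref_reply explains itself with a guess (`probably ACIs prevented us from dereferencing`), although a NULL `res` is now a defined successful return of sdap_parse_deref; the comment should name that contract so the next reader does not take the guard for defensive noise, e.g. `/* sdap_parse_deref returns EOK with res == NULL when the entry had no readable attributes; nothing to add */`. The remaining hunk in sdap_async.c only re-indents the add_to_deref_reply call. add_to_deref_reply's body continues outside the hunk.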