authorJakub Hrozek <jhrozek@redhat.com>2011-07-15 18:01:50 +0200
committerStephen Gallagher <sgallagh@redhat.com>2011-07-27 16:40:01 -0400
commit804dc66b3a646938167ddeb34b011f3f3b6dfebc (patch)
tree03a1b92419a89609819659cdbdc528c07a0ae440
parent8ab71d67fc4702be9390c38c4b0c68b4b184c594 (diff)
Explicitly ignore groups with gidNumber=0
https://fedorahosted.org/sssd/ticket/916
-rw-r--r--src/providers/ldap/ldap_id.c2
-rw-r--r--src/providers/ldap/sdap_async_accounts.c27
2 files changed, 18 insertions, 11 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index a3c9c0cd4..85d4aa0e5 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -346,7 +346,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
goto fail;
}
- base_filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ base_filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s>=1))",
attr_name, clean_name,
ctx->opts->group_map[SDAP_OC_GROUP].name,
ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
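Review bot: The `(%s>=1)` clause in the new filter only works if the directory server supports ordering matches on the GID attribute. RFC 2307 declares gidNumber with an equality rule only, so a server following that schema strictly may evaluate `>=` as undefined and return no groups at all. An equality-only form such as `(&(%s=*)(!(%s=0)))` excludes gidNumber=0 without that dependency, at the cost of passing the GID attribute name once more to talloc_asprintf. The same filter is built in the sdap_initgr_rfc2307_send hunk of sdap_async_accounts.c, and the argument list of this call continues past the end of the hunk.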
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
index e6b1dd88f..581abc609 100644
--- a/src/providers/ldap/sdap_async_accounts.c
+++ b/src/providers/ldap/sdap_async_accounts.c
@@ -758,7 +758,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
}
/* check that the gid is valid for this domain */
- if (posix_group || gid != 0) {
+ if (posix_group) {
if (OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
DEBUG(2, ("Group [%s] filtered out! (id out of range)\n",
name));
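Review bot: With `gid != 0` dropped, the range check in sdap_save_group runs only when `posix_group` is true. A group that arrives here flagged non-POSIX but still carrying a non-zero GID is therefore no longer compared against `dom->id_min`/`dom->id_max`. Whether that combination can occur depends on how `posix_group` and `gid` are set earlier in the function, which is outside this hunk. If the invariant is that non-POSIX groups always have GID 0, state it at the check, e.g. `/* non-POSIX groups always carry gid 0 here, so only POSIX groups are range-checked */`, or reset `gid = 0` when `posix_group` is false before the group is saved.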
@@ -2170,7 +2170,10 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
ret = sysdb_attrs_get_uint32_t(ldap_groups[ai],
SYSDB_GIDNUM,
&gid);
- if (ret == ENOENT) {
+ if (ret == ENOENT || (ret == EOK && gid == 0)) {
+ DEBUG(9, ("The group %s gid was %s\n",
+ name, ret == ENOENT ? "missing" : "zero"));
+ DEBUG(8, ("Marking group %s as non-posix and setting GID=0!\n", name));
gid = 0;
posix = false;
} else if (ret) {
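Review bot: An entry that publishes gidNumber=0 is reported only at debug levels 9 and 8 in sdap_add_incomplete_groups, while the other messages visible in this commit use levels 1 and 2 for conditions an administrator should notice. A directory advertising the root GID for a group is worth surfacing, so the zero case could log at the level of the "filtered out" message, e.g. `DEBUG(2, ("Group [%s] has gidNumber=0, treating it as non-posix\n", name));`, leaving the missing-attribute case at the verbose level. The matching messages in the sdap_nested_group_process_send hunk also omit the group name, so the log alone cannot identify the entry there. Both functions extend beyond their hunks, so whether a name is in scope in the second one is not visible here.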
@@ -2354,7 +2357,7 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
return NULL;
}
- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s>=1))",
opts->group_map[SDAP_AT_GROUP_MEMBER].name,
clean_name,
opts->group_map[SDAP_OC_GROUP].name,
@@ -3451,14 +3454,18 @@ static struct tevent_req *sdap_nested_group_process_send(
ret = sysdb_attrs_get_uint32_t(group,
opts->group_map[SDAP_AT_GROUP_GID].name,
&gid);
- if (ret == ENOENT) {
+ if (ret == ENOENT || (ret == EOK && gid == 0)) {
+ DEBUG(9, ("The group's gid was %s\n", ret == ENOENT ? "missing" : "zero"));
DEBUG(8, ("Marking group as non-posix and setting GID=0!\n"));
- ret = sysdb_attrs_add_uint32(group,
- opts->group_map[SDAP_AT_GROUP_GID].name,
- 0);
- if (ret != EOK) {
- DEBUG(1, ("Failed to add a GID to non-posix group!\n"));
- goto immediate;
+
+ if (ret == ENOENT) {
+ ret = sysdb_attrs_add_uint32(group,
+ opts->group_map[SDAP_AT_GROUP_GID].name,
+ 0);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to add a GID to non-posix group!\n"));
+ goto immediate;
+ }
}
ret = sysdb_attrs_add_bool(group, SYSDB_POSIX, false);