diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2013-09-25 18:33:11 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-09-27 15:52:13 +0200 |
commit | d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b (patch) | |
tree | 02e9af84a72e6a1f32d1a35b1c567935e3415ce4 /src/providers/ldap/ldap_id.c | |
parent | e2f37d4488c45921e87f07d8a911ac7dd5b94f53 (diff) | |
download | sssd-d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b.tar.gz sssd-d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b.tar.xz sssd-d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b.zip |
LDAP: Require ID numbers when ID mapping is off
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemigly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
Diffstat (limited to 'src/providers/ldap/ldap_id.c')
-rw-r--r-- | src/providers/ldap/ldap_id.c | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index 5fd05ebbd..162d987b6 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -169,9 +169,28 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, goto fail; } - state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", - attr_name, clean_name, - ctx->opts->user_map[SDAP_OC_USER].name); + if (use_id_mapping || filter_type == BE_FILTER_SECID) { + /* When mapping IDs or looking for SIDs, we don't want to limit + * ourselves to users with a UID value. But there must be a SID to map + * from. + */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name); + } else { + /* When not ID-mapping, make sure there is a non-NULL UID */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name); + } + talloc_zfree(clean_name); if (!state->filter) { DEBUG(2, ("Failed to build the base filter\n")); |