diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-08 11:49:40 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-08 19:13:26 +0200 |
commit | 2284e50c801a53541016eb9a5af00d1250d36afb (patch) | |
tree | c9b5e0e6e9a914baaedfbf430cb7dce039a392c0 /src/providers/ldap/sdap.c | |
parent | 75c465e1f9e047a981b29634b77b50dc684c4c89 (diff) | |
download | sssd-2284e50c801a53541016eb9a5af00d1250d36afb.tar.gz sssd-2284e50c801a53541016eb9a5af00d1250d36afb.tar.xz sssd-2284e50c801a53541016eb9a5af00d1250d36afb.zip |
LDAP: Skip dereferenced entries that we are not permitted to read
https://fedorahosted.org/sssd/ticket/2421
In case we dereference an entry, for which we have /some/ permissions
for reading, but we only request attributes that we can't access, the
dereference control only returns the DN.
This is also the case with the current version of 389DS for cases where
no entries at all are readable. In this case, the server should not return
the DN at all, though. This DS bug was tracked as
https://fedorahosted.org/389/ticket/47885
Reviewed-by: Michal Židek <mzidek@redhat.com>
Diffstat (limited to 'src/providers/ldap/sdap.c')
-rw-r--r-- | src/providers/ldap/sdap.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c index f2178dd0a..ff50f8b5d 100644 --- a/src/providers/ldap/sdap.c +++ b/src/providers/ldap/sdap.c @@ -580,10 +580,11 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx, "Dereferenced DN: %s\n", orig_dn); if (!dref->attrVals) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Dereferenced entry [%s] has no attributes\n", + DEBUG(SSSDBG_FUNC_DATA, + "Dereferenced entry [%s] has no attributes, skipping\n", orig_dn); - ret = EINVAL; + *_res = NULL; + ret = EOK; goto done; } |