LDAP: Add a new error code for malformed access control filter

https://fedorahosted.org/sssd/ticket/2164

The patch adds a new error code and special cases the new code so that
access is denied and a nicer log message is shown.

1 files changed, 7 insertions, 1 deletions

diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 91a180764..e361cc33e 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -854,9 +854,15 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
             }
         } else if (dp_error == DP_ERR_OFFLINE) {
             ret = sdap_access_filter_decide_offline(req);
+        } else if (ret == ERR_INVALID_FILTER) {
+            sss_log(SSS_LOG_ERR,
+                    "Malformed access control filter [%s]\n", state->filter);
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                ("Malformed access control filter [%s]\n", state->filter));
+            ret = ERR_ACCESS_DENIED;
         } else {
             DEBUG(1, ("sdap_get_generic_send() returned error [%d][%s]\n",
-                      ret, strerror(ret)));
+                      ret, sss_strerror(ret)));
         }
 
         goto done;