Use the alternative objectclass in group maps.

Use the alternative group objectclass in queries.

Fixes:
https://fedorahosted.org/sssd/ticket/2436

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7ba70236daccb48432350147d0560b3302518cee)
(cherry picked from commit 9e99c000a4e2647328e71b4db272b4b73a7189c5)

1 files changed, 9 insertions, 2 deletions

diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index 3dc2a9fd3..065eb1218 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -1688,6 +1688,7 @@ sdap_nested_group_lookup_group_send(TALLOC_CTX *mem_ctx,
      const char **attrs = NULL;
      const char *base_filter = NULL;
      const char *filter = NULL;
+     char *oc_list;
      errno_t ret;
 
      req = tevent_req_create(mem_ctx, &state,
@@ -1704,8 +1705,14 @@ sdap_nested_group_lookup_group_send(TALLOC_CTX *mem_ctx,
      }
 
      /* create filter */
-     base_filter = talloc_asprintf(attrs, "(&(objectclass=%s)(%s=*))",
-                                   map[SDAP_OC_GROUP].name,
+     oc_list = sdap_make_oc_list(state, map);
+     if (oc_list == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n");
+        ret = ENOMEM;
+        goto immediately;
+     }
+
+     base_filter = talloc_asprintf(attrs, "(&(%s)(%s=*))", oc_list,
                                    map[SDAP_AT_GROUP_NAME].name);
      if (base_filter == NULL) {
          ret = ENOMEM;