author | Pavel Březina <pbrezina@redhat.com> | 2013-01-07 09:56:18 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-01-07 21:47:24 +0100 |
commit | 023ebc3d7e76978cfe7952480e0d7d88a2e1f690 (patch) | |
tree | 46257bcf116e2a17ea93c6e94b745a51d7babfff /src/providers | |
parent | 4869633dc87dadb2b9a114444d375c39703ac863 (diff) | |
sudo smart refresh: do not include usn in filter if no valid usn is known
https://fedorahosted.org/sssd/ticket/1736
When there are no rules during first refresh, we don't have valid
USN value. We use 0 in this case, but it turned out that OpenLDAP
takes it as invalid time format (if modifyTimestamp is used instead
of USN) and thus returns no records.
Now the USN/modifyTimestamp attribute is not included in the filter
when this situation occurs.
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ldap/sdap_sudo.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 4b0d75700..e1d5a4ab7 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -865,11 +865,18 @@ static struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
     state->sysdb = id_ctx->be->sysdb;
 
     /* Download all rules from LDAP that are newer than usn */
-    usn = srv_opts->max_sudo_value == NULL ? "0" : srv_opts->max_sudo_value;
-    ldap_filter = talloc_asprintf(state, "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
-                                  map[SDAP_OC_SUDORULE].name,
-                                  map[SDAP_AT_SUDO_USN].name, usn,
-                                  map[SDAP_AT_SUDO_USN].name, usn);
+    usn = srv_opts->max_sudo_value;
+    if (usn != NULL) {
+        ldap_filter = talloc_asprintf(state,
+                                      "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+                                      map[SDAP_OC_SUDORULE].name,
+                                      map[SDAP_AT_SUDO_USN].name, usn,
+                                      map[SDAP_AT_SUDO_USN].name, usn);
+    } else {
+        /* no valid USN value known */
+        ldap_filter = talloc_asprintf(state, SDAP_SUDO_FILTER_CLASS,
+                                      map[SDAP_OC_SUDORULE].name);
+    }
     if (ldap_filter == NULL) {
         ret = ENOMEM;
         goto immediately;
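Review bot: In the `usn != NULL` branch, `usn` is still spliced into the LDAP filter through two `%s` conversions with no filter-metacharacter escaping; `srv_opts->max_sudo_value` appears to be a value previously read back from the directory (a USN or modifyTimestamp), so a value containing `*`, `(`, `)` or `\` would yield a malformed or over-broad filter, and if the project has a filter-sanitizing helper it belongs on `usn` before the `talloc_asprintf` (this is the sanitized-copy pattern, not a change to the filter template). The context comment `/* Download all rules from LDAP that are newer than usn */` is now only half true, since the new `else` branch performs a full download; I would extend it, e.g. `/* Download all rules newer than usn; fall back to a full download when no valid USN is known */`, and expand the `else` comment to `/* no valid USN value known (e.g. first refresh found no rules): a "0" placeholder is rejected by OpenLDAP as an invalid timestamp, so omit the attribute */` so the reason survives in the code and not only in the commit message. The body of sdap_sudo_smart_refresh_send starts before and continues after this hunk.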