author | Jakub Hrozek <jhrozek@redhat.com> | 2015-07-21 21:00:27 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-09-22 13:45:50 +0200 |
commit | 67625b1b4f856510bf4e169649b3fb30c2c14152 (patch) | |
tree | fcac177c3527fffe493beb424195c0cccaafeef9 /src/providers | |
parent | 2ddacb7212cbc9a250c253330eec87f67e139eb4 (diff) | |
download | sssd-67625b1b4f856510bf4e169649b3fb30c2c14152.tar.gz sssd-67625b1b4f856510bf4e169649b3fb30c2c14152.tar.xz sssd-67625b1b4f856510bf4e169649b3fb30c2c14152.zip |
LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains
https://fedorahosted.org/sssd/ticket/2723
In case there are overlapping sdap domains, a search for a single user
might match and return multiple entries. For instance, with AD domains
represented by search bases:
DC=win,DC=trust,DC=test
DC=child,DC=win,DC=trust,DC=test
A search for a user from win.trust.test would be based at:
DC=win,DC=trust,DC=test
but would match both search bases and return both users.
Instead of performing complex filtering, just save both users. The
responder would select the entry that matches the user's search.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ldap/sdap_async_groups.c | 10 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_users.c | 3 |
2 files changed, 0 insertions, 13 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 525c6fa09..57a53af3f 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1874,8 +1874,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
     switch (state->lookup_type) {
     case SDAP_LOOKUP_SINGLE:
-        sizelimit = 1;
-        need_paging = false;
         break;
         /* Only requests that can return multiple entries should require
          * the paging control
@@ -1885,7 +1883,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
         need_paging = true;
         break;
     case SDAP_LOOKUP_ENUMERATE:
-        sizelimit = 0; /* unlimited */
         need_paging = true;
         break;
     }
@@ -1934,13 +1931,6 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
     DEBUG(SSSDBG_TRACE_FUNC,
           "Search for groups, returned %zu results.\n", count);
 
-    if (state->lookup_type == SDAP_LOOKUP_SINGLE && count > 1) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              "Individual group search returned multiple results\n");
-        tevent_req_error(req, EINVAL);
-        return;
-    }
-
     if (state->lookup_type == SDAP_LOOKUP_WILDCARD || \
         state->lookup_type == SDAP_LOOKUP_ENUMERATE || \
         count == 0) {
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index a864a8b21..e38f4cd16 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -692,8 +692,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
     switch (state->lookup_type) {
     case SDAP_LOOKUP_SINGLE:
-        sizelimit = 1;
-        need_paging = false;
         break;
         /* Only requests that can return multiple entries should require
          * the paging control
@@ -703,7 +701,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
         need_paging = true;
         break;
     case SDAP_LOOKUP_ENUMERATE:
-        sizelimit = 0; /* unlimited */
         need_paging = true;
         break;
     }
|
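Review bot: The `case SDAP_LOOKUP_SINGLE:` arm in sdap_get_groups_next_base is now an empty `break;`, so `sizelimit` and `need_paging` for single lookups depend entirely on the values assigned before the switch, which lie outside this hunk; the same applies to the matching hunk in sdap_search_user_next_base and to the `SDAP_LOOKUP_ENUMERATE` arms that lost `sizelimit = 0;`. A one-line comment in the empty arm would keep the next reader from re-adding the limit, e.g. `/* No limit: overlapping search bases may legitimately return several entries (ticket 2723); the responder picks the right one. */`. In the sdap_get_groups_process hunk the removed `count > 1` error turns an ambiguous single-group result into a silent success, so a trace such as `if (state->lookup_type == SDAP_LOOKUP_SINGLE && count > 1) { DEBUG(SSSDBG_TRACE_FUNC, "Single group search returned %zu entries\n", count); }` would let operators spot overlapping-domain ambiguity in logs. The users file shows no equivalent check being removed, so presumably sdap_search_user_process never had one; worth confirming that both paths now behave the same way. All enclosing functions start and end outside the hunks shown.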