From 2efc26d6e54b68a079e8f11fa24d04867d432476 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Mon, 23 Jun 2014 18:10:25 +0200 Subject: LDAP: Fix retrieving a group with no members sysdb_attrs_get_el() cannot return ENOENT. Even if the requested member doesn't exist, an empty element is created instead. This patch changes the code to use sysdb_attrs_get_el_ext() which returns ENOENT. The code only ever worked because we forgot to check the return value of sdap_nested_group_split_members(). When the empty attribute reached sdap_nested_group_split_members(), the function returned ENOMEM and count == 0. The caller used to only check the value of count, not the retval. Reviewed-by: Pavel Reichl
---
 src/providers/ldap/sdap_async_nested_groups.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'src/providers/ldap')
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index bc3250248..c521e0874 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -865,8 +865,8 @@ sdap_nested_group_process_send(TALLOC_CTX *mem_ctx,
 DEBUG(SSSDBG_TRACE_INTERNAL, "About to process group [%s]\n", orig_dn);
 /* get member list */
- ret = sysdb_attrs_get_el(group, group_map[SDAP_AT_GROUP_MEMBER].sys_name,
- &members);
+ ret = sysdb_attrs_get_el_ext(group, group_map[SDAP_AT_GROUP_MEMBER].sys_name,
+ false, &members);
 if (ret == ENOENT) {
 ret = EOK; /* no members */
 goto immediately;
@@ -882,6 +882,11 @@ sdap_nested_group_process_send(TALLOC_CTX *mem_ctx,
 &state->missing, &state->num_missing_total, &state->num_missing_groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to split member list "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
 DEBUG(SSSDBG_TRACE_INTERNAL, "Looking up %d/%d members of group [%s]\n", state->num_missing_total, members->num_values, orig_dn);
-- cgit
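Review bot: Only a missing attribute is treated as "no members" at the `ret == ENOENT` check; a member element that is present but holds zero values would still be passed on to sdap_nested_group_split_members(). The commit description says that function returned ENOMEM for an empty element, and the second hunk now makes that return value fatal, so such a group would fail to resolve instead of coming back empty. Whether a zero-value element can reach this point is not determinable from the hunk; if it can, consider `if (ret == ENOENT || (ret == EOK && members->num_values == 0)) {`. The bare `false` (presumably the allocate flag) would also read better with a short comment such as `/* do not create an empty element; a missing attribute yields ENOENT */`. The function body starts and continues outside the hunk.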
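Review bot: The new critical-level message in the `ret != EOK` branch does not say which group failed, which makes the failure hard to trace when many groups are processed. `orig_dn` is in scope (the DEBUG right after the added block prints it), so the message could be `"Unable to split member list of group [%s] [%d]: %s\n", orig_dn, ret, sss_strerror(ret)`. The call to sdap_nested_group_split_members() begins above the hunk and the `immediately` label lies outside it, so how `ret` is reported to the request cannot be confirmed from here.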