authorPavel Reichl <preichl@redhat.com>2015-09-22 04:41:18 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-10-05 11:09:58 +0200
commita73c89f8672a12878a8668bc321e6742bc45b924 (patch)
tree3f6491fcca0afa8c7ff41fa804cf677a5a7ab599
parentd6073c978b0aac897aee648670fa6b69503ae676 (diff)
SDAP: Relax POSIX check
Relax the check on UID or GID just to check if at least one of them is present but do not require them to be positive numbers. Add requirement on objectclass attributes to be user or group to make check more reliable. Resolves: https://fedorahosted.org/sssd/ticket/2800 (cherry picked from commit 6735c0451d4e80d7cd4b480a8c1f7dafb2b536ea) Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit cc04876ec64b338f61ca275386f70baf91ce700f)
-rw-r--r--src/providers/ldap/sdap_async.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index c30a4578e..006aa49e4 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2373,9 +2373,12 @@ sdap_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev,
state->attrs[2] = opts->group_map[SDAP_AT_GROUP_GID].name;
state->attrs[3] = NULL;
- state->filter = talloc_asprintf(state, "(|(%s=*)(%s=*))",
+ state->filter = talloc_asprintf(state,
+ "(|(&(%s=*)(objectclass=%s))(&(%s=*)(objectclass=%s)))",
opts->user_map[SDAP_AT_USER_UID].name,
- opts->group_map[SDAP_AT_GROUP_GID].name);
+ opts->user_map[SDAP_OC_USER].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name,
+ opts->group_map[SDAP_OC_GROUP].name);
if (state->filter == NULL) {
ret = ENOMEM;
goto fail;
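Review bot: The new filter passes four attribute-map `.name` values straight into `%s`, and nothing in the hunk guards against any of them being NULL; if `SDAP_OC_USER` or `SDAP_OC_GROUP` can ever be unset in a map (I cannot tell from these lines), the `talloc_asprintf` call is undefined behaviour rather than a clean ENOMEM-style failure, so an explicit `if (opts->user_map[SDAP_OC_USER].name == NULL || opts->group_map[SDAP_OC_GROUP].name == NULL) { ret = EINVAL; goto fail; }` before it would make the contract visible. All four values come from the provider's configured attribute maps, not from directory data or a caller-supplied string, so the unescaped `%s` substitution into the LDAP filter is not an injection surface here; that is worth stating so a later reader does not mistake it for one. The reason for the added objectclass conjuncts lives only in the commit message; a one-line comment above the call such as `/* Require a user or group objectclass so unrelated entries that happen to carry a uidNumber/gidNumber attribute do not count as POSIX. */` would keep it with the code. sdap_posix_check_send begins before this hunk and continues after it.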
@@ -2458,9 +2461,8 @@ static errno_t sdap_posix_check_parse(struct sdap_handle *sh,
errno = 0;
strtouint32(vals[0]->bv_val, &endptr, 10);
if (errno || *endptr || (vals[0]->bv_val == endptr)) {
- DEBUG(SSSDBG_OP_FAILURE,
+ DEBUG(SSSDBG_MINOR_FAILURE,
"POSIX attribute is not a number: %s\n", vals[0]->bv_val);
- goto done;
}
state->has_posix = true;