authorPavel Reichl <preichl@redhat.com>2015-09-22 04:41:18 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-10-02 12:38:18 +0200
commit6735c0451d4e80d7cd4b480a8c1f7dafb2b536ea (patch)
treee6706891cabc6949159c49cf459a82a1a8f33a79
parentc156a67bbd627f1085668f87093b2a9ed81dd24a (diff)
SDAP: Relax POSIX check
Relax the check on UID or GID so that it only verifies that at least one of them is present, without requiring them to be positive numbers. Also require the objectclass attribute to be the user or group class, to make the check more reliable. Resolves: https://fedorahosted.org/sssd/ticket/2800
-rw-r--r--src/providers/ldap/sdap_async.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 97c9ea5df..b81431f79 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2586,9 +2586,12 @@ sdap_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev,
state->attrs[2] = opts->group_map[SDAP_AT_GROUP_GID].name;
state->attrs[3] = NULL;
- state->filter = talloc_asprintf(state, "(|(%s=*)(%s=*))",
+ state->filter = talloc_asprintf(state,
+ "(|(&(%s=*)(objectclass=%s))(&(%s=*)(objectclass=%s)))",
opts->user_map[SDAP_AT_USER_UID].name,
- opts->group_map[SDAP_AT_GROUP_GID].name);
+ opts->user_map[SDAP_OC_USER].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name,
+ opts->group_map[SDAP_OC_GROUP].name);
if (state->filter == NULL) {
ret = ENOMEM;
goto fail;
@@ -2671,9 +2674,8 @@ static errno_t sdap_posix_check_parse(struct sdap_handle *sh,
errno = 0;
strtouint32(vals[0]->bv_val, &endptr, 10);
if (errno || *endptr || (vals[0]->bv_val == endptr)) {
- DEBUG(SSSDBG_OP_FAILURE,
+ DEBUG(SSSDBG_MINOR_FAILURE,
"POSIX attribute is not a number: %s\n", vals[0]->bv_val);
- goto done;
}
state->has_posix = true;
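Review bot: With `goto done` removed in the second hunk, the result of the `strtouint32` conversion no longer affects control flow — `state->has_posix = true` is reached whether or not the value parses — so the conversion now exists only to emit the diagnostic, and a reader will otherwise assume the fall-through is a missed error path. A one-line comment above the `errno = 0;` line would make the intent explicit, e.g. `/* Presence of the attribute is sufficient; the value is parsed only to log non-numeric data. */`. If no other code in the function consumes the parsed value, consider whether the `endptr`/`errno` handling can be reduced to the presence check alone. The enclosing function `sdap_posix_check_parse` begins before this hunk, and in the first hunk `sdap_posix_check_send` likewise starts outside the shown lines.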