authorPavel Březina <pbrezina@redhat.com>2013-01-07 09:56:18 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-07 21:47:24 +0100
commit023ebc3d7e76978cfe7952480e0d7d88a2e1f690 (patch)
tree46257bcf116e2a17ea93c6e94b745a51d7babfff
parent4869633dc87dadb2b9a114444d375c39703ac863 (diff)
downloadsssd2-023ebc3d7e76978cfe7952480e0d7d88a2e1f690.tar.gz
sssd2-023ebc3d7e76978cfe7952480e0d7d88a2e1f690.tar.xz
sssd2-023ebc3d7e76978cfe7952480e0d7d88a2e1f690.zip
sudo smart refresh: do not include usn in filter if no valid usn is known
https://fedorahosted.org/sssd/ticket/1736 When there are no rules during the first refresh, we don't have a valid USN value. We used 0 in this case, but it turned out that OpenLDAP treats it as an invalid time format (if modifyTimestamp is used instead of USN) and thus returns no records. Now we don't include the USN/modifyTimestamp attribute in the filter if such a situation occurs.
-rw-r--r--src/providers/ldap/sdap_sudo.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 4b0d7570..e1d5a4ab 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -865,11 +865,18 @@ static struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
state->sysdb = id_ctx->be->sysdb;
/* Download all rules from LDAP that are newer than usn */
- usn = srv_opts->max_sudo_value == NULL ? "0" : srv_opts->max_sudo_value;
- ldap_filter = talloc_asprintf(state, "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
- map[SDAP_OC_SUDORULE].name,
- map[SDAP_AT_SUDO_USN].name, usn,
- map[SDAP_AT_SUDO_USN].name, usn);
+ usn = srv_opts->max_sudo_value;
+ if (usn != NULL) {
+ ldap_filter = talloc_asprintf(state,
+ "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+ map[SDAP_OC_SUDORULE].name,
+ map[SDAP_AT_SUDO_USN].name, usn,
+ map[SDAP_AT_SUDO_USN].name, usn);
+ } else {
+ /* no valid USN value known */
+ ldap_filter = talloc_asprintf(state, SDAP_SUDO_FILTER_CLASS,
+ map[SDAP_OC_SUDORULE].name);
+ }
if (ldap_filter == NULL) {
ret = ENOMEM;
goto immediately;