Fix returning groups when gidNumber attribute is not ordered

https://fedorahosted.org/sssd/ticket/951

1 files changed, 4 insertions, 2 deletions

diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
index 6899b87c..2e47722a 100644
--- a/src/providers/ldap/ldap_id_enum.c
+++ b/src/providers/ldap/ldap_id_enum.c
@@ -554,10 +554,11 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
     if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) {
         state->filter = talloc_asprintf(
                 state,
-                "(&(objectclass=%s)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
+                "(&(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0)))(%s>=%s)(!(%s=%s)))",
                 ctx->opts->group_map[SDAP_OC_GROUP].name,
                 ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
                 ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
+                ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
                 ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
                 ctx->srv_opts->max_group_value,
                 ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
@@ -565,9 +566,10 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
     } else {
         state->filter = talloc_asprintf(
                 state,
-                "(&(objectclass=%s)(%s=*)(%s=*))",
+                "(&(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))",
                 ctx->opts->group_map[SDAP_OC_GROUP].name,
                 ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+                ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
                 ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
     }
     if (!state->filter) {