diff options
| author | Sumit Bose <sbose@redhat.com> | 2015-11-18 12:31:26 +0100 |
|---|---|---|
| committer | Tomas Babej <tbabej@redhat.com> | 2015-11-23 14:45:54 +0100 |
| commit | 99cfc979d51213007569b51e48f43c99780148eb (patch) | |
| tree | f2bbe183ac66faa09fbc9358ca9cee116d65e1bb /daemons | |
| parent | 3d6fdab904319e38557080f7dec1d481be8f1469 (diff) | |
| download | freeipa-99cfc979d51213007569b51e48f43c99780148eb.tar.gz freeipa-99cfc979d51213007569b51e48f43c99780148eb.tar.xz freeipa-99cfc979d51213007569b51e48f43c99780148eb.zip | |
ipasam: use more restrictive search filter for group lookup
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.
Related to https://fedorahosted.org/freeipa/ticket/5457
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons')
| -rw-r--r-- | daemons/ipa-sam/ipa_sam.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 2863ede10..27c547cd5 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -3032,9 +3032,11 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state, return ENOMEM; } - filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%lu))", + filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%s)(%s=%lu))", LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_POSIXGROUP, + LDAP_ATTRIBUTE_OBJECTCLASS, + LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_GIDNUMBER, (unsigned long) gid); if (filter == NULL) { |