r23733: Limit LDAP lookup in lookup_usergroups_member() to security groups.

Credits to Ralf Haferkamp for the discussion and help on this.
author: Lars Müller <lmuelle@samba.org> 2007-07-06 18:49:49 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 12:23:50 -0500
commit: 5be96d09a7c457b1763d7ad482b5a5a92c02d157 (patch)
tree: b6df1f12301f75efc510b1aecd755a3ab351e092 /source/nsswitch
parent: 4c04059f7dfa0096c9f3249b55269f7335137f48 (diff)
download: samba-5be96d09a7c457b1763d7ad482b5a5a92c02d157.tar.gz
samba-5be96d09a7c457b1763d7ad482b5a5a92c02d157.tar.xz
samba-5be96d09a7c457b1763d7ad482b5a5a92c02d157.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/source/nsswitch/winbindd_ads.c b/source/nsswitch/winbindd_ads.c
index 09289912f99..b6aa95c51ea 100644
--- a/source/nsswitch/winbindd_ads.c
+++ b/source/nsswitch/winbindd_ads.c
@@ -570,7 +570,12 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
 		goto done;
 	}
 
-	if (!(ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectCategory=group))", escaped_dn))) {
+	ldap_exp = talloc_asprintf(mem_ctx,
+		"(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
+		escaped_dn,
+		ADS_LDAP_MATCHING_RULE_BIT_AND,
+		GROUP_TYPE_SECURITY_ENABLED);
+	if (!ldap_exp) {
 		DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
 		SAFE_FREE(escaped_dn);
 		status = NT_STATUS_NO_MEMORY;
author	Lars Müller <lmuelle@samba.org>	2007-07-06 18:49:49 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 12:23:50 -0500
commit	5be96d09a7c457b1763d7ad482b5a5a92c02d157 (patch)
tree	b6df1f12301f75efc510b1aecd755a3ab351e092 /source/nsswitch
parent	4c04059f7dfa0096c9f3249b55269f7335137f48 (diff)
download	samba-5be96d09a7c457b1763d7ad482b5a5a92c02d157.tar.gz samba-5be96d09a7c457b1763d7ad482b5a5a92c02d157.tar.xz samba-5be96d09a7c457b1763d7ad482b5a5a92c02d157.zip