From 99cfc979d51213007569b51e48f43c99780148eb Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 18 Nov 2015 12:31:26 +0100
Subject: ipasam: use more restrictive search filter for group lookup

Since we are interested in looking up the SID of a group it makes sense to include the objectclass which contains the SID attribute in the search filter. This makes sure the group is not accidentally found a second time in the compat tree.

Related to https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy
---
 daemons/ipa-sam/ipa_sam.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 2863ede10..27c547cd5 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -3032,9 +3032,11 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state,
 return ENOMEM;
 }
- filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%lu))",
+ filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%s)(%s=%lu))",
 LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_POSIXGROUP,
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_GROUPMAP,
 LDAP_ATTRIBUTE_GIDNUMBER, (unsigned long) gid);
 if (filter == NULL) {
-- 
cgit
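Review bot: The reason for the second objectClass term in the talloc_asprintf filter is stated only in the commit message, so a reader of ipasam_get_sid_by_gid will not know why LDAP_OBJ_GROUPMAP must be present; a comment above the call such as `/* Also require the objectclass that carries the SID so a compat-tree copy of the group is not matched a second time */` keeps that rationale with the code. The two added arguments also depart from the layout of the existing `LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_POSIXGROUP,` line, which pairs attribute and value on one line; writing them as `LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_GROUPMAP,` makes the three `%s` pairs in the format string easy to match against their arguments. The hunk's count of nine old lines suggests trailing context lines were lost in this rendering, and ipasam_get_sid_by_gid starts before the hunk and continues after it.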