From 6735c0451d4e80d7cd4b480a8c1f7dafb2b536ea Mon Sep 17 00:00:00 2001
From: Pavel Reichl
Date: Tue, 22 Sep 2015 04:41:18 -0400
Subject: SDAP: Relax POSIX check

Relax the check on UID or GID just to check if at least one of them is present but do not require them to be positive numbers. Add requirement on objectclass attributes to be user or group to make check more reliable.
Resolves: https://fedorahosted.org/sssd/ticket/2800
---
 src/providers/ldap/sdap_async.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 97c9ea5d..b81431f7 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2586,9 +2586,12 @@ sdap_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev,
 state->attrs[2] = opts->group_map[SDAP_AT_GROUP_GID].name;
 state->attrs[3] = NULL;
- state->filter = talloc_asprintf(state, "(|(%s=*)(%s=*))",
+ state->filter = talloc_asprintf(state,
+ "(|(&(%s=*)(objectclass=%s))(&(%s=*)(objectclass=%s)))",
 opts->user_map[SDAP_AT_USER_UID].name,
- opts->group_map[SDAP_AT_GROUP_GID].name);
+ opts->user_map[SDAP_OC_USER].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name,
+ opts->group_map[SDAP_OC_GROUP].name);
 if (state->filter == NULL) {
 ret = ENOMEM;
 goto fail;
@@ -2671,9 +2674,8 @@ static errno_t sdap_posix_check_parse(struct sdap_handle *sh,
 errno = 0;
 strtouint32(vals[0]->bv_val, &endptr, 10);
 if (errno || *endptr || (vals[0]->bv_val == endptr)) {
- DEBUG(SSSDBG_OP_FAILURE,
+ DEBUG(SSSDBG_MINOR_FAILURE,
 "POSIX attribute is not a number: %s\n", vals[0]->bv_val);
- goto done;
 }
 state->has_posix = true;
-- cgit
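Review bot: The four names in the new `talloc_asprintf` filter are formatted in with `%s` exactly as stored, with no escaping and no NULL check before the call. They come from `opts->user_map` and `opts->group_map`, which appear to hold configured attribute and objectclass names rather than directory data, so the exposure is probably limited to misconfiguration. Even so, a name containing `(`, `)` or `*` would silently change what the POSIX check matches, so validating the names where the maps are loaded would be the safer place to catch it. The filter is also dense enough to deserve a comment above the call, for example `/* users that carry a UID attribute, or groups that carry a GID attribute */`. The body of `sdap_posix_check_send` starts and ends outside this hunk.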
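Review bot: With `goto done` removed, the `strtouint32` call in this block no longer influences the outcome: its result is discarded and a failed conversion only emits the debug message before control reaches `state->has_posix = true;`. A comment above the conversion should say this is deliberate, for example `/* A non-numeric value is only logged; presence of the attribute is enough */`, otherwise the missing jump reads like a dropped error path. The message still prints `vals[0]->bv_val`, a server-supplied value, with `%s`. That line is unchanged by the commit, but it now runs on a path that continues as success, so it is worth confirming the value is NUL-terminated and acceptable to write to the log verbatim. The body of `sdap_posix_check_parse` extends beyond the hunk on both sides.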