
Blame SOURCES/0083-LDAP-imposing-sizelimit-1-for-single-entry-searches-.patch

6cf099
From 075a5e689eb6983f412724b0324cec59726ae6e9 Mon Sep 17 00:00:00 2001
6cf099
From: Jakub Hrozek <jhrozek@redhat.com>
6cf099
Date: Tue, 21 Jul 2015 21:00:27 +0200
6cf099
Subject: [PATCH 83/86] LDAP: imposing sizelimit=1 for single-entry searches
6cf099
 breaks overlapping domains
6cf099
MIME-Version: 1.0
6cf099
Content-Type: text/plain; charset=UTF-8
6cf099
Content-Transfer-Encoding: 8bit
6cf099
6cf099
https://fedorahosted.org/sssd/ticket/2723
6cf099
6cf099
In case there are overlapping sdap domains, a search for a single user
6cf099
might match and return multiple entries. For instance, with AD domains
6cf099
represented by search bases:
6cf099
    DC=win,DC=trust,DC=test
6cf099
    DC=child,DC=win,DC=trust,DC=test
6cf099
6cf099
A search for user from win.trust.test would be based at:
6cf099
    DC=win,DC=trust,DC=test
6cf099
but would match both search bases and return both users.
6cf099
6cf099
Instead of performing complex filtering, just save both users. The
6cf099
responder would select the entry that matches the user's search.
6cf099
6cf099
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
6cf099
(cherry picked from commit 67625b1b4f856510bf4e169649b3fb30c2c14152)
6cf099
---
6cf099
 src/providers/ldap/sdap_async_groups.c | 10 ----------
6cf099
 src/providers/ldap/sdap_async_users.c  |  3 ---
6cf099
 2 files changed, 13 deletions(-)
6cf099
6cf099
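diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 525c6fa09553d8c0232ce2317751184f83632d86..57a53af3f4eb46e6f31af9ee7c4d4625239d2a54 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1874,8 +1874,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
 
     switch (state->lookup_type) {
     case SDAP_LOOKUP_SINGLE:
-        sizelimit = 1;
-        need_paging = false;
         break;
     /* Only requests that can return multiple entries should require
      * the paging control
@@ -1885,7 +1883,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
         need_paging = true;
         break;
     case SDAP_LOOKUP_ENUMERATE:
-        sizelimit = 0;  /* unlimited */
         need_paging = true;
         break;
     }
@@ -1934,13 +1931,6 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
     DEBUG(SSSDBG_TRACE_FUNC,
           "Search for groups, returned %zu results.\n", count);
 
-    if (state->lookup_type == SDAP_LOOKUP_SINGLE && count > 1) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              "Individual group search returned multiple results\n");
-        tevent_req_error(req, EINVAL);
-        return;
-    }
-
     if (state->lookup_type == SDAP_LOOKUP_WILDCARD || \
             state->lookup_type == SDAP_LOOKUP_ENUMERATE || \
         count == 0) {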
6cf099
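diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index a864a8b2187de7972aa963b355856e97f7c692a9..e38f4cd1610e62aa2cf9f4add3a5f7ad5290e748 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -692,8 +692,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
 
     switch (state->lookup_type) {
     case SDAP_LOOKUP_SINGLE:
-        sizelimit = 1;
-        need_paging = false;
         break;
     /* Only requests that can return multiple entries should require
      * the paging control
@@ -703,7 +701,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
         need_paging = true;
         break;
     case SDAP_LOOKUP_ENUMERATE:
-        sizelimit = 0;  /* unlimited */
         need_paging = true;
         break;
     }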
6cf099
-- 
6cf099
2.4.3
6cf099