From 65953c3a20f497c318919c18198da9c57fd7b5be Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Wed, 25 Aug 2021 17:10:29 +0200

Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ

If a client sends a request to lookup an object from a given trusted

domain by UID or GID and an object with matching ID is only found in a

different domain the extdom should return LDAP_NO_SUCH_OBJECT to

indicate to the client that the requested ID does not exists in the

given domain.

Resolves: https://pagure.io/freeipa/issue/8965

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 .../ipa-extdom-extop/ipa_extdom_common.c                  | 8 ++++++--

 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c

index 1e96c495ab1b893d963bcf0efde91d46adfd91ba..7c61099ccf2f67a5ea404c4c5e9747104a44a601 100644

--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c

+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c

@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,

         if (strcasecmp(locat+1, domain_name) == 0  ) {

             locat[0] = '\0';

         } else {

-            ret = LDAP_INVALID_SYNTAX;

+            /* The found object is from a different domain than requested,

+             * that means it does not exist in the requested domain */

+            ret = LDAP_NO_SUCH_OBJECT;

             goto done;

         }

     }

@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,

         if (strcasecmp(locat+1, domain_name) == 0  ) {

             locat[0] = '\0';

         } else {

-            ret = LDAP_INVALID_SYNTAX;

+            /* The found object is from a different domain than requested,

+             * that means it does not exist in the requested domain */

+            ret = LDAP_NO_SUCH_OBJECT;

             goto done;

         }

     }

-- 

2.31.1