|
 |
e630a8 |
From 7ab0e8ec086d3822f267069bf9a947ac65647870 Mon Sep 17 00:00:00 2001
|
|
|
e630a8 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
e630a8 |
Date: Thu, 16 Jul 2015 17:07:31 +0300
|
|
|
e630a8 |
Subject: [PATCH] slapi-nis: don't search in SSSD when memberUid has no '@'
|
|
|
e630a8 |
separator
|
|
|
e630a8 |
|
|
|
e630a8 |
In the case there are no groups in cn=groups map that have certain
|
|
|
e630a8 |
memberUid as a member, we look at possibility that this user might
|
|
|
e630a8 |
be coming from a trusted AD forest. However, all users from trusted
|
|
|
e630a8 |
AD forests do have '@' separator in the name between the user name
|
|
|
e630a8 |
and the domain.
|
|
|
e630a8 |
|
|
|
e630a8 |
In case there is no '@' separator, consider such search as not valid
|
|
|
e630a8 |
for lookups in SSSD.
|
|
|
e630a8 |
|
|
|
e630a8 |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
|
|
|
e630a8 |
---
|
|
|
e630a8 |
src/back-sch-nss.c | 7 +++++--
|
|
|
e630a8 |
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
e630a8 |
|
|
|
e630a8 |
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
|
|
|
e630a8 |
index f8177d7..16d4164 100644
|
|
|
e630a8 |
--- a/src/back-sch-nss.c
|
|
|
e630a8 |
+++ b/src/back-sch-nss.c
|
|
|
e630a8 |
@@ -140,9 +140,12 @@ backend_search_filter_has_cn_uid(Slapi_Filter *filter, void *arg)
|
|
|
e630a8 |
}
|
|
|
e630a8 |
slapi_ch_free_string(&memberUid);
|
|
|
e630a8 |
}
|
|
|
e630a8 |
+ config->name_set = TRUE;
|
|
|
e630a8 |
+ config->search_members = TRUE;
|
|
|
e630a8 |
+ } else {
|
|
|
e630a8 |
+ /* there is no '@' in the memberUid name, it is not a trusted AD forest's user */
|
|
|
e630a8 |
+ config->wrong_search = TRUE;
|
|
|
e630a8 |
}
|
|
|
e630a8 |
- config->name_set = TRUE;
|
|
|
e630a8 |
- config->search_members = TRUE;
|
|
|
e630a8 |
} else if ((0 == strcasecmp(filter_type, "objectClass")) &&
|
|
|
e630a8 |
(0 == bvstrcasecmp(bval, "posixGroup"))) {
|
|
|
e630a8 |
config->search_group = TRUE;
|
|
|
e630a8 |
--
|
|
|
e630a8 |
2.4.3
|
|
|
e630a8 |
|