From 7ab0e8ec086d3822f267069bf9a947ac65647870 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 16 Jul 2015 17:07:31 +0300
Subject: [PATCH] slapi-nis: don't search in SSSD when memberUid has no '@'
separator
In the case there are no groups in the cn=groups map that have a certain
memberUid as a member, we look at the possibility that this user might
be coming from a trusted AD forest. However, all users from trusted
AD forests do have an '@' separator in the name between the user name
and the domain.
In case there is no '@' separator, consider such search as not valid
for lookups in SSSD.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
---
src/back-sch-nss.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
index f8177d7..16d4164 100644
--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
@@ -140,9 +140,12 @@ backend_search_filter_has_cn_uid(Slapi_Filter *filter, void *arg)
}
slapi_ch_free_string(&memberUid);
}
+ config->name_set = TRUE;
+ config->search_members = TRUE;
+ } else {
+ /* there is no '@' in the memberUid name, it is not a trusted AD forest's user */
+ config->wrong_search = TRUE;
}
- config->name_set = TRUE;
- config->search_members = TRUE;
} else if ((0 == strcasecmp(filter_type, "objectClass")) &&
(0 == bvstrcasecmp(bval, "posixGroup"))) {
config->search_group = TRUE;
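Review bot: `config->wrong_search = TRUE;` in the new else branch is raised for a single memberUid term and nothing in the hunk clears it, so if this callback runs once per node of a compound filter (its signature suggests so, but the caller is not visible), one '@'-less value would mark the whole search as wrong even when another term names a fully qualified user. If that is intended, state it in the comment, e.g. `/* no '@' in memberUid: not a trusted AD user, so the whole filter is skipped for SSSD lookups */`; otherwise leave `name_set` and `search_members` unset for this term without raising the flag. The '@' test itself and the start and end of backend_search_filter_has_cn_uid are outside the hunk, so it cannot be confirmed here whether client-supplied values such as a bare `@` or an empty domain part are also kept away from the SSSD lookup.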
--
2.4.3