From 7ab0e8ec086d3822f267069bf9a947ac65647870 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 16 Jul 2015 17:07:31 +0300
Subject: [PATCH] slapi-nis: don't search in SSSD when memberUid has no '@'
 separator

In the case there are no groups in the cn=groups map that have a certain
memberUid as a member, we look at the possibility that this user might
be coming from a trusted AD forest. However, all users from trusted
AD forests do have an '@' separator in the name between the user name
and the domain.

In case there is no '@' separator, consider such a search as not valid
for lookups in SSSD.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
---
 src/back-sch-nss.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
index f8177d7..16d4164 100644
--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
@@ -140,9 +140,12 @@ backend_search_filter_has_cn_uid(Slapi_Filter *filter, void *arg)
 					}
 					slapi_ch_free_string(&memberUid);
 				}
+				config->name_set = TRUE;
+				config->search_members = TRUE;
+			} else {
+				/* there is no '@' in the memberUid name, it is not a trusted AD forest's user */
+				config->wrong_search = TRUE;
 			}
-			config->name_set = TRUE;
-			config->search_members = TRUE;
 		} else if ((0 == strcasecmp(filter_type, "objectClass")) &&
 			   (0 == bvstrcasecmp(bval, "posixGroup"))) {
 			config->search_group = TRUE;
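Review bot: In the new else branch, config->wrong_search is set on the shared config from a single memberUid term, while this same callback goes on to handle other terms of the filter (the objectClass / posixGroup branch directly below). If wrong_search invalidates the whole search, a compound filter that pairs a local memberUid with another valid term would be rejected as well; please confirm that this is intended, or restrict the flag to the SSSD lookup path only. The if that this else pairs with is outside the visible context, so the comment should state the actual condition being tested rather than only its conclusion, and it should be wrapped, since it runs well past 80 columns at this indentation. The commit message could also mention that name_set and search_members are now set only for names that contain '@', since that is a behaviour change beyond skipping SSSD.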
-- 
2.4.3