From 7ab0e8ec086d3822f267069bf9a947ac65647870 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 16 Jul 2015 17:07:31 +0300
Subject: [PATCH] slapi-nis: don't search in SSSD when memberUid has no '@' separator

In the case there are no groups in cn=groups map that have certain memberUid as a member, we look at possibility that this user might be coming from a trusted AD forest. However, all users from trusted AD forests do have '@' separator in the name between the user name and the domain. In case there is no '@' separator, consider such search as not valid for lookups in SSSD.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
---
 src/back-sch-nss.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
index f8177d7..16d4164 100644
--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
@@ -140,9 +140,12 @@ backend_search_filter_has_cn_uid(Slapi_Filter *filter, void *arg)
 }
 slapi_ch_free_string(&memberUid);
 }
+ config->name_set = TRUE;
+ config->search_members = TRUE;
+ } else {
+ /* there is no '@' in the memberUid name, it is not a trusted AD forest's user */
+ config->wrong_search = TRUE;
 }
- config->name_set = TRUE;
- config->search_members = TRUE;
 } else if ((0 == strcasecmp(filter_type, "objectClass")) &&
 (0 == bvstrcasecmp(bval, "posixGroup"))) {
 config->search_group = TRUE;
--
2.4.3
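Review bot: `config->wrong_search = TRUE` in the new `else` branch is never cleared in this hunk, and the '@' branch sets `name_set` and `search_members` without touching it, so the result for a filter carrying several `memberUid` terms depends on how the reader of these flags orders them. If this callback runs once per filter term (inferred from its name and signature; the caller and the rest of `backend_search_filter_has_cn_uid` are outside the hunk), one client-supplied value without '@' could suppress the SSSD lookup for a valid `user@domain` term in the same filter. I would state the precedence in the comment, e.g. `/* no '@': not a trusted AD forest user; flags the whole search, not just this term */`, or reset the flag beside `config->name_set = TRUE;` if per-term behaviour is intended. The comment should also record that the '@' test relies on trusted-forest users always appearing as fully qualified `user@domain` names, as the commit message asserts.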