From 075a5e689eb6983f412724b0324cec59726ae6e9 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Tue, 21 Jul 2015 21:00:27 +0200

Subject: [PATCH 83/86] LDAP: imposing sizelimit=1 for single-entry searches

 breaks overlapping domains

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

https://fedorahosted.org/sssd/ticket/2723

In case there are overlapping sdap domains, a search for a single user

might match and return multiple entries. For instance, with AD domains

represented by search bases:

    DC=win,DC=trust,DC=test

    DC=child,DC=win,DC=trust,DC=test

A search for user from win.trust.test would be based at:

    DC=win,DC=trust,DC=test

but would match both search bases and return both users.

Instead of performing complex filtering, just save both users. The

responder would select the entry that matches the user's search.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

(cherry picked from commit 67625b1b4f856510bf4e169649b3fb30c2c14152)

---

 src/providers/ldap/sdap_async_groups.c | 10 ----------

 src/providers/ldap/sdap_async_users.c  |  3 ---

 2 files changed, 13 deletions(-)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c

index 525c6fa09553d8c0232ce2317751184f83632d86..57a53af3f4eb46e6f31af9ee7c4d4625239d2a54 100644

--- a/src/providers/ldap/sdap_async_groups.c

+++ b/src/providers/ldap/sdap_async_groups.c

@@ -1874,8 +1874,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)

     switch (state->lookup_type) {

     case SDAP_LOOKUP_SINGLE:

-        sizelimit = 1;

-        need_paging = false;

         break;

     /* Only requests that can return multiple entries should require

      * the paging control

@@ -1885,7 +1883,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)

         need_paging = true;

         break;

     case SDAP_LOOKUP_ENUMERATE:

-        sizelimit = 0;  /* unlimited */

         need_paging = true;

         break;

     }

@@ -1934,13 +1931,6 @@ static void sdap_get_groups_process(struct tevent_req *subreq)

     DEBUG(SSSDBG_TRACE_FUNC,

           "Search for groups, returned %zu results.\n", count);

-    if (state->lookup_type == SDAP_LOOKUP_SINGLE && count > 1) {

-        DEBUG(SSSDBG_MINOR_FAILURE,

-              "Individual group search returned multiple results\n");

-        tevent_req_error(req, EINVAL);

-        return;

-    }

-

     if (state->lookup_type == SDAP_LOOKUP_WILDCARD || \

             state->lookup_type == SDAP_LOOKUP_ENUMERATE || \

         count == 0) {

diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c

index a864a8b2187de7972aa963b355856e97f7c692a9..e38f4cd1610e62aa2cf9f4add3a5f7ad5290e748 100644

--- a/src/providers/ldap/sdap_async_users.c

+++ b/src/providers/ldap/sdap_async_users.c

@@ -692,8 +692,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)

     switch (state->lookup_type) {

     case SDAP_LOOKUP_SINGLE:

-        sizelimit = 1;

-        need_paging = false;

         break;

     /* Only requests that can return multiple entries should require

      * the paging control

@@ -703,7 +701,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)

         need_paging = true;

         break;

     case SDAP_LOOKUP_ENUMERATE:

-        sizelimit = 0;  /* unlimited */

         need_paging = true;

         break;

     }

-- 

2.4.3