From 075a5e689eb6983f412724b0324cec59726ae6e9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 21 Jul 2015 21:00:27 +0200
Subject: [PATCH 83/86] LDAP: imposing sizelimit=1 for single-entry searches
 breaks overlapping domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://fedorahosted.org/sssd/ticket/2723

In case there are overlapping sdap domains, a search for a single user
might match and return multiple entries. For instance, with AD domains
represented by search bases:
    DC=win,DC=trust,DC=test
    DC=child,DC=win,DC=trust,DC=test

A search for a user from win.trust.test would be based at:
    DC=win,DC=trust,DC=test
but would match both search bases and return both users.

Instead of performing complex filtering, just save both users. The
responder would select the entry that matches the user's search.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 67625b1b4f856510bf4e169649b3fb30c2c14152)
---
 src/providers/ldap/sdap_async_groups.c | 10 ----------
 src/providers/ldap/sdap_async_users.c  |  3 ---
 2 files changed, 13 deletions(-)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 525c6fa09553d8c0232ce2317751184f83632d86..57a53af3f4eb46e6f31af9ee7c4d4625239d2a54 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1874,8 +1874,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
 
     switch (state->lookup_type) {
     case SDAP_LOOKUP_SINGLE:
-        sizelimit = 1;
-        need_paging = false;
         break;
     /* Only requests that can return multiple entries should require
      * the paging control
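Review bot: With both assignments removed from the SDAP_LOOKUP_SINGLE arm, sizelimit and need_paging keep whatever value they were given before the switch, and that initialization is outside the hunk; once the ENUMERATE hunk just below drops its `sizelimit = 0;  /* unlimited */` as well, sizelimit is no longer assigned in any arm of this switch. If the declarations at the top of sdap_get_groups_next_base do not initialize the two variables, the SINGLE path would hand an indeterminate value to the search; presumably they default to 0/false, in which case a single-entry lookup now runs unbounded and unpaged, which is the intent but is not stated anywhere in the code. A one-line comment in the now-empty arm would record that, e.g. `/* no sizelimit: overlapping search bases may legitimately return several entries (ticket 2723) */`. The same applies to the two hunks in sdap_async_users.c (sdap_search_user_next_base). sdap_get_groups_next_base begins and ends outside this hunk.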
@@ -1885,7 +1883,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
         need_paging = true;
         break;
     case SDAP_LOOKUP_ENUMERATE:
-        sizelimit = 0;  /* unlimited */
         need_paging = true;
         break;
     }
@@ -1934,13 +1931,6 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
     DEBUG(SSSDBG_TRACE_FUNC,
           "Search for groups, returned %zu results.\n", count);
 
-    if (state->lookup_type == SDAP_LOOKUP_SINGLE && count > 1) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              "Individual group search returned multiple results\n");
-        tevent_req_error(req, EINVAL);
-        return;
-    }
-
     if (state->lookup_type == SDAP_LOOKUP_WILDCARD || \
             state->lookup_type == SDAP_LOOKUP_ENUMERATE || \
         count == 0) {
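Review bot: Dropping the `count > 1` guard for SDAP_LOOKUP_SINGLE also drops the only log line that made duplicate matches visible, so a single-entry lookup that returns several entries is now indistinguishable in the logs from a normal one; that makes the overlapping-domain case, and any search base that matches more than it should, hard to diagnose after the fact. Keeping a trace-level message without the error preserves that signal: `if (state->lookup_type == SDAP_LOOKUP_SINGLE && count > 1) {` / `DEBUG(SSSDBG_TRACE_FUNC, "Individual group search returned %zu results\n", count);` / `}`. The hunk shows only the guard being removed; the code that follows, cut off at the hunk's end, must now cope with count > 1 on the SINGLE path where it could previously assume at most one entry. sdap_get_groups_process continues past this hunk.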
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index a864a8b2187de7972aa963b355856e97f7c692a9..e38f4cd1610e62aa2cf9f4add3a5f7ad5290e748 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -692,8 +692,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
 
     switch (state->lookup_type) {
     case SDAP_LOOKUP_SINGLE:
-        sizelimit = 1;
-        need_paging = false;
         break;
     /* Only requests that can return multiple entries should require
      * the paging control
@@ -703,7 +701,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
         need_paging = true;
         break;
     case SDAP_LOOKUP_ENUMERATE:
-        sizelimit = 0;  /* unlimited */
         need_paging = true;
         break;
     }
-- 
2.4.3