r23733: Limit LDAP lookup in lookup_usergroups_member() to security groups.

Credits to Ralf Haferkamp for the discussion and help on this. (This used to be commit 5be96d09a7c457b1763d7ad482b5a5a92c02d157)
author: Lars Müller <lmuelle@samba.org> 2007-07-06 18:49:49 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 12:23:50 -0500
commit: c05cbbe41c7512e67fd23f91ad15a9222a4954a6 (patch)
tree: b6965d4550d04ac5ba05a93a1ca67ed083211af2
parent: 24ebb4b1b62fbb8f9d523708da6c330068a97015 (diff)
download: samba-c05cbbe41c7512e67fd23f91ad15a9222a4954a6.tar.gz
samba-c05cbbe41c7512e67fd23f91ad15a9222a4954a6.tar.bz2
samba-c05cbbe41c7512e67fd23f91ad15a9222a4954a6.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 09289912f9..b6aa95c51e 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -570,7 +570,12 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
 		goto done;
 	}
 
-	if (!(ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectCategory=group))", escaped_dn))) {
+	ldap_exp = talloc_asprintf(mem_ctx,
+		"(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
+		escaped_dn,
+		ADS_LDAP_MATCHING_RULE_BIT_AND,
+		GROUP_TYPE_SECURITY_ENABLED);
+	if (!ldap_exp) {
 		DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
 		SAFE_FREE(escaped_dn);
 		status = NT_STATUS_NO_MEMORY;
author	Lars Müller <lmuelle@samba.org>	2007-07-06 18:49:49 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 12:23:50 -0500
commit	c05cbbe41c7512e67fd23f91ad15a9222a4954a6 (patch)
tree	b6965d4550d04ac5ba05a93a1ca67ed083211af2
parent	24ebb4b1b62fbb8f9d523708da6c330068a97015 (diff)
download	samba-c05cbbe41c7512e67fd23f91ad15a9222a4954a6.tar.gz samba-c05cbbe41c7512e67fd23f91ad15a9222a4954a6.tar.bz2 samba-c05cbbe41c7512e67fd23f91ad15a9222a4954a6.zip