From c05cbbe41c7512e67fd23f91ad15a9222a4954a6 Mon Sep 17 00:00:00 2001
From: Lars Müller
Date: Fri, 6 Jul 2007 18:49:49 +0000
Subject: r23733: Limit LDAP lookup in lookup_usergroups_member() to security groups. Credits to Ralf Haferkamp for the discussion and help on this. (This used to be commit 5be96d09a7c457b1763d7ad482b5a5a92c02d157)
---
 source3/nsswitch/winbindd_ads.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 09289912f9..b6aa95c51e 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -570,7 +570,12 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
 goto done;
 }

- if (!(ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectCategory=group))", escaped_dn))) {
+ ldap_exp = talloc_asprintf(mem_ctx,
+ "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
+ escaped_dn,
+ ADS_LDAP_MATCHING_RULE_BIT_AND,
+ GROUP_TYPE_SECURITY_ENABLED);
+ if (!ldap_exp) {
 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
 SAFE_FREE(escaped_dn);
 status = NT_STATUS_NO_MEMORY;
-- 
cgit
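Review bot: The `%d` conversion for `GROUP_TYPE_SECURITY_ENABLED` in the new `talloc_asprintf()` call only matches its argument if that macro has type `int`. Its definition is outside the hunk; if it is a high-bit flag written as a hex literal, its type is `unsigned int` and the decimal text placed in the filter depends on an unstated conversion. Making the conversion explicit at the call site, `(int)GROUP_TYPE_SECURITY_ENABLED);`, keeps the specifier and argument in agreement without changing what is emitted on the usual platforms. Because this filter decides which groups are returned for the user, a value the server does not match would quietly shrink that list, so a short comment above the call would help, for example `/* bitwise-AND match on groupType: only security-enabled groups are returned, distribution groups are skipped */`. The body of `lookup_usergroups_member()` starts and ends outside this hunk, so how `escaped_dn` is produced cannot be checked from here.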