author | Pavel Březina <pbrezina@redhat.com> | 2013-01-07 09:56:18 +0100 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-01-07 21:47:24 +0100 |
commit | 023ebc3d7e76978cfe7952480e0d7d88a2e1f690 (patch) | |
tree | 46257bcf116e2a17ea93c6e94b745a51d7babfff /src | |
parent | 4869633dc87dadb2b9a114444d375c39703ac863 (diff) | |
sudo smart refresh: do not include usn in filter if no valid usn is known
https://fedorahosted.org/sssd/ticket/1736
When there are no rules during first refresh, we don't have valid
USN value. We use 0 in this case, but it turned out that OpenLDAP
takes it as invalid time format (if modifyTimestamp is used instead
of USN) and thus returns no records.
Now we don't include USN/modifyTimestamp attribute in the filter
if such a situation occurs.
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ldap/sdap_sudo.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 4b0d7570..e1d5a4ab 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -865,11 +865,18 @@ static struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
     state->sysdb = id_ctx->be->sysdb;
 
     /* Download all rules from LDAP that are newer than usn */
-    usn = srv_opts->max_sudo_value == NULL ? "0" : srv_opts->max_sudo_value;
-    ldap_filter = talloc_asprintf(state, "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
-                                  map[SDAP_OC_SUDORULE].name,
-                                  map[SDAP_AT_SUDO_USN].name, usn,
-                                  map[SDAP_AT_SUDO_USN].name, usn);
+    usn = srv_opts->max_sudo_value;
+    if (usn != NULL) {
+        ldap_filter = talloc_asprintf(state,
+                                      "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+                                      map[SDAP_OC_SUDORULE].name,
+                                      map[SDAP_AT_SUDO_USN].name, usn,
+                                      map[SDAP_AT_SUDO_USN].name, usn);
+    } else {
+        /* no valid USN value known */
+        ldap_filter = talloc_asprintf(state, SDAP_SUDO_FILTER_CLASS,
+                                      map[SDAP_OC_SUDORULE].name);
+    }
     if (ldap_filter == NULL) {
         ret = ENOMEM;
         goto immediately;
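Review bot: The non-NULL branch still splices `usn` into the LDAP filter string verbatim, and `srv_opts->max_sudo_value` appears to be a value previously read back from the directory rather than something this code generates, so a malformed value (one containing `(`, `)`, `*` or `\`) would change the meaning of the filter instead of being rejected; a guard that accepts only the expected syntax (a USN or a modifyTimestamp value) before the `talloc_asprintf`, or a pass through the tree's filter sanitizer if one exists, would close that gap, and the commit does not address it. The comment above the block now describes only the first branch; `/* Download all rules from LDAP that are newer than usn, or every rule when no valid USN is known yet */` would cover both. Emitting a DEBUG line in the `else` branch would also make it visible in logs that a full rather than incremental download is being performed. sdap_sudo_smart_refresh_send begins before and continues after this hunk.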