summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorPavel Březina <pbrezina@redhat.com>2013-01-07 09:56:18 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-07 21:47:24 +0100
commit023ebc3d7e76978cfe7952480e0d7d88a2e1f690 (patch)
tree46257bcf116e2a17ea93c6e94b745a51d7babfff /src
parent4869633dc87dadb2b9a114444d375c39703ac863 (diff)
downloadsssd-023ebc3d7e76978cfe7952480e0d7d88a2e1f690.tar.gz
sssd-023ebc3d7e76978cfe7952480e0d7d88a2e1f690.tar.bz2
sssd-023ebc3d7e76978cfe7952480e0d7d88a2e1f690.zip
sudo smart refresh: do not include usn in filter if no valid usn is known
https://fedorahosted.org/sssd/ticket/1736 When there are no rules during first refresh, we don't have valid USN value. We use 0 in this case, but it turned out that OpenLDAP takes it as invalid time format (if modifyTimestamp is used instead of USN) and thus returns no records. Now we don't include USN/modifyTimestamp attribute in the filter if such situasion occurs.
Diffstat (limited to 'src')
-rw-r--r--src/providers/ldap/sdap_sudo.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 4b0d7570..e1d5a4ab 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -865,11 +865,18 @@ static struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
state->sysdb = id_ctx->be->sysdb;
/* Download all rules from LDAP that are newer than usn */
- usn = srv_opts->max_sudo_value == NULL ? "0" : srv_opts->max_sudo_value;
- ldap_filter = talloc_asprintf(state, "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
- map[SDAP_OC_SUDORULE].name,
- map[SDAP_AT_SUDO_USN].name, usn,
- map[SDAP_AT_SUDO_USN].name, usn);
+ usn = srv_opts->max_sudo_value;
+ if (usn != NULL) {
+ ldap_filter = talloc_asprintf(state,
+ "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+ map[SDAP_OC_SUDORULE].name,
+ map[SDAP_AT_SUDO_USN].name, usn,
+ map[SDAP_AT_SUDO_USN].name, usn);
+ } else {
+ /* no valid USN value known */
+ ldap_filter = talloc_asprintf(state, SDAP_SUDO_FILTER_CLASS,
+ map[SDAP_OC_SUDORULE].name);
+ }
if (ldap_filter == NULL) {
ret = ENOMEM;
goto immediately;