-rw-r--r-- | src/providers/ldap/ldap_init.c | 22 | ||||
-rw-r--r-- | src/providers/ldap/sdap_access.c | 2 |
2 files changed, 21 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 3a9b12d2..7059905c 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -208,6 +208,7 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
 {
     int ret;
     struct sdap_access_ctx *access_ctx;
+    const char *filter;
 
     access_ctx = talloc_zero(bectx, struct sdap_access_ctx);
     if(access_ctx == NULL) {
@@ -221,9 +222,9 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
         goto done;
     }
 
-    access_ctx->filter = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
+    filter = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
                                             SDAP_ACCESS_FILTER);
-    if (access_ctx->filter == NULL) {
+    if (filter == NULL) {
         /* It's okay if this is NULL. In that case we will simply act
          * like the 'deny' provider.
          */
@@ -232,9 +233,26 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
                   "All domain users will be denied access.\n"));
     }
 
+    if (filter[0] == '(') {
+        /* This filter is wrapped in parentheses.
+         * Pass it as-is to the openldap libraries.
+         */
+        access_ctx->filter = filter;
+    }
+    else {
+        /* Add parentheses around the filter */
+        access_ctx->filter = talloc_asprintf(access_ctx, "(%s)", filter);
+        if (access_ctx->filter == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+    }
+
     *ops = &sdap_access_ops;
     *pvt_data = access_ctx;
 
+    ret = EOK;
+
 done:
     if (ret != EOK) {
         talloc_free(access_ctx);
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index fd3deb78..8a156bc3 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -214,7 +214,7 @@ static struct tevent_req *sdap_access_send(TALLOC_CTX *mem_ctx,
     /* Construct the filter */
     state->filter = talloc_asprintf(
         state,
-        "(&(%s=%s)(objectclass=%s)(%s))",
+        "(&(%s=%s)(objectclass=%s)%s)",
         state->sdap_ctx->opts->user_map[SDAP_AT_USER_NAME].name,
         state->username,
         state->sdap_ctx->opts->user_map[SDAP_OC_USER].name,
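Review bot: `if (filter[0] == '(')` in the third ldap_init.c hunk dereferences `filter` right after the preceding block has accepted `filter == NULL` as a legitimate configuration ("act like the 'deny' provider"), so an unset access filter would now read through a NULL pointer at provider start-up instead of denying access — unless the two lines hidden between the second and third hunk leave the function, which the visible context does not suggest. Making the new block the else-branch of the NULL check fixes it in one line: replace the `}` and `if (filter[0] == '(') {` that open this hunk's addition with `} else if (filter[0] == '(') {`, which leaves `access_ctx->filter` NULL (from talloc_zero) in the deny case. The check also forwards any admin-supplied string that merely begins with '(' unmodified, so an unbalanced or concatenated filter reaches the LDAP library as-is; a comment such as `/* No syntax validation here: a malformed filter is rejected by the LDAP library at search time */` would tell the next reader where the failure surfaces. The body of sssm_ldap_access_init continues past the `done:` label outside the hunk.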
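Review bot: The new format string `"(&(%s=%s)(objectclass=%s)%s)"` makes sdap_access_send depend on an invariant established in a different file — that `state->filter` is non-NULL and already wrapped in parentheses by sssm_ldap_access_init — but nothing in this hunk records or checks it, and if `state->filter` is the access_ctx filter from ldap_init.c (not shown here), the NULL value that file explicitly tolerates would be handed to `%s`. A comment above the call, `/* state->filter is normalized to a parenthesized LDAP filter in sssm_ldap_access_init(); NULL means 'deny all' */`, plus a guard that fails the request before building the filter when `state->filter == NULL`, would keep the two files in step. The guard's exact shape depends on how this function reports errors, which is outside the hunk; sdap_access_send both starts and continues outside it.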