diff options
Diffstat (limited to 'src/providers/ldap/ldap_id.c')
-rw-r--r-- | src/providers/ldap/ldap_id.c | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index 5fd05ebb..162d987b 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -169,9 +169,28 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, goto fail; } - state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", - attr_name, clean_name, - ctx->opts->user_map[SDAP_OC_USER].name); + if (use_id_mapping || filter_type == BE_FILTER_SECID) { + /* When mapping IDs or looking for SIDs, we don't want to limit + * ourselves to users with a UID value. But there must be a SID to map + * from. + */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name); + } else { + /* When not ID-mapping, make sure there is a non-NULL UID */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name); + } + talloc_zfree(clean_name); if (!state->filter) { DEBUG(2, ("Failed to build the base filter\n")); |