From d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 25 Sep 2013 18:33:11 +0200 Subject: LDAP: Require ID numbers when ID mapping is off Related: https://fedorahosted.org/sssd/ticket/2070 When searching for users and groups without the use of ID mapping, make sure the UIDs and GIDs are included in the search. This will make the SSSD seemigly "miss" entries when searching in Global Catalog in the scenario where the POSIX attributes are not replicated to the GC. --- src/providers/ldap/ldap_id.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) (limited to 'src/providers/ldap/ldap_id.c') diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index 5fd05ebb..162d987b 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -169,9 +169,28 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, goto fail; } - state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", - attr_name, clean_name, - ctx->opts->user_map[SDAP_OC_USER].name); + if (use_id_mapping || filter_type == BE_FILTER_SECID) { + /* When mapping IDs or looking for SIDs, we don't want to limit + * ourselves to users with a UID value. But there must be a SID to map + * from. + */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name); + } else { + /* When not ID-mapping, make sure there is a non-NULL UID */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name); + } + talloc_zfree(clean_name); if (!state->filter) { DEBUG(2, ("Failed to build the base filter\n")); -- cgit