From 023ebc3d7e76978cfe7952480e0d7d88a2e1f690 Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Mon, 7 Jan 2013 09:56:18 +0100
Subject: sudo smart refresh: do not include usn in filter if no valid usn is known

https://fedorahosted.org/sssd/ticket/1736

When there are no rules during first refresh, we don't have valid USN value. We use 0 in this case, but it turned out that OpenLDAP takes it as invalid time format (if modifyTimestamp is used instead of USN) and thus returns no records. Now we don't include USN/modifyTimestamp attribute in the filter if such situasion occurs.
---
 src/providers/ldap/sdap_sudo.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

(limited to 'src/providers')

diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 4b0d7570..e1d5a4ab 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -865,11 +865,18 @@ static struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
     state->sysdb = id_ctx->be->sysdb;
 
     /* Download all rules from LDAP that are newer than usn */
-    usn = srv_opts->max_sudo_value == NULL ? "0" : srv_opts->max_sudo_value;
-    ldap_filter = talloc_asprintf(state, "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
-                                  map[SDAP_OC_SUDORULE].name,
-                                  map[SDAP_AT_SUDO_USN].name, usn,
-                                  map[SDAP_AT_SUDO_USN].name, usn);
+    usn = srv_opts->max_sudo_value;
+    if (usn != NULL) {
+        ldap_filter = talloc_asprintf(state,
+                                      "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+                                      map[SDAP_OC_SUDORULE].name,
+                                      map[SDAP_AT_SUDO_USN].name, usn,
+                                      map[SDAP_AT_SUDO_USN].name, usn);
+    } else {
+        /* no valid USN value known */
+        ldap_filter = talloc_asprintf(state, SDAP_SUDO_FILTER_CLASS,
+                                      map[SDAP_OC_SUDORULE].name);
+    }
     if (ldap_filter == NULL) {
         ret = ENOMEM;
         goto immediately;
--
cgit
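Review bot: The `usn` string spliced into the `(%s>=%s)(!(%s=%s))` format comes from `srv_opts->max_sudo_value`, which appears to be derived from attribute values the directory returned on an earlier refresh rather than from local configuration, and the new `if (usn != NULL)` branch still inserts it into the filter without checking that it is a bare USN number or generalized-time token, so the commit closes only the literal `"0"` case while any other malformed or filter-special value is still sent through unchecked. If the filter-escaping helper the tree uses for other operands (sss_filter_sanitize, if it is available in this unit) were applied to `usn` before `talloc_asprintf`, or the value were validated as digits/timestamp when it is recorded, that gap closes; at minimum a comment should state the trust assumption on the value. The else-branch comment should carry the reason that now lives only in the commit message, e.g. `/* No USN/modifyTimestamp known yet (first refresh found no rules): omit the attribute entirely, OpenLDAP rejects "0" as a timestamp and returns nothing. */`. The leading `/* Download all rules from LDAP that are newer than usn */` is now true only for the first branch; the else branch fetches every rule, so the comment should say so. sdap_sudo_smart_refresh_send begins before and continues after this hunk.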