>From c6ca4c3be7f96eb637700ef88836846e8a32152d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 25 Sep 2013 18:33:11 +0200
Subject: [PATCH 1/5] LDAP: Require ID numbers when ID mapping is off

Related: https://fedorahosted.org/sssd/ticket/2070

When searching for users and groups without the use of ID mapping, make sure the UIDs and GIDs are included in the search. This will make the SSSD seemigly "miss" entries when searching in Global Catalog in the scenario where the POSIX attributes are not replicated to the GC.
---
 src/providers/ldap/ldap_id.c | 25 +++++++++++--
 src/providers/ldap/sdap_async_initgroups.c | 59 ++++++++++++++++++++++++++++--
 2 files changed, 77 insertions(+), 7 deletions(-)

diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 5fd05ebbd2c95d1e8362c916feee2f4f9dfd4ffc..162d987b60d76af2e18b96b14b56a5dde3311b3b 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -169,9 +169,28 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
 goto fail;
 }
 
- state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
- attr_name, clean_name,
- ctx->opts->user_map[SDAP_OC_USER].name);
+ if (use_id_mapping || filter_type == BE_FILTER_SECID) {
+ /* When mapping IDs or looking for SIDs, we don't want to limit
+ * ourselves to users with a UID value. But there must be a SID to map
+ * from.
+ */
+ state->filter = talloc_asprintf(state,
+ "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ attr_name, clean_name,
+ ctx->opts->user_map[SDAP_OC_USER].name,
+ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+ ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ } else {
+ /* When not ID-mapping, make sure there is a non-NULL UID */
+ state->filter = talloc_asprintf(state,
+ "(&(%s=%s)(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))",
+ attr_name, clean_name,
+ ctx->opts->user_map[SDAP_OC_USER].name,
+ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+ ctx->opts->user_map[SDAP_AT_USER_UID].name,
+ ctx->opts->user_map[SDAP_AT_USER_UID].name);
+ }
+
 talloc_zfree(clean_name);
 if (!state->filter) {
 DEBUG(2, ("Failed to build the base filter\n"));
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index a0df82ca54c89f1df0e301d4e0bae439c97f20f7..875bf7115648058333e5ff170b5621e51ec12dc9 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -1442,7 +1442,7 @@ struct sdap_initgr_rfc2307bis_state {
 struct sss_domain_info *dom;
 struct sdap_handle *sh;
 const char *name;
- const char *base_filter;
+ char *base_filter;
 char *filter;
 const char **attrs;
 const char *orig_dn;
@@ -1493,6 +1493,7 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
 struct sdap_initgr_rfc2307bis_state *state;
 const char **attr_filter;
 char *clean_orig_dn;
+ bool use_id_mapping;
 
 req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307bis_state);
 if (!req) return NULL;
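Review bot: Both new filters in users_get_send add a `(%s=*)` term on SDAP_AT_USER_NAME, so entries lacking the configured name attribute are now skipped as well, and neither the commit message nor the two comments say so; a line such as `/* a name attribute is required in both branches */` above the if would make that intentional. The `(!(%s=0))` term in the else branch is the part worth spelling out, since it refuses entries whose uidNumber is 0, presumably so that a directory object can never resolve to root; `/* When not ID-mapping, require a uidNumber and refuse uidNumber 0 (root) */` says more than "non-NULL UID". `use_id_mapping` is not declared in this hunk and is presumably already in scope earlier in users_get_send, which starts and ends outside the hunk. The same two-branch filter logic is repeated twice in sdap_async_initgroups.c below with slightly different error handling, so a small shared helper returning the ID-requirement fragment for a given attribute map would keep the three sites from drifting.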
@@ -1540,8 +1541,11 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
 ret = sss_filter_sanitize(state, orig_dn, &clean_orig_dn);
 if (ret != EOK) goto done;
 
+ use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx,
+ dom->domain_id);
+
 state->base_filter =
- talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",
+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)",
 opts->group_map[SDAP_AT_GROUP_MEMBER].name,
 clean_orig_dn,
 opts->group_map[SDAP_OC_GROUP].name,
@@ -1550,6 +1554,28 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
 ret = ENOMEM;
 goto done;
 }
+
+ if (use_id_mapping) {
+ /* When mapping IDs or looking for SIDs, we don't want to limit
+ * ourselves to groups with a GID value. But there must be a SID to map
+ * from.
+ */
+ state->base_filter = talloc_asprintf_append(state->base_filter,
+ "(%s=*))",
+ opts->group_map[SDAP_AT_GROUP_OBJECTSID].name);
+ } else {
+ /* When not ID-mapping, make sure there is a non-NULL UID */
+ state->base_filter = talloc_asprintf_append(state->base_filter,
+ "(&(%s=*)(!(%s=0))))",
+ opts->group_map[SDAP_AT_GROUP_GID].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name);
+ }
+ if (!state->base_filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ talloc_zfree(clean_orig_dn);
 
 ret = sdap_initgr_rfc2307bis_next_base(req);
 
@@ -2551,7 +2577,7 @@ struct sdap_get_initgr_state {
 const char *name;
 const char **grp_attrs;
 const char **user_attrs;
- const char *user_base_filter;
+ char *user_base_filter;
 char *filter;
 int timeout;
 
@@ -2580,6 +2606,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
 struct sdap_get_initgr_state *state;
 int ret;
 char *clean_name;
+ bool use_id_mapping;
 
 DEBUG(9, ("Retrieving info for initgroups call\n"));
 
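Review bot: In the `@@ -1550` hunk the new `if (!state->base_filter)` check after the talloc_asprintf_append calls bails out with `talloc_zfree(req); return NULL;`, while the identical check a few lines earlier in the same function (its tail is the hunk's leading context, `ret = ENOMEM; goto done;`) goes through the done label; `ret = ENOMEM; goto done;` would keep the two failure paths of sdap_initgr_rfc2307bis_send consistent. The else-branch comment was copied from the user code and says `non-NULL UID` although the appended terms are on SDAP_AT_GROUP_GID, so it should read `/* When not ID-mapping, make sure there is a non-NULL GID */`. The if-branch comment's "or looking for SIDs" describes a branch that does not exist here, since the condition is only `use_id_mapping`; the same stale wording appears in the `@@ -2622` hunk of sdap_get_initgr_send. Note that the `@@ -1540` hunk now leaves the filter string with an unclosed `(&` that only the append in this hunk balances, so the two statements produce a valid filter only together. sdap_initgr_rfc2307bis_send starts and ends outside these hunks.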
@@ -2606,6 +2633,10 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
 goto done;
 }
 
+ use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
+ id_ctx->opts->idmap_ctx,
+ sdom->dom->domain_id);
+
 ret = sss_filter_sanitize(state, name, &clean_name);
 if (ret != EOK) {
 talloc_zfree(req);
@@ -2613,7 +2644,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
 }
 
 state->user_base_filter =
- talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
 state->opts->user_map[SDAP_AT_USER_NAME].name,
 clean_name,
 state->opts->user_map[SDAP_OC_USER].name);
@@ -2622,6 +2653,26 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
 return NULL;
 }
 
+ if (use_id_mapping) {
+ /* When mapping IDs or looking for SIDs, we don't want to limit
+ * ourselves to users with a UID value. But there must be a SID to map
+ * from.
+ */
+ state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
+ "(%s=*))",
+ id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ } else {
+ /* When not ID-mapping, make sure there is a non-NULL UID */
+ state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
+ "(&(%s=*)(!(%s=0))))",
+ id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
+ id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
+ }
+ if (!state->user_base_filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
 ret = build_attrs_from_map(state, state->opts->user_map, SDAP_OPTS_USER,
 NULL, &state->user_attrs, NULL);
 if (ret) {
-- 
1.8.3.1
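Review bot: The appended fragments in the `@@ -2622` hunk read the map as `id_ctx->opts->user_map`, while the prefix built in the `@@ -2613` hunk and the build_attrs_from_map call in this hunk's trailing context use `state->opts->user_map`; presumably these are the same object, but switching spellings a few lines apart makes a reader stop to check, and `state->opts->user_map[SDAP_AT_USER_OBJECTSID].name` / `state->opts->user_map[SDAP_AT_USER_UID].name` on the three new lines would match the surrounding code. The filter is also assembled from an unbalanced prefix `"(&(%s=%s)(objectclass=%s)"` and a suffix that closes it, so a later edit to either statement on its own yields a malformed filter that only fails at search time; ldap_id.c in this same commit builds the complete filter in one talloc_asprintf per branch, which is easier to verify and would fit here and in the `@@ -1540`/`@@ -1550` hunks too. The `(!(%s=0))` term is the security-relevant part of the else branch and deserves a comment stating that uidNumber 0 is deliberately refused rather than "make sure there is a non-NULL UID". sdap_get_initgr_send starts and ends outside these hunks.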