https://fedorahosted.org/sssd/ticket/960
I'm sending the fix for groups first because I want this to be ACKed
before I start working on netgroups.
Current behaviour is that if any of the search bases contain filter,
than dereference will be turned off and single step approach will be used.
Algorithm for determining the search base:
1. output_filter = ""
1. String compare of memberdn and basedn
(calculates with scope as well)
2. If compare is true and filter != "", append filter to
output_filter (|)
3. return true and output_filter if it is possible that memberdn
belongs to basedn
The output_filter is then appended (&) in the actual filter.
There is probably one bug, when you have several search bases when one
is a generalization of the other but with more restrictive filter.
For example (LDIF attached):
ldap_group_search_base =
cn=QA,ou=Groups,dc=brq,dc=redhat,dc=com?sub??
cn=DEV,ou=Groups,dc=brq,dc=redhat,dc=com?sub?
ldap_user_search_base =
cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com?sub?? (A)
ou=People,dc=brq,dc=redhat,dc=com?sub?(&(uid=u1)(uid=u5)) (B)
GroupA (direct or indirect) members in LDIF are:
u1, u3 (from B), u4 (from A)
Expected result might be u4 (it is currently the actual result).
However, B is a contradiction and the filter contains this
contradiction*) so the actual result should be empty membership. But the
result is:
getent group groupA
groupA:*:10002:u4
* calling ldap_search_ext with
[(&(|(&(uid=u1)(uid=u3)))(objectclass=posixAccount))][cn=u4,cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com]
Does anyone know what am I missing?
Thank you,
Pavel.
[PATCH 1/3] Function that compares dn to base dn (thanks Jan)
[PATCH 2/3] Fixes some bugs in previous function and changes it's
behaviour to follow my needs
[PATCH 3/3] Fixes the group processing