[SSSD] [PATCHES][PRELIMINARY] ldap_*_search_base doesn't fully limit the group / netgroup

https://fedorahosted.org/sssd/ticket/960 I'm sending the fix for groups first because I want this to be ACKed before I start working on netgroups. Current behaviour is that if any of the search bases contain filter, than dereference will be turned off and single step approach will be used. Algorithm for determining the search base: 1. output_filter = "" 1. String compare of memberdn and basedn (calculates with scope as well) 2. If compare is true and filter != "", append filter to output_filter (|) 3. return true and output_filter if it is possible that memberdn belongs to basedn The output_filter is then appended (&) in the actual filter. There is probably one bug, when you have several search bases when one is a generalization of the other but with more restrictive filter. For example (LDIF attached): ldap_group_search_base = cn=QA,ou=Groups,dc=brq,dc=redhat,dc=com?sub?? cn=DEV,ou=Groups,dc=brq,dc=redhat,dc=com?sub? ldap_user_search_base = cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com?sub?? (A) ou=People,dc=brq,dc=redhat,dc=com?sub?(&(uid=u1)(uid=u5)) (B) GroupA (direct or indirect) members in LDIF are: u1, u3 (from B), u4 (from A) Expected result might be u4 (it is currently the actual result). However, B is a contradiction and the filter contains this contradiction*) so the actual result should be empty membership. But the result is: getent group groupA groupA:*:10002:u4 * calling ldap_search_ext with [(&(|(&(uid=u1)(uid=u3)))(objectclass=posixAccount))][cn=u4,cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com] Does anyone know what am I missing? Thank you, Pavel. [PATCH 1/3] Function that compares dn to base dn (thanks Jan) [PATCH 2/3] Fixes some bugs in previous function and changes it's behaviour to follow my needs [PATCH 3/3] Fixes the group processing