>From 2f4e2e6d5e8f29f5b2cdd9f0b825edc172da57ea Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 21 Jul 2015 21:00:27 +0200
Subject: [PATCH] LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains
https://fedorahosted.org/sssd/ticket/2723 In case there are overlapping sdap domains, a search for a single user might match and return multiple entries. For instance, with AD domains represented by search bases: DC=win,DC=trust,DC=test DC=child,DC=win,DC=trust,DC=test A search for user from win.trust.test would be based at: DC=win,DC=trust,DC=test but would match both search bases and return both users. Instead of performing complex filtering, just save both users. The responder would select the entry that matches the user's search.
---
src/providers/ldap/sdap_async_groups.c | 3 ---
src/providers/ldap/sdap_async_users.c | 3 ---
2 files changed, 6 deletions(-)
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 525c6fa09553d8c0232ce2317751184f83632d86..0a5033e5da0f8fa6c005c5cacd72c466bf5f161a 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1874,8 +1874,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
 switch (state->lookup_type) {
 case SDAP_LOOKUP_SINGLE:
- sizelimit = 1;
- need_paging = false;
 break;
 /* Only requests that can return multiple entries should require
 * the paging control
@@ -1885,7 +1883,6 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
 need_paging = true;
 break;
 case SDAP_LOOKUP_ENUMERATE:
- sizelimit = 0; /* unlimited */
 need_paging = true;
 break;
 }
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index a864a8b2187de7972aa963b355856e97f7c692a9..e38f4cd1610e62aa2cf9f4add3a5f7ad5290e748 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -692,8 +692,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
 switch (state->lookup_type) {
 case SDAP_LOOKUP_SINGLE:
- sizelimit = 1;
- need_paging = false;
 break;
 /* Only requests that can return multiple entries should require
 * the paging control
@@ -703,7 +701,6 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
 need_paging = true;
 break;
 case SDAP_LOOKUP_ENUMERATE:
- sizelimit = 0; /* unlimited */
 need_paging = true;
 break;
 }
-- 
2.4.3