On 22.11.2011 19:56, Jan Zeleny wrote:
Pavel Březina <pbrezina(a)redhat.com> wrote:
>
> https://fedorahosted.org/sssd/ticket/960
>
> I'm sending the fix for groups first because I want this to be ACKed
> before I start working on netgroups.
>
> Current behaviour is that if any of the search bases contains a filter,
> then dereference will be turned off and a single-step approach will be used.
>
> Algorithm for determining the search base:
> 1. output_filter = ""
> 1. String compare of memberdn and basedn
> (calculates with scope as well)
> 2. If compare is true and filter != "", append filter to
> output_filter (|)
> 3. return true and output_filter if it is possible that memberdn
> belongs to basedn
> The output_filter is then appended (&) in the actual filter.

Now if there is a base without a filter and the dn matches this base, the
function returns an empty filter and true immediately.

Nack,
first of all, please squash the first two patches. Originally I hoped the
functionality in my helper function would be complete. Apparently I was wrong.

Squashed.

In the helper function, in case the resulting filter was NULL, but there
wasn't null in the *_filter, you set NULL there. I don't think that's
correct, you have potential for losing some allocated memory. If anything, I believe
talloc_zero() would be better. More importantly, please double check that this
scenario doesn't happen (i.e. that you always initialize the filter variable
to NULL).

It is an output attribute. The caller is responsible for freeing any
possible content.

In the last patch you call either tevent_req_done() or tevent_req_error() and
then return EOK. That's certainly not correct. Just returning appropriate
return code (EOK, EAGAIN => EOK, other=>ret) should do the trick I think.

There is a problem that EOK is in the caller function transformed to
EAGAIN, so I would have to reserve some error code (e.g. ENOENT) to
signal that the iteration is over which is in my opinion insane.
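
The search-base check outlined in the quoted algorithm at the top of this message, as an added C example that is not part of the original thread and is not SSSD's code. All type and function names are hypothetical, DNs are assumed to be normalized with no escaped commas, and a fixed caller-supplied buffer stands in for talloc allocation.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical types and constructed sample data; not SSSD's structures. */
enum scope { SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE };
struct search_base { const char *basedn; enum scope scope; const char *filter; };
static const struct search_base sample_bases[] = {
    { "ou=groups,dc=example,dc=com", SCOPE_SUBTREE,  "(objectClass=posixGroup)" },
    { "dc=example,dc=com",           SCOPE_SUBTREE,  "(cn=a*)" },
    { "ou=open,dc=example,dc=com",   SCOPE_ONELEVEL, NULL },
};

/* Suffix compare honouring scope. Assumes normalized DNs, no escaped commas. */
static int dn_in_base(const char *dn, const struct search_base *b)
{
    size_t dl = strlen(dn), bl = strlen(b->basedn);
    if (dl < bl || strcasecmp(dn + dl - bl, b->basedn) != 0) return 0;
    if (dl == bl) return b->scope != SCOPE_ONELEVEL;   /* the base entry itself */
    if (dn[dl - bl - 1] != ',' || b->scope == SCOPE_BASE) return 0;
    return b->scope == SCOPE_SUBTREE || memchr(dn, ',', dl - bl - 1) == NULL;
}

/* Returns 1 if dn may belong to a base, 0 if it cannot, -1 if out is too small.
 * out gets "(|f1f2...)" for the caller to AND in, or "" if an unfiltered base matched. */
int dn_in_search_bases(const char *dn, const struct search_base *bases,
                       size_t n, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const char *f = bases[i].filter;
        if (!dn_in_base(dn, &bases[i])) continue;
        if (f == NULL || f[0] == '\0') { out[0] = '\0'; return 1; }
        int w = snprintf(out + used, outlen - used, "%s%s", used ? "" : "(|", f);
        if (w < 0 || (size_t)w + 1 >= outlen - used) return -1; /* room for ')' */
        used += (size_t)w;
    }
    if (used == 0) return 0;
    out[used] = ')'; out[used + 1] = '\0';
    return 1;
}

int main(void)
{
    char buf[128];
    int r = dn_in_search_bases("cn=x,ou=open,dc=example,dc=com", sample_bases, 3, buf, sizeof buf);
    return printf("%d \"%s\"\n", r, buf) < 0;
}
```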