On 22.11.2011 14:14, Pavel Březina wrote:
> There is probably one bug, when you have several search bases when one
> is a generalization of the other but with more restrictive filter.
>
> For example (LDIF attached):
> ldap_group_search_base =
> cn=QA,ou=Groups,dc=brq,dc=redhat,dc=com?sub??
> cn=DEV,ou=Groups,dc=brq,dc=redhat,dc=com?sub?
>
> ldap_user_search_base =
> cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com?sub?? (A)
> ou=People,dc=brq,dc=redhat,dc=com?sub?(&(uid=u1)(uid=u5)) (B)
>
> GroupA (direct or indirect) members in LDIF are:
> u1, u3 (from B), u4 (from A)
>
> Expected result might be u4 (it is currently the actual result).
> However, B is a contradiction and the filter contains this
> contradiction*) so the actual result should be empty membership. But the
> result is:
> getent group groupA
> groupA:*:10002:u4
>
> * calling ldap_search_ext with
> [(&(|(&(uid=u1)(uid=u3)))(objectclass=posixAccount))][cn=u4,cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com]
>
>
> Does anyone know what I am missing?

With Jan's help we've managed to localize the problem. The behaviour depends on the enumerate option. If enumeration is disabled, it returns an empty result. If enabled, the result is u4.

I'll work on a fix. Thank you Jan.