sssd/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch

From d7795e33668b3e2ef212c5fa0bfaf4485e87db65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 31 Oct 2017 15:14:52 +0100
Subject: [PATCH] sudo ldap: do not store rules without sudoHost attribute
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Unless it is cn=defaults.

Resolves:
https://pagure.io/SSSD/sssd/issue/3558

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 47ad0778be72994a2294b2e73cc5c670be6811a7)
---
 src/providers/ldap/sdap_async_sudo.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index 5dc580128..3da76256e 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -158,8 +158,9 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
-    /* sudoHost is not specified */
-    filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",
+    /* sudoHost is not specified and it is a cn=defaults rule */
+    filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))",
+                                           map[SDAP_AT_SUDO_HOST].name,
                                            map[SDAP_AT_SUDO_HOST].name);
     if (filter == NULL) {
         goto done;
-- 
2.14.3
Resolves: upstream#3558 - sudo: report error when two rules share cn Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> 2018-04-27 19:18:59 +00:00			`From d7795e33668b3e2ef212c5fa0bfaf4485e87db65 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>`
			`Date: Tue, 31 Oct 2017 15:14:52 +0100`
			`Subject: [PATCH] sudo ldap: do not store rules without sudoHost attribute`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Unless it is cn=defaults.`

			`Resolves:`
			`https://pagure.io/SSSD/sssd/issue/3558`

			`Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>`
			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`(cherry picked from commit 47ad0778be72994a2294b2e73cc5c670be6811a7)`
			`---`
			`src/providers/ldap/sdap_async_sudo.c \| 5 +++--`
			`1 file changed, 3 insertions(+), 2 deletions(-)`

			`diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c`
			`index 5dc580128..3da76256e 100644`
			`--- a/src/providers/ldap/sdap_async_sudo.c`
			`+++ b/src/providers/ldap/sdap_async_sudo.c`
			`@@ -158,8 +158,9 @@ static char sdap_sudo_build_host_filter(TALLOC_CTX mem_ctx,`
			`goto done;`
			`}`

			`- /* sudoHost is not specified */`
			`- filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",`
			`+ /* sudoHost is not specified and it is a cn=defaults rule */`
			`+ filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))",`
			`+ map[SDAP_AT_SUDO_HOST].name,`
			`map[SDAP_AT_SUDO_HOST].name);`
			`if (filter == NULL) {`
			`goto done;`
			`--`
			`2.14.3`