From d7795e33668b3e2ef212c5fa0bfaf4485e87db65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Tue, 31 Oct 2017 15:14:52 +0100
Subject: [PATCH] sudo ldap: do not store rules without sudoHost attribute
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Unless it is cn=defaults.

Resolves: https://pagure.io/SSSD/sssd/issue/3558

Reviewed-by: Fabiano FidĂȘncio
Reviewed-by: Jakub Hrozek
(cherry picked from commit 47ad0778be72994a2294b2e73cc5c670be6811a7)
---
 src/providers/ldap/sdap_async_sudo.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index 5dc580128..3da76256e 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -158,8 +158,9 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx,
 goto done;
 }
- /* sudoHost is not specified */
- filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",
+ /* sudoHost is not specified and it is a cn=defaults rule */
+ filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))",
+ map[SDAP_AT_SUDO_HOST].name,
 map[SDAP_AT_SUDO_HOST].name);
 if (filter == NULL) {
 goto done;
--
2.14.3
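Review bot: The second `%s` of the new format string is still bound to the context argument `map[SDAP_AT_SUDO_HOST].name`, so the appended clause expands to `(&(!(sudoHost=*))(sudoHost=defaults))`, which asks for sudoHost to be both absent and equal to `defaults` and can never match; the cn=defaults rule the new comment describes is therefore never fetched and its sudo options are silently dropped, while every other host-less rule is now excluded as intended. The `defaults` comparison has to be made against the rule's name attribute, so the surviving last argument should become `map[SDAP_AT_SUDO_NAME].name);` (the sudorule map's cn attribute), keeping the host attribute for the first `%s`. Since attribute names come from the configurable map, it is worth a comment on the format string, e.g. `/* first %s: host attribute, second %s: rule name (cn) attribute */`, so the argument order is not confused again. sdap_sudo_build_host_filter begins before this hunk and continues after it.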