
Contents of /rpms/sudo/sme9/sudo-1.8.6p3-ldapusermatchfix.patch



Revision 1.1 - (show annotations) (download)
Thu Feb 4 19:44:18 2021 UTC (3 years, 3 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

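--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -2646,22 +2646,37 @@ sudo_ldap_result_get(struct sudo_nss *ns
 result = NULL;
 rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
 NULL, 0, NULL, NULL, tvp, 0, &result);
- if (rc != LDAP_SUCCESS) {
+ if (rc != LDAP_SUCCESS || result == NULL) {
 DPRINTF(("nothing found for '%s'", filt), 1);
 continue;
 }
- lres->user_matches = true;
+
+ DPRINTF(("search result has %d entries (do_netgr=%s)",
+ ldap_count_entries(ld, result), do_netgr ? "true" : "false"), 1);
+ /*
+ * Only set user_matches if we got some results back and if we are
+ * NOT searching for netgroup entries. For the netgroup case, user_maches
+ * will be set only if a netgroup match was found.
+ */
+ lres->user_matches = lres->user_matches ? true : ldap_count_entries(ld, result) > 0 && !do_netgr;
 
 /* Add the seach result to list of search results. */
 DPRINTF(("adding search result"), 1);
 sudo_ldap_result_add_search(lres, ld, result);
 LDAP_FOREACH(entry, ld, result) {
- if ((!do_netgr ||
- sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
+ if (do_netgr) {
+ if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
 sudo_ldap_check_host(ld, entry)) {
- lres->host_matches = true;
- sudo_ldap_result_add_entry(lres, entry);
+ lres->host_matches = true;
+ lres->user_matches = true;
+ sudo_ldap_result_add_entry(lres, entry);
+ }
+ } else {
+ if (sudo_ldap_check_host(ld, entry)) {
+ lres->host_matches = true;
+ sudo_ldap_result_add_entry(lres, entry);
 }
+ }
 }
 DPRINTF(("result now has %d entries", lres->nentries), 1);
 }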
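Review bot: The early `continue` after the widened check `rc != LDAP_SUCCESS || result == NULL` can drop a non-NULL `result` without freeing it, because ldap_search_ext_s() may return an error code (a size or time limit, for example) and still hand back a partial message chain. I would add `if (result != NULL) ldap_msgfree(result);` before the `continue`, and include `ldap_err2string(rc)` in the debug message so a failed search can be told apart from an empty one. Whether a truncated search should count as "nothing found" for a sudoers lookup deserves a comment at that branch, since rules would then go missing without any visible error. The body of sudo_ldap_result_get starts and ends outside the hunk, so the assumption that sudo_ldap_result_add_search() takes ownership of `result` on the success path is inferred from its name and should be confirmed.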
