
Annotation of /rpms/sudo/sme9/sudo-1.8.6p3-ldapusermatchfix.patch



Revision 1.1 - (hide annotations) (download)
Thu Feb 4 19:44:18 2021 UTC (3 years, 4 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

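diff -up sudo-1.8.6p3/plugins/sudoers/ldap.c.ldapusermatchfix sudo-1.8.6p3/plugins/sudoers/ldap.c
--- sudo-1.8.6p3/plugins/sudoers/ldap.c.ldapusermatchfix 2015-03-02 15:25:26.350220294 +0100
+++ sudo-1.8.6p3/plugins/sudoers/ldap.c 2015-03-02 15:47:39.684287537 +0100
@@ -2646,22 +2646,37 @@ sudo_ldap_result_get(struct sudo_nss *ns
  result = NULL;
  rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
  NULL, 0, NULL, NULL, tvp, 0, &result);
- if (rc != LDAP_SUCCESS) {
+ if (rc != LDAP_SUCCESS || result == NULL) {
  DPRINTF(("nothing found for '%s'", filt), 1);
  continue;
  }
- lres->user_matches = true;
+
+ DPRINTF(("search result has %d entries (do_netgr=%s)",
+ ldap_count_entries(ld, result), do_netgr ? "true" : "false"), 1);
+ /*
+ * Only set user_matches if we got some results back and if we are
+ * NOT searching for netgroup entries. For the netgroup case, user_maches
+ * will be set only if a netgroup match was found.
+ */
+ lres->user_matches = lres->user_matches ? true : ldap_count_entries(ld, result) > 0 && !do_netgr;
 
  /* Add the seach result to list of search results. */
  DPRINTF(("adding search result"), 1);
  sudo_ldap_result_add_search(lres, ld, result);
  LDAP_FOREACH(entry, ld, result) {
- if ((!do_netgr ||
- sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
+ if (do_netgr) {
+ if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
  sudo_ldap_check_host(ld, entry)) {
- lres->host_matches = true;
- sudo_ldap_result_add_entry(lres, entry);
+ lres->host_matches = true;
+ lres->user_matches = true;
+ sudo_ldap_result_add_entry(lres, entry);
+ }
+ } else {
+ if (sudo_ldap_check_host(ld, entry)) {
+ lres->host_matches = true;
+ sudo_ldap_result_add_entry(lres, entry);
  }
+ }
  }
  DPRINTF(("result now has %d entries", lres->nentries), 1);
  }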
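Review bot: The early-exit branch `if (rc != LDAP_SUCCESS || result == NULL)` moves on to the next base without releasing `result`, yet libldap documents that the message returned by ldap_search_ext_s() should be freed with ldap_msgfree() regardless of the return code, so a failed search that still handed back a partial message (a size or time limit, for instance) would leak it on each pass; adding `if (result != NULL) ldap_msgfree(result);` before the `continue` closes that. The same branch logs "nothing found" for a genuine search failure, and because this loop feeds the sudoers user/host match decision it would help troubleshooting and audit to record the cause when `rc != LDAP_SUCCESS`, e.g. `DPRINTF(("ldap search for '%s' failed: %s", filt, ldap_err2string(rc)), 1);`. The `user_matches` assignment calls ldap_count_entries() a second time and leans on operator precedence inside the ternary; `lres->user_matches = lres->user_matches || (!do_netgr && ldap_count_entries(ld, result) > 0);` reads more directly and yields the same value. sudo_ldap_result_get() starts and ends outside this hunk, so whether `result` is released elsewhere on the failure path cannot be confirmed from here.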
