From 738eef1c76ac086256c48139495fa0eddda17e50 Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Oct 29 2010 21:47:13 +0000
Subject: Bug 647932 - multiple memberOf configuration adding memberOf where there is no member
There is a bug in the way we construct the filter in memberof_call_foreach_dn() when multiple grouping attribtues are set. We should be constructing a filter using the passed in types and dn that looks like this: (|(type1=dn)(type2=dn)) Instead, we have hard-coded wildcards in the place of the dn when multiple types are passed in. The result is a filter that looks like this: (|(type1=*)(type2=*)) When this function is used to find groups who have dn as a member, we end up finding all groups that have any grouping attribute present and treat dn as if it is a member. This issue does not occur when a single type is used.
---
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index 50da09a..b21f880 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -448,6 +448,7 @@ int memberof_call_foreach_dn(Slapi_PBlock *pb, char *dn,
 char *filter_str = 0;
 int num_types = 0;
 int types_name_len = 0;
+ int dn_len = 0;
 int i = 0;
 /* get the base dn for the backend we are in
@@ -463,6 +464,9 @@ int memberof_call_foreach_dn(Slapi_PBlock *pb, char *dn,
 if(base_sdn) {
+ /* Find the length of the dn */
+ dn_len = strlen(dn);
+
 /* Count the number of types. */
 for (num_types = 0; types && types[num_types]; num_types++) {
@@ -475,7 +479,7 @@ int memberof_call_foreach_dn(Slapi_PBlock *pb, char *dn,
 if (num_types > 1) {
 int bytes_out = 0;
- int filter_str_len = types_name_len + (num_types * 4) + 4;
+ int filter_str_len = types_name_len + (num_types * (3 + dn_len)) + 4;
 /* Allocate enough space for the filter */
 filter_str = slapi_ch_malloc(filter_str_len);
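Review bot: `dn_len = strlen(dn);` in the second hunk stores a size_t result in the `int dn_len` declared in the first hunk, and it reads dn with no NULL check visible in these hunks. Whether callers can pass a NULL dn cannot be told from here, but before this change the multi-type path never dereferenced dn, so the patch adds that requirement. The length is only consumed by the `num_types > 1` sizing in the third hunk, so it could be taken there, after a guard such as `if (dn == NULL) { /* bail out with an error */ }`. The function body starts and ends outside these hunks.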
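Review bot: The new size expression `types_name_len + (num_types * (3 + dn_len)) + 4` in the third hunk has no comment tying its constants to the format strings. It is an exact fit with no slack, so it must stay in step with the `"(%s=%s)"` section built in the fourth hunk. A comment such as `/* "(|" + ")" + NUL = 4; each "(type=dn)" = strlen(type) + dn_len + 3 */` would make that checkable. The arithmetic is done in int, so it assumes that dn length times the number of types stays far below INT_MAX; no such bound is visible in this hunk.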
@@ -486,7 +490,8 @@ int memberof_call_foreach_dn(Slapi_PBlock *pb, char *dn,
 /* Add filter section for each type. */
 for (i = 0; types[i]; i++) {
- bytes_out += snprintf(filter_str + bytes_out, filter_str_len - bytes_out, "(%s=*)", types[i]);
+ bytes_out += snprintf(filter_str + bytes_out, filter_str_len - bytes_out,
+ "(%s=%s)", types[i], dn);
 }
 /* Add end of filter. */
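Review bot: The dn is formatted into the search filter verbatim at `"(%s=%s)", types[i], dn`, so a DN containing `*`, `(`, `)` or `\` is parsed as filter syntax instead of matching literally. A `*` in the value would bring back the over-matching this commit fixes. The value should be escaped per RFC 4515 before the filter is built (for example with `slapi_escape_filter_value()`, if this tree provides it), and filter_str should be sized from the escaped length, because the `3 + dn_len` sizing in the earlier hunk assumes the raw DN. Separately, `bytes_out += snprintf(...)` adds the would-be length on truncation, so if the sizing ever drifts, `filter_str_len - bytes_out` goes negative on the next call; checking each return value against the remaining space would guard against that. The enclosing function begins and ends outside the hunk.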