From 6974302b2151c7d03d806dc310b39c1ce2d7c99f Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Nov 23 2015 13:45:54 +0000
Subject: ipasam: use more restrictive search filter for group lookup

Since we are interested in looking up the SID of a group it makes sense to include the objectclass which contains the SID attribute in the search filter. This makes sure the group is not accidentally found a second time in the compat tree.

Related to https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy
---
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 2863ede..27c547c 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -3032,9 +3032,11 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state,
         return ENOMEM;
     }
-    filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%lu))",
+    filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%s)(%s=%lu))",
                              LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_POSIXGROUP,
+                             LDAP_ATTRIBUTE_OBJECTCLASS,
+                             LDAP_OBJ_GROUPMAP,
                              LDAP_ATTRIBUTE_GIDNUMBER, (unsigned long) gid);
     if (filter == NULL) {