From 71f62e86ef0dde610129f5296a30853afd84294c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Sat, 10 Dec 2022 11:50:27 +0000
Subject: [PATCH] ext_kerberos_ldap_group_acl: Support -b with -D (#1207)

When both '-b' (i.e. bind DN) and '-D' (i.e. Kerberos domain) options are specified, '-b' is ignored completely. This breaks the helper when a search subtree has to be limited (e.g., when using FreeIPA). Fix it to take '-b' into account if it was specified with '-D'.
---
 src/acl/external/kerberos_ldap_group/support_ldap.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/acl/external/kerberos_ldap_group/support_ldap.cc b/src/acl/external/kerberos_ldap_group/support_ldap.cc
index e0c8950f5b..afd7b73ec4 100644
--- a/src/acl/external/kerberos_ldap_group/support_ldap.cc
+++ b/src/acl/external/kerberos_ldap_group/support_ldap.cc
@@ -1115,7 +1115,11 @@ get_memberof(struct main_args *margs, char *user, char *domain, char *group)
 "%s| %s: DEBUG: Error during initialisation of ldap connection: %s\n",
 LogTime(), PROGRAM, strerror(errno));
 }
- bindp = convert_domain_to_bind_path(domain);
+ if (margs->lbind) {
+ bindp = xstrdup(margs->lbind);
+ } else {
+ bindp = convert_domain_to_bind_path(domain);
+ }
 }
 if ((!domain || !ld) && margs->lurl && strstr(margs->lurl, "://")) {
 char *hostname;
-- 
2.47.3
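Review bot: `margs->lbind` is a process-wide option while `domain` is a per-call argument of get_memberof(), so with the new branch every lookup that carries a domain searches under the same -b base, whatever that domain is. Because this helper's answer decides group-based access, the branch deserves a comment such as `/* -b overrides the domain-derived search base for every domain */`, plus a debug line in the file's existing `"%s| %s: DEBUG: ..."` style reporting which base was chosen, so an unexpectedly empty result can be traced to the base rather than to membership. If the option parser can leave `lbind` as an empty string, `if (margs->lbind)` still takes the override; `if (margs->lbind && *margs->lbind)` would fall back to the domain-derived path instead. The function starts and ends outside this hunk, so whether `bindp` is released on every later path cannot be confirmed from here.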