s4-dsdb: Simplify search expression

We want to find objects for which the groupType attribute has at least
one of GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_UNIVERSAL_GROUP set. For
this the OR comparator is perfectly suited. It produces a true result if
at least one set bit is shared between both operands.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 16853fbf49d4aca6b7be8479c82ac54be91fc97b..f58aa688ba25343f989ef65424e9624ad4a31437 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -197,11 +197,9 @@ static int get_group_sids(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
                filter = talloc_asprintf(mem_ctx,
                                         "(&(objectClass=group)"
                                         "(groupType:"LDB_OID_COMPARATOR_AND":=%u)"
-                                        "(|(groupType:"LDB_OID_COMPARATOR_AND":=%u)"
-                                        "(groupType:"LDB_OID_COMPARATOR_AND":=%u)))",
+                                        "(groupType:"LDB_OID_COMPARATOR_OR":=%u))",
                                         GROUP_TYPE_SECURITY_ENABLED,
-                                        GROUP_TYPE_ACCOUNT_GROUP,
-                                        GROUP_TYPE_UNIVERSAL_GROUP);
+                                        GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_UNIVERSAL_GROUP);
                break;
        case TOKEN_GROUPS_NO_GC_ACCEPTABLE:
        case TOKEN_GROUPS: