r23733: Limit LDAP lookup in lookup_usergroups_member() to security groups.

author Lars Müller <lmuelle@samba.org>

Fri, 6 Jul 2007 18:49:49 +0000 (18:49 +0000)

committer Gerald (Jerry) Carter <jerry@samba.org>

Wed, 10 Oct 2007 17:23:50 +0000 (12:23 -0500)
author Lars Müller <lmuelle@samba.org>
Fri, 6 Jul 2007 18:49:49 +0000 (18:49 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:23:50 +0000 (12:23 -0500)
diff --git a/source/nsswitch/winbindd_ads.c b/source/nsswitch/winbindd_ads.c

index 09289912f998d3b096e621fb955d50934c7d693a..b6aa95c51ead41e5f2ffa6f193e5a25331f4b8ae 100644 (file)
--- a/source/nsswitch/winbindd_ads.c
+++ b/source/nsswitch/winbindd_ads.c
@@ -570,7 +570,12 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
                 goto done;
         }
  
-       if (!(ldap_exp = talloc_asprintf(mem_ctx, "(&(member=%s)(objectCategory=group))", escaped_dn))) {
+       ldap_exp = talloc_asprintf(mem_ctx,
+               "(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
+               escaped_dn,
+               ADS_LDAP_MATCHING_RULE_BIT_AND,
+               GROUP_TYPE_SECURITY_ENABLED);
+       if (!ldap_exp) {
                 DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
                 SAFE_FREE(escaped_dn);
                 status = NT_STATUS_NO_MEMORY;
author	Lars Müller <lmuelle@samba.org>
	Fri, 6 Jul 2007 18:49:49 +0000 (18:49 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 17:23:50 +0000 (12:23 -0500)