Honor ldap filters

[ondrejv2]

fixes bug #8533

[gemini-code-assist]

Warning

Gemini is experiencing higher than usual traffic and was unable to create the review. Please try again in a few hours by commenting /gemini review.

[ondrejv2]

/gemini review

[gemini-code-assist]

Code Review

This pull request addresses bug #8533 by adding a check to filter out entries in sdap_nested_group_lookup_recv based on their type, ensuring that only entries matching the expected type are processed. This change prevents incorrect entries from being included in nested group lookups.

[sumit-bose]

Hi,

thank you for the fix, ACK.

I think Gemini's comments can be ignored, especially the return EOK;.

bye,
Sumit

[alexey-tikhonov]

In sdap_nested_group_single_step_process()

    case SDAP_NESTED_GROUP_DN_IGNORE:
        /* Mapping was found but required attribute is missing */
        DEBUG(SSSDBG_TRACE_FUNC, "Ignoring [%s] because of missing attributes\n",
                                 state->current_member->dn);
        break;

both debug message and comment needs update.

[alexey-tikhonov]

Note: #8526 will need to cherry-pick this once merged.

[alexey-tikhonov]

@ondrejv2, please see comments inline.

[alexey-tikhonov]

In sdap_nested_group_single_step_process()

    case SDAP_NESTED_GROUP_DN_IGNORE:
        /* Mapping was found but required attribute is missing */
        DEBUG(SSSDBG_TRACE_FUNC, "Ignoring [%s] because of missing attributes\n",
                                 state->current_member->dn);
        break;

both debug message and comment needs update.

@ondrejv2, this needs updates as 'SDAP_NESTED_GROUP_DN_IGNORE' now can also mean "filtered out intentionally".

[alexey-tikhonov]

@ondrejv2, thank you for updates.
The only open thread remains:
#8534 (comment)

[sumit-bose]

Hi,

jfyi, I'm still fine with the latest version.

bye,
Sumit

[alexey-tikhonov]

ACK

[sssd-bot]

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

---

🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-44-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / intgcheck (fedora-45) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🟢 ci / system (fedora-44) (success)
🟢 ci / system (fedora-45) (success)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.