New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ipa-kdb: use predefined filters for a wild-card searches #5351
Conversation
daemons/ipa-kdb/ipa_kdb_principals.c
Outdated
#define PRINC_TGS_SEARCH_FILTER_WILD_EXTRA "(&(|(objectclass=krbprincipalaux)" \ | ||
"(objectclass=krbprincipal)" \ | ||
"(objectclass=ipakrbprincipal))" \ | ||
"(|(ipakrbprincipalalias=*)" \ | ||
"(krbprincipalname==*))" \ | ||
"%s)" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The aligment of the strings is a bit off. First line is indented one more than the rest, last line is indented one space less.
@tiran I updated the patch and also followed your IRC comment about the fact that we can reduce duplication of filter strings, indeed. |
Maybe I'm missing something but this doesn't seem to fix the issue.
|
Can you provide output from |
|
Thanks, there is excessive '=' in the _WILD_EXTRA filter term. I'll fix tonight |
In case we've got a principal name as '*', we don't need to specify the principal itself, use pre-defined filter for a wild-card search. Previously, we had to escape the '*' as specifying it with an explicit matching rule would have violated RFC 4515 section 3. However, since we don't really need to specify a different matching rule for a wild-card search, we can remove this part completely. Use this change as an opportunity to simplify the code and reduce number of duplicated filter constants -- if extra filter is NULL, we can simply pass "" and use _EXTRA filter constants to format the final filter. Fixes: https://pagure.io/freeipa/issue/8624 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, working now.
Added ACK based on @frozencemetery approval. |
master:
|
In case we've got a principal name as '*', we don't need to specify
the principal itself, use pre-defined filter for a wild-card search.
Previously, we had to escape the '*' as specifying it with an explicit
matching rule would have violated RFC 4515 section 3. However, since we
don't really need to specify a different matching rule for a wild-card
search, we can remove this part completely.
Fixes: https://pagure.io/freeipa/issue/8624
Signed-off-by: Alexander Bokovoy abokovoy@redhat.com