12236 getmembers_DN doesn't properly handle errors from __ns_ldap_dn2uid

12240 nss_ldap does not properly look up group members by distinguished name
Reviewed by: Jorge Schrauwen <jorge@blackdot.be>
Reviewed by: Gordon Ross <gordon.w.ross@gmail.com>
Reviewed by: Andy Fiddaman <omnios@citrus-it.co.uk>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Approved by: Dan McDonald <danmcd@joyent.com>

usr/src/lib/libsldap/common/ns_internal.h

@@ -22,6 +22,7 @@
 /*
  * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2020 Joyent, Inc.
  */
 
 
@@ -67,8 +68,7 @@ extern "C" {
 #define	UIDNUMFILTER_SSD	"(&(%%s)(uidnumber=%s))"
 #define	UIDFILTER		"(&(objectclass=posixAccount)(uid=%s))"
 #define	UIDFILTER_SSD		"(&(%%s)(uid=%s))"
-#define	UIDDNFILTER	"(&(objectclass=posixAccount)(distinguishedName=%s))"
-#define	UIDDNFILTER_SSD		"(&(%%s)(distinguishedName=%s))"
+#define	UIDDNFILTER		"(objectclass=posixAccount)"
 
 #define	HOSTFILTER		"(&(objectclass=ipHost)(cn=%s))"
 #define	HOSTFILTER_SSD		"(&(%%s)(cn=%s))"
@@ -765,6 +765,7 @@ int __s_api_requestServer(const char *request, const char *server,
 
 /* ************ internal sldap-api functions *********** */
 void	__ns_ldap_freeEntry(ns_ldap_entry_t *ep);
+void	__ns_ldap_freeASearchDesc(ns_ldap_search_desc_t *);
 void	__s_api_split_key_value(char *buffer, char **name, char **value);
 int	__s_api_printResult(ns_ldap_result_t *);
 int	__s_api_getSearchScope(int *, ns_ldap_error_t **);
@@ -856,25 +857,16 @@ ns_ldap_error_t *__ns_ldap_print_config(int);
 void		__ns_ldap_default_config();
 int		__ns_ldap_download(const char *, char *, char *,
 				ns_ldap_error_t **);
-int
-__ns_ldap_check_dns_preq(int foreground,
-		int mode_verbose,
-		int mode_quiet,
-		const char *fname,
-		ns_ldap_self_gssapi_config_t config,
-		ns_ldap_error_t **errpp);
-int
-__ns_ldap_check_gssapi_preq(int foreground,
-		int mode_verbose,
-		int mode_quiet,
-		ns_ldap_self_gssapi_config_t config,
-		ns_ldap_error_t **errpp);
-int
-__ns_ldap_check_all_preq(int foreground,
-		int mode_verbose,
-		int mode_quiet,
-		ns_ldap_self_gssapi_config_t config,
-		ns_ldap_error_t **errpp);
+int __ns_ldap_check_dns_preq(int foreground, int mode_verbose, int mode_quiet,
+    const char *fname, ns_ldap_self_gssapi_config_t config,
+    ns_ldap_error_t **errpp);
+
+int __ns_ldap_check_gssapi_preq(int foreground, int mode_verbose,
+    int mode_quiet, ns_ldap_self_gssapi_config_t config,
+    ns_ldap_error_t **errpp);
+
+int __ns_ldap_check_all_preq(int foreground, int mode_verbose, int mode_quiet,
+    ns_ldap_self_gssapi_config_t config, ns_ldap_error_t **errpp);
 
 /* internal un-exposed APIs */
 ns_cred_t	*__ns_ldap_dupAuth(const ns_cred_t *authp);

usr/src/lib/libsldap/common/ns_mapping.c

@@ -20,6 +20,7 @@
  */
 /*
  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2020 Joyent, Inc.
  */
 
 #include <stdlib.h>
@@ -201,7 +202,7 @@ __s_api_add_map2hash(ns_config_t *config, ns_hashtype_t type,
  * Assume space is the only legal whitespace.
  * attributeMap syntax:
  * attributeMap      = serviceId ":" origAttribute "="
- * 			attributes
+ *			attributes
  * origAttribute     = attribute
  * attributes        = wattribute *( space wattribute )
  * wattribute        = whsp newAttribute whsp
@@ -210,7 +211,7 @@ __s_api_add_map2hash(ns_config_t *config, ns_hashtype_t type,
  *
  * objectclassMap syntax:
  * objectclassMap    = serviceId ":" origObjectclass "="
- * 			objectclass
+ *			objectclass
  * origObjectclass   = objectclass
  * objectclass       = keystring
  */
@@ -295,7 +296,7 @@ __s_api_parse_map(char *cp, char **sid, char **origA, char ***mapA)
 }
 
 
-static void
+void
 __ns_ldap_freeASearchDesc(ns_ldap_search_desc_t *ptr)
 {
 	if (ptr == NULL)
@@ -662,7 +663,7 @@ int __ns_ldap_getSearchDescriptors(
 	int			cnt, max;
 	int			vers;
 	ns_config_t		*cfg;
-	ns_ldap_search_desc_t 	*ret;
+	ns_ldap_search_desc_t	*ret;
 
 	if ((desc == NULL) || (errorp == NULL))
 		return (NS_LDAP_INVALID_PARAM);