Fix the pass2 ldap query string when no search filter is defined.
authorTodd C. Miller <Todd.Miller@courtesan.com>
Thu, 31 Aug 2017 17:05:48 +0000 (11:05 -0600)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Thu, 31 Aug 2017 17:05:48 +0000 (11:05 -0600)
Due to the addition of "(sudoUser=*)" to the query we always need
the AND operator, even if no search filter is present.

plugins/sudoers/ldap.c

index f21a99ee74905f50e36ce49c25864ab213d9f7f8..83202e288ede4f61fb69b5371896609af925c305 100644 (file)
@@ -1847,12 +1847,10 @@ sudo_ldap_build_pass2(void)
            ldap_conf.timed ? timebuffer : "",
            (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
     } else {
-       len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s",
-           (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
+       len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)",
            ldap_conf.search_filter ? ldap_conf.search_filter : "",
            query_netgroups ? "+" : "%:",
-           ldap_conf.timed ? timebuffer : "",
-           (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
+           ldap_conf.timed ? timebuffer : "");
     }
     if (len == -1)
        sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
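Review bot: The `if` branch just above the changed lines still closes its filter with the conditional `(ldap_conf.timed || ldap_conf.search_filter) ? ")" : ""`, so the two branches now wrap their filters differently. Its format string lies outside the hunk, so confirm it can never emit two sibling terms without an enclosing `(&`, which is the malformed-filter case this commit fixes in the `else` branch. A short comment above the new `asprintf` would keep the reason visible, e.g. `/* Always AND: (sudoUser=*) and the prefix match are two terms even without a search or time filter. */`. `ldap_conf.search_filter` is still spliced in verbatim, so the result is well-formed only if that value is a complete parenthesised filter; presumably that is enforced when the configuration is parsed, which is not visible here. sudo_ldap_build_pass2 begins and ends outside the hunk.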