From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Thu, 31 Aug 2017 17:05:48 +0000 (-0600)
Subject: Fix the pass2 ldap query string when no search filter is defined.
X-Git-Tag: SUDO_1_8_21p1^2~8
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5cdee2c2c070081da38cf8014390887cd119920d;p=sudo

Fix the pass2 ldap query string when no search filter is defined.
Due to the addition of "(sudoUser=*)" to the query we always need
the AND operator, even if no search filter is present.
---

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index f21a99ee7..83202e288 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -1847,12 +1847,10 @@ sudo_ldap_build_pass2(void)
 	    ldap_conf.timed ? timebuffer : "",
 	    (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
     } else {
-	len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s",
-	    (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
+	len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)",
 	    ldap_conf.search_filter ? ldap_conf.search_filter : "",
 	    query_netgroups ? "+" : "%:",
-	    ldap_conf.timed ? timebuffer : "",
-	    (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
+	    ldap_conf.timed ? timebuffer : "");
     }
     if (len == -1)
 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));