From 74183389e2376d143e0da194e2ee8a94ee6ac931 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Mon, 8 Dec 2025 14:50:21 +0100 Subject: [PATCH 1/9] SYSDB: Remove unused function Function sysdb_enumpwent() is not used. It was replaced by sysdb_enumpwent_filter(). Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose (cherry picked from commit b89f9b6263f0aef43e30d6663d8ec5583ab2e09b) --- src/db/sysdb.h | 4 ---- src/db/sysdb_search.c | 7 ------- src/tests/cmocka/test_sysdb_views.c | 14 -------------- src/tests/sysdb-tests.c | 30 ----------------------------- 4 files changed, 55 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 2d5a2415757..9071e998f26 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -876,10 +876,6 @@ int sysdb_getpwuid(TALLOC_CTX *mem_ctx, uid_t uid, struct ldb_result **res); -int sysdb_enumpwent(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain, - struct ldb_result **res); - int sysdb_enumpwent_filter(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *attr, diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index 645871354fe..b7d2673a4ee 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -953,13 +953,6 @@ int sysdb_enumpwent_filter(TALLOC_CTX *mem_ctx, return ret; } -int sysdb_enumpwent(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain, - struct ldb_result **_res) -{ - return sysdb_enumpwent_filter(mem_ctx, domain, NULL, NULL, NULL, _res); -} - int sysdb_enumpwent_filter_with_views(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *attr, diff --git a/src/tests/cmocka/test_sysdb_views.c b/src/tests/cmocka/test_sysdb_views.c index adc989cef3e..07ddb08ee21 100644 --- a/src/tests/cmocka/test_sysdb_views.c +++ b/src/tests/cmocka/test_sysdb_views.c 
@@ -1083,17 +1083,6 @@ static void check_enumpwent(int ret, struct sss_domain_info *dom, assert_user_attrs(res->msgs[2], dom, "bob", views); } -static void test_sysdb_enumpwent(void **state) -{ - int ret; - struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, - struct sysdb_test_ctx); - struct ldb_result *res; - - ret = sysdb_enumpwent(test_ctx, test_ctx->domain, &res); - check_enumpwent(ret, test_ctx->domain, res, false); -} - static void test_sysdb_enumpwent_views(void **state) { int ret; @@ -1497,9 +1486,6 @@ int main(int argc, const char *argv[]) test_sysdb_setup, test_sysdb_teardown), cmocka_unit_test_setup_teardown(test_sysdb_domain_update_domain_template, test_sysdb_setup, test_sysdb_teardown), - cmocka_unit_test_setup_teardown(test_sysdb_enumpwent, - test_enum_users_setup, - test_enum_users_teardown), cmocka_unit_test_setup_teardown(test_sysdb_enumpwent_views, test_enum_users_setup, test_enum_users_teardown), diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c index a93325e2d91..36877f03b77 100644 --- a/src/tests/sysdb-tests.c +++ b/src/tests/sysdb-tests.c @@ -1360,33 +1360,6 @@ START_TEST (test_sysdb_enumgrent) } END_TEST -START_TEST (test_sysdb_enumpwent) -{ - struct sysdb_test_ctx *test_ctx; - struct ldb_result *res; - int ret; - - /* Setup */ - ret = setup_sysdb_tests(&test_ctx); - if (ret != EOK) { - ck_abort_msg("Could not set up the test"); - return; - } - - ret = sysdb_enumpwent(test_ctx, - test_ctx->domain, - &res); - ck_assert_msg(ret == EOK, - "sysdb_enumpwent failed (%d: %s)", - ret, strerror(ret)); - - sss_ck_fail_if_msg(res->count != 10, "Expected 10 users, got %d", res->count); - - talloc_free(test_ctx); -} -END_TEST - - START_TEST (test_sysdb_set_user_attr) { struct sysdb_test_ctx *test_ctx; 
@@ -7837,9 +7810,6 @@ Suite *create_sysdb_suite(void) /* Verify the users can be queried by UID */ tcase_add_loop_test(tc_sysdb, test_sysdb_getpwuid, 27010, 27020); - /* Enumerate the users */ - tcase_add_test(tc_sysdb, test_sysdb_enumpwent); - /* Change their attribute */ tcase_add_loop_test(tc_sysdb, test_sysdb_set_user_attr, 27010, 27020); From d251246fbb803f53240aa7810c673c60847614ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Mon, 12 Jan 2026 15:41:37 +0100 Subject: [PATCH 2/9] NSS: Reduce a possibly extremely long log message When there are too many users (17,000+) this message can be too long. Limit it to the first 50 characters. Resolves: https://github.com/SSSD/sssd/issues/6951 Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose (cherry picked from commit 5b5d1ffd64da0e233bc769d47f8d9ca8b7691b76) --- src/db/sysdb_search.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index b7d2673a4ee..889280c3ae7 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -904,10 +904,9 @@ int sysdb_enumpwent_filter(TALLOC_CTX *mem_ctx, if (ret != EOK) { goto done; } - - DEBUG(SSSDBG_TRACE_LIBS, "Searching timestamp entries with [%s]\n", + DEBUG(SSSDBG_TRACE_LIBS, + "Searching timestamp entries with [%.50s] (limited to 50 characters)\n", dn_filter); - ret = sysdb_search_ts_matches(tmp_ctx, domain->sysdb, attrs, &ts_res, dn_filter, &ts_cache_res); if (ret != EOK && ret != ENOENT) { From b5e66da338ecf0015140d4199e123f994c9b6f5e Mon Sep 17 00:00:00 2001 
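Review bot: The `%.50s` precision in the new DEBUG call in sysdb_enumpwent_filter counts bytes, not characters, so a filter containing multi-byte UTF-8 names can be cut in the middle of a sequence. The suffix "(limited to 50 characters)" is also printed when the filter is shorter than that. Since the truncated text no longer shows how large the search is, logging the entry count next to it would keep the trace useful, for example `"Searching timestamp entries with [%.50s] (first 50 bytes, %u entries)\n", dn_filter, ts_res.count`. The function body starts and ends outside the hunk.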
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Wed, 21 Jan 2026 15:14:22 +0100 Subject: [PATCH 3/9] NSS: Fix wrong condition invalidating an optimization We must look into the TS cache only when a name is provided. Using the TS cache on an unfiltered enumeration is useless. Resolves: https://github.com/SSSD/sssd/issues/6951 Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose (cherry picked from commit e91c10a643f6dbc1e21a88a5d2cd4c332ebbd8d5) --- src/db/sysdb_search.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index 889280c3ae7..9769bed24ab 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -878,7 +878,7 @@ int sysdb_enumpwent_filter(TALLOC_CTX *mem_ctx, /* Do not look for the user's attribute in the timestamp db as it could * not be present. Only look for the name. */ - if (attr == NULL || is_sysdb_name(attr)) { + if (attr != NULL && is_sysdb_name(attr)) { ts_filter = enum_filter(tmp_ctx, SYSDB_PWENT_FILTER, NULL, NULL, NULL, addtl_filter); if (ts_filter == NULL) { From 69a92e5837b2cf484f2ecbfa3039fb36277e5981 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Wed, 21 Jan 2026 13:32:51 +0100 Subject: [PATCH 4/9] TESTS: Improve test_sysdb_enumpwent_filter Added a case that was not checked before. It is the case when `attr`, `attr_name` and `addtl_filter` are all `NULL`. Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose (cherry picked from commit 70e78f105809fb1c6c1c5227f078f7608d39c7ad) --- src/tests/cmocka/test_sysdb_views.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/tests/cmocka/test_sysdb_views.c b/src/tests/cmocka/test_sysdb_views.c index 07ddb08ee21..05481c3fb06 100644 --- a/src/tests/cmocka/test_sysdb_views.c +++ b/src/tests/cmocka/test_sysdb_views.c 
@@ -1149,6 +1149,15 @@ static void test_sysdb_enumpwent_filter(void **state) assert_int_equal(ret, EOK); assert_int_equal(res->count, 1); assert_user_attrs(res->msgs[0], test_ctx->domain, "alice", false); + + ret = sysdb_enumpwent_filter(test_ctx, test_ctx->domain, NULL, NULL, + NULL, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, N_ELEMENTS(users)-1); + order_ldb_res_msgs(res); + assert_user_attrs(res->msgs[0], test_ctx->domain, "alice", false); + assert_user_attrs(res->msgs[1], test_ctx->domain, "barney", false); + assert_user_attrs(res->msgs[2], test_ctx->domain, "bob", false); } static void test_sysdb_enumpwent_filter_views(void **state) From b3e732ff9660ef10e6fcd2a02ea24d07c6f197f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Thu, 12 Feb 2026 10:48:15 +0100 Subject: [PATCH 5/9] NSS: Some optimizations. Create the filter to retrieve only the requested entries. Do not create a new filter and search for matches if there is no results from the previous search. The called functions handle this case correctly but why wasting time calling them? Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose (cherry picked from commit 5284ea6c321ba501c7aa76df9d0e4c4905f9e888) --- src/db/sysdb_search.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index 9769bed24ab..ebf9b6783e4 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -880,7 +880,7 @@ int sysdb_enumpwent_filter(TALLOC_CTX *mem_ctx, * not be present. Only look for the name. */ if (attr != NULL && is_sysdb_name(attr)) { ts_filter = enum_filter(tmp_ctx, SYSDB_PWENT_FILTER, - NULL, NULL, NULL, addtl_filter); + attr, attr_filter, domain->name, addtl_filter); if (ts_filter == NULL) { ret = ENOMEM; goto done; 
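Review bot: The new case in test_sysdb_enumpwent_filter checks `res->count` against `N_ELEMENTS(users)-1` but then indexes `res->msgs[0]` to `res->msgs[2]` with hard-coded names, so the two expectations only agree while `users` holds exactly the entries assumed here. A short comment such as `/* users[] minus the one entry not stored by the setup: alice, barney, bob */` would record why the count is one less than the array size and tie it to the three assertions. The function body starts outside the hunk, so the reason for the `-1` is not visible here.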
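Review bot: `attr_filter` is now interpolated into the timestamp-cache search filter through `enum_filter` in sysdb_enumpwent_filter, and nothing in this hunk shows whether the value is escaped for LDB filter syntax at this layer or expected to arrive sanitized. Because the value presumably originates from a client request, the contract should be written down at the call, for example `/* attr_filter must already be sanitized by the caller; only intended wildcards may remain */`, after confirming that this is what the callers do. The function body starts and ends outside the hunk.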
@@ -899,18 +899,20 @@ int sysdb_enumpwent_filter(TALLOC_CTX *mem_ctx, goto done; } - ret = sysdb_enum_dn_filter(tmp_ctx, &ts_res, attr_filter, domain->name, - &dn_filter); - if (ret != EOK) { - goto done; - } - DEBUG(SSSDBG_TRACE_LIBS, - "Searching timestamp entries with [%.50s] (limited to 50 characters)\n", - dn_filter); - ret = sysdb_search_ts_matches(tmp_ctx, domain->sysdb, attrs, &ts_res, - dn_filter, &ts_cache_res); - if (ret != EOK && ret != ENOENT) { - goto done; + if (ts_res.count > 0) { + ret = sysdb_enum_dn_filter(tmp_ctx, &ts_res, attr_filter, domain->name, + &dn_filter); + if (ret != EOK) { + goto done; + } + DEBUG(SSSDBG_TRACE_LIBS, + "Searching timestamp entries with [%.50s] (limited to 50 characters)\n", + dn_filter); + ret = sysdb_search_ts_matches(tmp_ctx, domain->sysdb, attrs, &ts_res, + dn_filter, &ts_cache_res); + if (ret != EOK && ret != ENOENT) { + goto done; + } } } From 71bb8dad95fd3a89460d56eac5e62a6c2b2191ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Thu, 12 Feb 2026 15:26:11 +0100 Subject: [PATCH 6/9] CONFLICT! NSS: Be coherent when using a lastUpdate filter Function cache_req_user_by_filter_lookup() will set or not the recent filter depending on whether data->name.attr is set or not. As mentioned in the comment, it should be done base on whether the refernced attribute is name or not. Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose (cherry picked from commit 670db53b151f3da8ab7ada8889f5eacb6bc9691c) --- .../common/cache_req/plugins/cache_req_user_by_filter.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c index a649c4f483a..f209a79dc4e 100644 --- a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +++ b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c 
@@ -90,7 +90,11 @@ cache_req_user_by_filter_lookup(TALLOC_CTX *mem_ctx, * Neither it is possible to use it when asking for a non-"name" attribute * as it could not be present in the timestamp cache. */ +<<<<<<< HEAD if (is_files_provider(domain) || data->name.attr != NULL) { +======= + if (strcmp(attr, SYSDB_NAME) != 0) { +>>>>>>> 670db53b1 (NSS: Be coherent when using a lastUpdate filter) recent_filter = NULL; } else { recent_filter = talloc_asprintf(mem_ctx, "(%s>=%"SPRItime")", SYSDB_LAST_UPDATE, From f070b590abfab335ec170e6dcce12f7066827f77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Mon, 9 Mar 2026 08:57:32 +0100 Subject: [PATCH 7/9] NSS: Fix the logged function name The message said that sysdb_enumpwent() had failed, but it was actually sysdb_enumpwent_filter() which failed. Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose (cherry picked from commit 55e3a308e3f4e383830fa409e2b9953585d7dcbf) --- src/db/sysdb_search.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index ebf9b6783e4..efce3ef7926 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -975,7 +975,7 @@ int sysdb_enumpwent_filter_with_views(TALLOC_CTX *mem_ctx, ret = sysdb_enumpwent_filter(tmp_ctx, domain, attr, attr_filter, addtl_filter, &res); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_enumpwent failed.\n"); + DEBUG(SSSDBG_OP_FAILURE, "sysdb_enumpwent_filter failed.\n"); goto done; } From 0d37930d9132b89d345c2c8cb606073bedbe0756 Mon Sep 17 00:00:00 2001 
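Review bot: The added lines in cache_req_user_by_filter_lookup contain unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 670db53b1 ...`), so the file cannot compile as committed and the cherry-pick must be resolved before it lands. The two sides differ in substance: the HEAD side keeps the `is_files_provider(domain)` check and the incoming side drops it, so the resolution has to decide that deliberately rather than pick one side. If `attr` can be NULL at this point (its assignment is outside the hunk), `strcmp(attr, SYSDB_NAME)` is undefined behaviour; a resolved condition such as `if (is_files_provider(domain) || (attr != NULL && strcmp(attr, SYSDB_NAME) != 0)) {` would keep the provider check and treat an unset attribute as a name lookup, assuming that is the intended default. The function body starts and ends outside the hunk.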
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Tue, 17 Mar 2026 11:12:15 +0100 Subject: [PATCH 8/9] NSS: Fix sysdb_enumpwent_filter() The "name" attribute was not being added to the TS cache, even though that it is part of the DN (ldb doesn't enforce it). Adding this attribute requires that the DB version is incremented for the TS cache to be regenerated with the missing attribute. This made the if-block in sysdb_enumpwent_filter() rather useless. In addition, once this if-block is executed, the fuction leaves without further processing. Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose (cherry picked from commit 11a15c25002033d6b5426a4b45f3cb2918b9fd90) --- src/db/sysdb_init.c | 7 +++++++ src/db/sysdb_ops.c | 24 +++++++++++++++++++++--- src/db/sysdb_private.h | 4 +++- src/db/sysdb_search.c | 21 +++++++++++++-------- src/db/sysdb_upgrade.c | 22 ++++++++++++++++++++++ 5 files changed, 66 insertions(+), 12 deletions(-) diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c index 68b9744dd49..697fbd452fc 100644 --- a/src/db/sysdb_init.c +++ b/src/db/sysdb_init.c @@ -37,6 +37,7 @@ const char *sysdb_ts_cache_attrs[] = { SYSDB_OBJECTCLASS, SYSDB_OBJECTCATEGORY, + SYSDB_NAME, SYSDB_LAST_UPDATE, SYSDB_CACHE_EXPIRE, SYSDB_ORIG_MODSTAMP, @@ -566,6 +567,12 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, } } + if (strcmp(version, SYSDB_VERSION_0_25) == 0) { + ret = sysdb_upgrade_25(sysdb, &version); + if (ret != EOK) { + goto done; + } + } ret = EOK; done: sysdb->ldb = save_ldb; diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 5090ae52f2f..0cf4c22f637 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -1005,6 +1005,7 @@ static errno_t sysdb_create_ts_entry(struct sysdb_ctx *sysdb, struct sysdb_attrs *attrs) { struct ldb_message *msg; + const struct ldb_val *rdn_value; errno_t ret; int lret; TALLOC_CTX *tmp_ctx; 
@@ -1013,16 +1014,26 @@ static errno_t sysdb_create_ts_entry(struct sysdb_ctx *sysdb, return EOK; } + if (entry_dn == NULL) { + return EINVAL; + } + tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { return ENOMEM; } - if (entry_dn == NULL) { + rdn_value = ldb_dn_get_rdn_val(entry_dn); + if (rdn_value == NULL) { ret = EINVAL; goto done; } + ret = sysdb_attrs_add_val_safe(attrs, SYSDB_NAME, rdn_value); + if (ret != EOK) { + goto done; + } + msg = sysdb_attrs2msg(tmp_ctx, entry_dn, attrs, 0); if (msg == NULL) { ret = ENOMEM; @@ -1048,7 +1059,8 @@ static errno_t sysdb_create_ts_entry(struct sysdb_ctx *sysdb, } static struct sysdb_attrs *ts_obj_attrs(TALLOC_CTX *mem_ctx, - enum sysdb_obj_type obj_type) + enum sysdb_obj_type obj_type, + const char *obj_name) { struct sysdb_attrs *attrs; const char *oc; @@ -1076,6 +1088,12 @@ static struct sysdb_attrs *ts_obj_attrs(TALLOC_CTX *mem_ctx, return NULL; } + ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, obj_name); + if (ret != EOK) { + talloc_free(attrs); + return NULL; + } + return attrs; } @@ -1273,7 +1291,7 @@ static errno_t sysdb_create_ts_obj(struct sss_domain_info *domain, goto done; } - ts_attrs = ts_obj_attrs(tmp_ctx, obj_type); + ts_attrs = ts_obj_attrs(tmp_ctx, obj_type, obj_name); if (ts_attrs == NULL) { ret = ENOMEM; goto done; diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h index 8e2ebc5d013..84ea4a52fa7 100644 --- a/src/db/sysdb_private.h +++ b/src/db/sysdb_private.h @@ -23,6 +23,7 @@ #ifndef __INT_SYS_DB_H__ #define __INT_SYS_DB_H__ +#define SYSDB_VERSION_0_26 "0.26" #define SYSDB_VERSION_0_25 "0.25" #define SYSDB_VERSION_0_24 "0.24" #define SYSDB_VERSION_0_23 "0.23" @@ -49,7 +50,7 @@ #define SYSDB_VERSION_0_2 "0.2" #define SYSDB_VERSION_0_1 "0.1" -#define SYSDB_VERSION SYSDB_VERSION_0_25 +#define SYSDB_VERSION SYSDB_VERSION_0_26 #define SYSDB_BASE_LDIF \ "dn: @ATTRIBUTES\n" \ 
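Review bot: sysdb_create_ts_entry now writes SYSDB_NAME into the caller-supplied `attrs` from the DN's RDN value, and ts_obj_attrs (hunk at -1076) adds SYSDB_NAME from `obj_name` as well, so a timestamp entry may receive its name from two sources. If the attrs built in sysdb_create_ts_obj are later handed to sysdb_create_ts_entry (not visible here) and the RDN value ever differs from `obj_name` in case or qualification, the entry would carry two name values, and the name filter in sysdb_enumpwent_filter now relies on that attribute. A comment stating which source is authoritative, or dropping one of the two additions, would settle this. `obj_name` also reaches `sysdb_attrs_add_string` without a NULL check, and both function bodies extend outside their hunks.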
@@ -195,6 +196,7 @@ int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver); int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver); int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver); int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver); +int sysdb_upgrade_25(struct sysdb_ctx *sysdb, const char **ver); int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver); diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index efce3ef7926..78782e89806 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -913,7 +913,20 @@ int sysdb_enumpwent_filter(TALLOC_CTX *mem_ctx, if (ret != EOK && ret != ENOENT) { goto done; } + } else { + /* If there are no results, EOK and res->count == 0 are expected */ + ts_cache_res = talloc_zero(tmp_ctx, struct ldb_result); + if (ts_cache_res == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero() failed.\n"); + ret = ENOMEM; + goto done; + } } + + ret = EOK; + DEBUG(SSSDBG_TRACE_LIBS, "Returning timestamp cache based results [%d].\n", ts_cache_res->count); + *_res = talloc_steal(mem_ctx, ts_cache_res); + goto done; } filter = enum_filter(tmp_ctx, SYSDB_PWENT_FILTER, @@ -939,14 +952,6 @@ int sysdb_enumpwent_filter(TALLOC_CTX *mem_ctx, ret = EOK; } - if (ts_cache_res != NULL) { - res = sss_merge_ldb_results(res, ts_cache_res); - if (res == NULL) { - ret = ENOMEM; - goto done; - } - } - *_res = talloc_steal(mem_ctx, res); done: diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c index b010488cafa..728cfd9a4dc 100644 --- a/src/db/sysdb_upgrade.c +++ b/src/db/sysdb_upgrade.c 
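Review bot: `ts_cache_res` is dereferenced in the new DEBUG call and passed to `talloc_steal` without a NULL check, in the lines added after the `else` block of sysdb_enumpwent_filter (hunk at -913). The `if` branch tolerates `ENOENT` from `sysdb_search_ts_matches`, and whether that path always sets `ts_cache_res` is not visible here; if it can leave the pointer NULL, the early return dereferences it. Allocating the empty result whenever `ts_cache_res == NULL` after the `if`/`else`, rather than only in the `else`, would cover both paths. `count` in `struct ldb_result` is an `unsigned int`, so the format should be `"Returning timestamp cache based results [%u].\n"`. The function continues outside the hunk.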
@@ -2801,6 +2801,28 @@ int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver) return ret; } +int sysdb_upgrade_25(struct sysdb_ctx *sysdb, const char **ver) +{ + struct upgrade_ctx *ctx; + errno_t ret; + + ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_26, &ctx); + if (ret != EOK) { + return ret; + } + + /* We do nothing because the only goal of this version change is to remove the TS cache. */ + + ret = update_version(ctx); + if (ret != EOK) { + goto done; + } + +done: + ret = finish_upgrade(ret, &ctx, ver); + return ret; +} + /* * Example template for future upgrades. * Copy and change version numbers as appropriate. From c99af8084d9e0c003d85af08e42676208db59fa0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Fri, 20 Mar 2026 10:37:26 +0100 Subject: [PATCH 9/9] NSS: Better handle ERR_NO_TS in sysdb_enumpwent_filter() Although ts_res.count is set to 0 when sysdb_search_ts_users() return ERR_NO_TS, before using it we make an extra check to verify that the returned code is EOK. Reviewed-by: Alexey Tikhonov Reviewed-by: Sumit Bose (cherry picked from commit 0a739f855b344413d45b92cd7fb4750d28f9e0de) --- src/db/sysdb_search.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index 78782e89806..e00b8571301 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -899,7 +899,7 @@ int sysdb_enumpwent_filter(TALLOC_CTX *mem_ctx, goto done; } - if (ts_res.count > 0) { + if (ret == EOK && ts_res.count > 0) { ret = sysdb_enum_dn_filter(tmp_ctx, &ts_res, attr_filter, domain->name, &dn_filter); if (ret != EOK) {
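Review bot: The comment in sysdb_upgrade_25 says the version change exists to remove the TS cache, but neither this function nor the sysdb_domain_cache_upgrade hunk shows where the timestamp cache is actually discarded. This matters because sysdb_enumpwent_filter now returns only timestamp-cache-based results for name filters, so entries written before SYSDB_NAME was added would presumably not match until the cache is rebuilt. The comment should name the mechanism, along the lines of `/* No data change here: the version bump makes <code path that drops the TS cache> rebuild it so every entry carries SYSDB_NAME. */`, with the placeholder replaced by the real function. The `goto done;` placed directly before `done:` is redundant, although it may simply follow the file's upgrade template.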
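Review bot: With `ret == EOK &&` added to the condition in sysdb_enumpwent_filter, an ERR_NO_TS result now takes the `else` branch introduced in patch 8, which allocates an empty result and returns EOK. If that reading is right (the check before this line is only partly visible), a name-filtered lookup on a domain with no timestamp cache reports zero users instead of falling through to the persistent-cache search below. It would be worth confirming that this is intended and saying so in a comment, for example `/* ERR_NO_TS: no timestamp cache, report an empty result */`, or else skipping the early return when `ret != EOK`. The function body starts and ends outside the hunk.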