From 7f02a4454ced6f0c21fc7a7c988cbeb65eb98cb4 Mon Sep 17 00:00:00 2001
From: Martin Osvald <mosvald@redhat.com>
Date: Tue, 29 Oct 2024 05:35:21 +0100
Subject: [PATCH] Fix regression while retrieving ldap group names

Resolves: RHEL-61691
---
 cyrus-imapd.spec                 |  8 +++++++-
 patch-cyrus-ldap-group-retriaval | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 patch-cyrus-ldap-group-retriaval

diff --git a/cyrus-imapd.spec b/cyrus-imapd.spec
index 8ab1e70..036ad8e 100644
--- a/cyrus-imapd.spec
+++ b/cyrus-imapd.spec
@@ -9,7 +9,7 @@
 
 Name: cyrus-imapd
 Version: 3.0.7
-Release: 26%{?dist}
+Release: 27%{?dist}
 
 %define ssl_pem_file_prefix /etc/pki/%name/%name
 
@@ -54,6 +54,8 @@ Patch13: cyrus-squatter-assert-crash.patch
 Patch14: cyrus-imapd-load-tombstones-for-cleanup.patch
 # https://github.com/cyrusimap/cyrus-imapd/commit/ed1a17b09e2e03788852e122f213b88352bc24b9
 Patch15: cyrus-imapd-ptclient-canonification_across_multiple_domains.patch
+# https://github.com/cyrusimap/cyrus-imapd/commit/1152ce70af232fc4200bbeca18961f99e12d73df
+Patch16: patch-cyrus-ldap-group-retriaval
 
 Source10: cyrus-imapd.logrotate
 Source11: cyrus-imapd.pam-config
@@ -691,6 +693,10 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v
 
 
 %changelog
+* Tue Oct 29 2024 Martin Osvald <mosvald@redhat.com> - 3.0.7-27
+- Fix regression while retrieving ldap group names
+- Resolves: RHEL-61691
+
 * Mon Jul 01 2024 Martin Osvald <mosvald@redhat.com> - 3.0.7-26
 - Update fmf plans and gating for c8s
 
diff --git a/patch-cyrus-ldap-group-retriaval b/patch-cyrus-ldap-group-retriaval
new file mode 100644
index 0000000..5029a7e
--- /dev/null
+++ b/patch-cyrus-ldap-group-retriaval
@@ -0,0 +1,32 @@
+commit 1152ce70af232fc4200bbeca18961f99e12d73df
+Author: Felix Schumacher <felix.schumacher@internetallee.de>
+Date:   Wed Feb 6 19:02:11 2019 +0100
+
+    Return correct group names when groups are resolved by filter
+    
+    This fixes an regression, that was introduced with 61f5296c0d727faee4726525a6812b200d946d83.
+    Back then the logic was changed from len(vals) != 1 to two if clauses len(vals) < 1 and len(vals) > 1
+    which logged errors and an else clause (which matched the correct number of len(val) == 1) that
+    got the old error handling code.
+
+diff --git a/ptclient/ldap.c b/ptclient/ldap.c
+index 40c9adee3..457951928 100644
+--- a/ptclient/ldap.c
++++ b/ptclient/ldap.c
+@@ -1336,11 +1336,15 @@ static int ptsmodule_make_authstate_filter(
+             syslog(LOG_ERR, "No values for attribute '%s' on entry '%s'",
+                             ptsm->member_attribute,
+                             errdn);
++            *reply = "no values";
++            rc = PTSM_FAIL;
++            ldap_value_free(vals);
++            vals = NULL;
++            goto done;
+         } else if (ldap_count_values(vals) > 1) {
+             syslog(LOG_ERR, "Too many values for attribute '%s' on entry '%s'",
+                             ptsm->member_attribute,
+                             errdn);
+-        } else {
+             *reply = "too many values";
+             rc = PTSM_FAIL;
+             ldap_value_free(vals);