| -rw-r--r-- | nslcd/attmap.c | 6 | ||||
| -rw-r--r-- | nslcd/group.c | 8 | ||||
| -rw-r--r-- | pynslcd/group.py | 29 |
3 files changed, 27 insertions, 16 deletions
diff --git a/nslcd/attmap.c b/nslcd/attmap.c index 08130fa..1911273 100644 --- a/nslcd/attmap.c +++ b/nslcd/attmap.c @@ -2,7 +2,7 @@ attmap.c - attribute mapping values and functions This file is part of the nss-pam-ldapd library. - Copyright (C) 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong + Copyright (C) 2007-2014 Arthur de Jong This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public @@ -217,6 +217,7 @@ const char *attmap_set_mapping(const char **var, const char *value) (note that this needs to match the functionality in the specific lookup module) */ if ((var != &attmap_group_userPassword) && + (var != &attmap_group_member) && (var != &attmap_passwd_userPassword) && (var != &attmap_passwd_gidNumber) && (var != &attmap_passwd_gecos) && @@ -231,6 +232,9 @@ const char *attmap_set_mapping(const char **var, const char *value) (var != &attmap_shadow_shadowExpire) && (var != &attmap_shadow_shadowFlag)) return NULL; + /* the member attribute may only be set to an empty string */ + if ((var == attmap_group_member) && (strcmp(value, "\"\"") != 0)) + return NULL; } /* check if the value will be changed */ if ((*var == NULL) || (strcmp(*var, value) != 0)) diff --git a/nslcd/group.c b/nslcd/group.c index 5ce6730..1455930 100644 --- a/nslcd/group.c +++ b/nslcd/group.c @@ -123,7 +123,8 @@ static int mkfilter_group_bymember(MYLDAP_SESSION *session, if (myldap_escape(uid, safeuid, sizeof(safeuid))) return -1; /* try to translate uid to DN */ - if (uid2dn(session, uid, dn, sizeof(dn)) == NULL) + if ((strcasecmp(attmap_group_member, "\"\"") == 0) || + (uid2dn(session, uid, dn, sizeof(dn)) == NULL)) return mysnprintf(buffer, buflen, "(&%s(%s=%s))", group_filter, attmap_group_memberUid, safeuid); /* escape DN */ 
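Review bot: The guard added in the third attmap.c hunk compares `var` with `attmap_group_member` instead of its address, unlike every entry in the allow-list just above it (`var != &attmap_group_member`). `var` is a `const char **`, so the comparison mixes pointer types and is not expected to match, which leaves the "empty string only" restriction unenforced. The group.c changes on this page test only for `""` and otherwise pass attmap_group_member to myldap_get_values() as an attribute name, so any other quoted value would end up used as one. The line should read `if ((var == &attmap_group_member) && (strcmp(value, "\"\"") != 0))`. attmap_set_mapping() starts and ends outside the hunk.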
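Review bot: The test `strcasecmp(attmap_group_member, "\"\"") == 0` added to mkfilter_group_bymember() is repeated in the getmembers() and nslcd_group_bymember() hunks, and it uses strcasecmp() where attmap.c validates the same value with strcmp(). One file-local helper would keep the three sites in step, for example `static int member_attr_disabled(void) { return strcmp(attmap_group_member, "\"\"") == 0; }` (the name is only a suggestion). In getmembers() the early `return` also relies on the member loop remaining the last step of the function, which continues outside the hunk; a short comment saying so would help the next editor.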
@@ -227,6 +228,9 @@ static void getmembers(MYLDAP_ENTRY *entry, MYLDAP_SESSION *session, if (isvalidname(values[i])) set_add(members, values[i]); } + /* skip rest if attmap_group_member is blank */ + if (strcasecmp(attmap_group_member, "\"\"") == 0) + return; /* add the member values */ values = myldap_get_values(entry, attmap_group_member); if (values != NULL) @@ -423,7 +427,7 @@ int nslcd_group_bymember(TFILE *fp, MYLDAP_SESSION *session) log_log(LOG_WARNING, "nslcd_group_bymember(): filter buffer too small"); return -1; } - if (nslcd_cfg->nss_nested_groups) + if ((nslcd_cfg->nss_nested_groups) && (strcasecmp(attmap_group_member, "\"\"") != 0)) { seen = set_new(); tocheck = set_new(); diff --git a/pynslcd/group.py b/pynslcd/group.py index da2d315..c8abfe5 100644 --- a/pynslcd/group.py +++ b/pynslcd/group.py @@ -1,7 +1,7 @@ # group.py - group entry lookup routines # -# Copyright (C) 2010, 2011, 2012, 2013 Arthur de Jong +# Copyright (C) 2010-2014 Arthur de Jong # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -55,8 +55,10 @@ class Search(search.LDAPSearch): if 'memberUid' in self.parameters or 'member' in self.parameters: # set up our own attributes that leave out membership attributes self.attributes = list(self.attributes) - self.attributes.remove(attmap['memberUid']) - self.attributes.remove(attmap['member']) + if attmap['memberUid'] in self.attributes: + self.attributes.remove(attmap['memberUid']) + if attmap['member'] in self.attributes: + self.attributes.remove(attmap['member']) def mk_filter(self): # we still need a custom mk_filter because this is an | query 
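Review bot: The two new `in self.attributes` guards in class Search carry no comment explaining when a mapped name can be missing from the list; presumably this is the case where member is mapped to `""` and so contributes no attribute. I would add `# a mapping set to "" adds no attribute, so there may be nothing to remove` above the first guard. The branch is still entered for `'member' in self.parameters`, and mk_filter() lies outside the hunk, so it is worth confirming that a by-member search with the attribute disabled does not build a filter on an empty attribute name.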
@@ -125,15 +127,16 @@ class GroupRequest(common.Request): if common.is_valid_name(member): members.add(member) # translate and add the member values - for memberdn in clean(attributes['member']): - if memberdn in seen: - continue - seen.add(memberdn) - member = passwd.dn2uid(self.conn, memberdn) - if member and common.is_valid_name(member): - members.add(member) - elif cfg.nss_nested_groups: - subgroups.append(memberdn) + if attmap['member']: + for memberdn in clean(attributes['member']): + if memberdn in seen: + continue + seen.add(memberdn) + member = passwd.dn2uid(self.conn, memberdn) + if member and common.is_valid_name(member): + members.add(member) + elif cfg.nss_nested_groups: + subgroups.append(memberdn) def convert(self, dn, attributes, parameters): # get group names and check against requested group name @@ -200,7 +203,7 @@ class GroupByMemberRequest(GroupRequest): seen.add(dn) for values in self.convert(dn, attributes, parameters): yield values - if cfg.nss_nested_groups: + if cfg.nss_nested_groups and attmap['member']: tocheck = list(seen) # find parent groups while tocheck: |
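Review bot: `if attmap['member']:` treats the disabled mapping as falsy, while the C daemon compares the raw value against the two-character string `""`; how pynslcd's attmap stores that setting is not visible in this diff. If it keeps the quotes, this guard and `cfg.nss_nested_groups and attmap['member']` in GroupByMemberRequest would both stay true and the member lookups would still run. A comment such as `# attmap['member'] is empty when member is mapped to ""` at the first guard, backed by a test that loads that mapping, would pin the assumption down.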
