dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0007-LDAP-Fetch-users-and-groups-using-wildcards.patch

6cf099
From 9604ff1731ab7bd067bef62a0df6000eca091856 Mon Sep 17 00:00:00 2001
6cf099
From: Jakub Hrozek <jhrozek@redhat.com>
6cf099
Date: Mon, 4 May 2015 15:16:44 +0200
6cf099
Subject: [PATCH 07/13] LDAP: Fetch users and groups using wildcards
6cf099
MIME-Version: 1.0
6cf099
Content-Type: text/plain; charset=UTF-8
6cf099
Content-Transfer-Encoding: 8bit
6cf099
6cf099
Related:
6cf099
    https://fedorahosted.org/sssd/ticket/2553
6cf099
6cf099
Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far
6cf099
it's the same code as if enumeration was used, so there are no limits.
6cf099
6cf099
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
6cf099
---
6cf099
 src/providers/ldap/ldap_common.h |  3 +++
6cf099
 src/providers/ldap/ldap_id.c     | 50 ++++++++++++++++++++++++++++++++++++++--
6cf099
 2 files changed, 51 insertions(+), 2 deletions(-)
6cf099
6cf099
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
6cf099
index 424eacb1da0a6934b132ccb2a5bb175233fa1a80..8294d1db23bdca8d94a098533d93405c4d55226b 100644
6cf099
--- a/src/providers/ldap/ldap_common.h
6cf099
+++ b/src/providers/ldap/ldap_common.h
6cf099
@@ -39,6 +39,9 @@
6cf099
 #define LDAP_SSL_URI "ldaps://"
6cf099
 #define LDAP_LDAPI_URI "ldapi://"
6cf099
 
6cf099
+/* Only the asterisk is allowed in wildcard requests */
6cf099
+#define LDAP_ALLOWED_WILDCARDS "*"
6cf099
+
6cf099
 /* a fd the child process would log into */
6cf099
 extern int ldap_child_debug_fd;
6cf099
 
6cf099
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
6cf099
index 3245e1b12a69483f961f01210d13654b1c7c5345..61f09fc41d3210af5044f5338dd90db67e0123a7 100644
6cf099
--- a/src/providers/ldap/ldap_id.c
6cf099
+++ b/src/providers/ldap/ldap_id.c
6cf099
@@ -114,6 +114,14 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
6cf099
                                                           sdom->dom->name,
6cf099
                                                           sdom->dom->domain_id);
6cf099
     switch (filter_type) {
6cf099
+    case BE_FILTER_WILDCARD:
6cf099
+        attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
6cf099
+        ret = sss_filter_sanitize_ex(state, name, &clean_name,
6cf099
+                                     LDAP_ALLOWED_WILDCARDS);
6cf099
+        if (ret != EOK) {
6cf099
+            goto done;
6cf099
+        }
6cf099
+        break;
6cf099
     case BE_FILTER_NAME:
6cf099
         if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
6cf099
             attr_name = ctx->opts->user_map[SDAP_AT_USER_PRINC].name;
6cf099
@@ -388,6 +396,13 @@ static void users_get_search(struct tevent_req *req)
6cf099
     struct users_get_state *state = tevent_req_data(req,
6cf099
                                                      struct users_get_state);
6cf099
     struct tevent_req *subreq;
6cf099
+    bool multiple_results;
6cf099
+
6cf099
+    if (state->filter_type == BE_FILTER_WILDCARD) {
6cf099
+        multiple_results = true;
6cf099
+    } else {
6cf099
+        multiple_results = false;
6cf099
+    }
6cf099
 
6cf099
     subreq = sdap_get_users_send(state, state->ev,
6cf099
                                  state->domain, state->sysdb,
6cf099
@@ -397,7 +412,7 @@ static void users_get_search(struct tevent_req *req)
6cf099
                                  state->attrs, state->filter,
6cf099
                                  dp_opt_get_int(state->ctx->opts->basic,
6cf099
                                                 SDAP_SEARCH_TIMEOUT),
6cf099
-                                 false);
6cf099
+                                 multiple_results);
6cf099
     if (!subreq) {
6cf099
         tevent_req_error(req, ENOMEM);
6cf099
         return;
6cf099
@@ -508,6 +523,13 @@ static void users_get_done(struct tevent_req *subreq)
6cf099
              * group we have nothing to do here. */
6cf099
             break;
6cf099
 
6cf099
+        case BE_FILTER_WILDCARD:
6cf099
+            /* We can't know if all users are up-to-date, especially in a large
6cf099
+             * environment. Do not delete any records, let the responder fetch
6cf099
+             * the entries they are requested in
6cf099
+             */
6cf099
+            break;
6cf099
+
6cf099
         default:
6cf099
             tevent_req_error(req, EINVAL);
6cf099
             return;
6cf099
@@ -619,6 +641,14 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
6cf099
                                                           sdom->dom->domain_id);
6cf099
 
6cf099
     switch(filter_type) {
6cf099
+    case BE_FILTER_WILDCARD:
6cf099
+        attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;
6cf099
+        ret = sss_filter_sanitize_ex(state, name, &clean_name,
6cf099
+                                     LDAP_ALLOWED_WILDCARDS);
6cf099
+        if (ret != EOK) {
6cf099
+            goto done;
6cf099
+        }
6cf099
+        break;
6cf099
     case BE_FILTER_NAME:
6cf099
         attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;
6cf099
 
6cf099
@@ -871,6 +901,13 @@ static void groups_get_search(struct tevent_req *req)
6cf099
     struct groups_get_state *state = tevent_req_data(req,
6cf099
                                                      struct groups_get_state);
6cf099
     struct tevent_req *subreq;
6cf099
+    bool multiple_results;
6cf099
+
6cf099
+    if (state->filter_type == BE_FILTER_WILDCARD) {
6cf099
+        multiple_results = true;
6cf099
+    } else {
6cf099
+        multiple_results = false;
6cf099
+    }
6cf099
 
6cf099
     subreq = sdap_get_groups_send(state, state->ev,
6cf099
                                   state->sdom,
6cf099
@@ -879,7 +916,8 @@ static void groups_get_search(struct tevent_req *req)
6cf099
                                   state->attrs, state->filter,
6cf099
                                   dp_opt_get_int(state->ctx->opts->basic,
6cf099
                                                  SDAP_SEARCH_TIMEOUT),
6cf099
-                                  false, state->no_members);
6cf099
+                                  multiple_results,
6cf099
+                                  state->no_members);
6cf099
     if (!subreq) {
6cf099
         tevent_req_error(req, ENOMEM);
6cf099
         return;
6cf099
@@ -953,6 +991,14 @@ static void groups_get_done(struct tevent_req *subreq)
6cf099
              * group we have nothing to do here. */
6cf099
             break;
6cf099
 
6cf099
+        case BE_FILTER_WILDCARD:
6cf099
+            /* We can't know if all groups are up-to-date, especially in
6cf099
+             * a large environment. Do not delete any records, let the
6cf099
+             * responder fetch the entries they are requested in.
6cf099
+             */
6cf099
+            break;
6cf099
+
6cf099
+
6cf099
         default:
6cf099
             tevent_req_error(req, EINVAL);
6cf099
             return;
6cf099
-- 
6cf099
2.4.3
6cf099