From 9604ff1731ab7bd067bef62a0df6000eca091856 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 4 May 2015 15:16:44 +0200
Subject: [PATCH 07/13] LDAP: Fetch users and groups using wildcards
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds a handler for BE_FILTER_WILDCARD to the LDAP provider. So far
it's the same code as if enumeration was used, so there are no limits.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ldap/ldap_common.h | 3 +++
src/providers/ldap/ldap_id.c | 50 ++++++++++++++++++++++++++++++++++++++--
2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 424eacb1da0a6934b132ccb2a5bb175233fa1a80..8294d1db23bdca8d94a098533d93405c4d55226b 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -39,6 +39,9 @@
#define LDAP_SSL_URI "ldaps://"
#define LDAP_LDAPI_URI "ldapi://"
+/* Only the asterisk is allowed in wildcard requests */
+#define LDAP_ALLOWED_WILDCARDS "*"
+
/* a fd the child process would log into */
extern int ldap_child_debug_fd;
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 3245e1b12a69483f961f01210d13654b1c7c5345..61f09fc41d3210af5044f5338dd90db67e0123a7 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -114,6 +114,14 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
sdom->dom->name,
sdom->dom->domain_id);
switch (filter_type) {
+ case BE_FILTER_WILDCARD:
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
+ ret = sss_filter_sanitize_ex(state, name, &clean_name,
+ LDAP_ALLOWED_WILDCARDS);
+ if (ret != EOK) {
+ goto done;
+ }
+ break;
case BE_FILTER_NAME:
if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
attr_name = ctx->opts->user_map[SDAP_AT_USER_PRINC].name;
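Review bot: The new BE_FILTER_WILDCARD case sanitizes `name` with `LDAP_ALLOWED_WILDCARDS`, so `*` is deliberately left unescaped and a pattern that is just `*` turns into a search for every user in the base; nothing in this hunk (or in the size-limit-free `sdap_get_users_send` call that users_get_search makes) bounds how many entries a single request can pull from the server into the cache, which the commit message itself describes as "no limits". If a later patch in the series adds a limit, a comment here pointing to it would save the next reader the search; otherwise I'd record the current behaviour explicitly, e.g. `/* A bare "*" is accepted and behaves like enumeration: no size limit is applied yet. */`. Unless enumeration-by-wildcard is intended, rejecting an empty or lone-`*` pattern at this point (before building the filter) would be the cheapest guard, but I cannot see from the hunk whether `name` is already validated by the caller. The same applies to the BE_FILTER_WILDCARD case added to groups_get_send. users_get_send begins before this hunk and its body continues after it.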
@@ -388,6 +396,13 @@ static void users_get_search(struct tevent_req *req)
struct users_get_state *state = tevent_req_data(req,
struct users_get_state);
struct tevent_req *subreq;
+ bool multiple_results;
+
+ if (state->filter_type == BE_FILTER_WILDCARD) {
+ multiple_results = true;
+ } else {
+ multiple_results = false;
+ }
subreq = sdap_get_users_send(state, state->ev,
state->domain, state->sysdb,
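Review bot: The five-line if/else that sets `multiple_results` is a predicate and reads better as a single initialized declaration, `bool multiple_results = (state->filter_type == BE_FILTER_WILDCARD);`, which also keeps the variable initialized at its point of declaration. The identical pattern is introduced in the groups_get_search hunk and could be collapsed the same way. users_get_search's body continues past this hunk; the `sdap_get_users_send` call it feeds is completed in the following hunk.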
@@ -397,7 +412,7 @@ static void users_get_search(struct tevent_req *req)
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
SDAP_SEARCH_TIMEOUT),
- false);
+ multiple_results);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -508,6 +523,13 @@ static void users_get_done(struct tevent_req *subreq)
* group we have nothing to do here. */
break;
+ case BE_FILTER_WILDCARD:
+ /* We can't know if all users are up-to-date, especially in a large
+ * environment. Do not delete any records, let the responder fetch
+ * the entries they are requested in
+ */
+ break;
+
default:
tevent_req_error(req, EINVAL);
return;
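Review bot: The comment in the new BE_FILTER_WILDCARD case is hard to parse ("let the responder fetch the entries they are requested in") and it is the only place that explains why stale cache records survive a wildcard refresh, so it is worth getting right; I'd write it as `/* We can't know whether every user is still up to date, especially in a large environment, so do not delete any records; the responder will fetch individual entries as they are requested. */`. The parallel case in groups_get_done says the same thing in slightly different words and is followed by two blank lines before `default:` instead of one; making the two cases identical would keep the users/groups paths easy to diff against each other. users_get_done begins before this hunk.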
@@ -619,6 +641,14 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
sdom->dom->domain_id);
switch(filter_type) {
+ case BE_FILTER_WILDCARD:
+ attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;
+ ret = sss_filter_sanitize_ex(state, name, &clean_name,
+ LDAP_ALLOWED_WILDCARDS);
+ if (ret != EOK) {
+ goto done;
+ }
+ break;
case BE_FILTER_NAME:
attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;
@@ -871,6 +901,13 @@ static void groups_get_search(struct tevent_req *req)
struct groups_get_state *state = tevent_req_data(req,
struct groups_get_state);
struct tevent_req *subreq;
+ bool multiple_results;
+
+ if (state->filter_type == BE_FILTER_WILDCARD) {
+ multiple_results = true;
+ } else {
+ multiple_results = false;
+ }
subreq = sdap_get_groups_send(state, state->ev,
state->sdom,
@@ -879,7 +916,8 @@ static void groups_get_search(struct tevent_req *req)
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
SDAP_SEARCH_TIMEOUT),
- false, state->no_members);
+ multiple_results,
+ state->no_members);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -953,6 +991,14 @@ static void groups_get_done(struct tevent_req *subreq)
* group we have nothing to do here. */
break;
+ case BE_FILTER_WILDCARD:
+ /* We can't know if all groups are up-to-date, especially in
+ * a large environment. Do not delete any records, let the
+ * responder fetch the entries they are requested in.
+ */
+ break;
+
+
default:
tevent_req_error(req, EINVAL);
return;
--
2.4.3