From 9604ff1731ab7bd067bef62a0df6000eca091856 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Mon, 4 May 2015 15:16:44 +0200

Subject: [PATCH 07/13] LDAP: Fetch users and groups using wildcards

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Related:

    https://fedorahosted.org/sssd/ticket/2553

Adds handler for the BE_FILTER_WILDCARD in the LDAP provider. So far

it's the same code as if enumeration was used, so there are no limits.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

 src/providers/ldap/ldap_common.h |  3 +++

 src/providers/ldap/ldap_id.c     | 50 ++++++++++++++++++++++++++++++++++++++--

 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h

index 424eacb1da0a6934b132ccb2a5bb175233fa1a80..8294d1db23bdca8d94a098533d93405c4d55226b 100644

--- a/src/providers/ldap/ldap_common.h

+++ b/src/providers/ldap/ldap_common.h

@@ -39,6 +39,9 @@

 #define LDAP_SSL_URI "ldaps://"

 #define LDAP_LDAPI_URI "ldapi://"

+/* Only the asterisk is allowed in wildcard requests */

+#define LDAP_ALLOWED_WILDCARDS "*"

+

 /* a fd the child process would log into */

 extern int ldap_child_debug_fd;

diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c

index 3245e1b12a69483f961f01210d13654b1c7c5345..61f09fc41d3210af5044f5338dd90db67e0123a7 100644

--- a/src/providers/ldap/ldap_id.c

+++ b/src/providers/ldap/ldap_id.c

@@ -114,6 +114,14 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,

                                                           sdom->dom->name,

                                                           sdom->dom->domain_id);

     switch (filter_type) {

+    case BE_FILTER_WILDCARD:

+        attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;

+        ret = sss_filter_sanitize_ex(state, name, &clean_name,

+                                     LDAP_ALLOWED_WILDCARDS);

+        if (ret != EOK) {

+            goto done;

+        }

+        break;

     case BE_FILTER_NAME:

         if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {

             attr_name = ctx->opts->user_map[SDAP_AT_USER_PRINC].name;

@@ -388,6 +396,13 @@ static void users_get_search(struct tevent_req *req)

     struct users_get_state *state = tevent_req_data(req,

                                                      struct users_get_state);

     struct tevent_req *subreq;

+    bool multiple_results;

+

+    if (state->filter_type == BE_FILTER_WILDCARD) {

+        multiple_results = true;

+    } else {

+        multiple_results = false;

+    }

     subreq = sdap_get_users_send(state, state->ev,

                                  state->domain, state->sysdb,

@@ -397,7 +412,7 @@ static void users_get_search(struct tevent_req *req)

                                  state->attrs, state->filter,

                                  dp_opt_get_int(state->ctx->opts->basic,

                                                 SDAP_SEARCH_TIMEOUT),

-                                 false);

+                                 multiple_results);

     if (!subreq) {

         tevent_req_error(req, ENOMEM);

         return;

@@ -508,6 +523,13 @@ static void users_get_done(struct tevent_req *subreq)

              * group we have nothing to do here. */

             break;

+        case BE_FILTER_WILDCARD:

+            /* We can't know if all users are up-to-date, especially in a large

+             * environment. Do not delete any records, let the responder fetch

+             * the entries they are requested in

+             */

+            break;

+

         default:

             tevent_req_error(req, EINVAL);

             return;

@@ -619,6 +641,14 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,

                                                           sdom->dom->domain_id);

     switch(filter_type) {

+    case BE_FILTER_WILDCARD:

+        attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;

+        ret = sss_filter_sanitize_ex(state, name, &clean_name,

+                                     LDAP_ALLOWED_WILDCARDS);

+        if (ret != EOK) {

+            goto done;

+        }

+        break;

     case BE_FILTER_NAME:

         attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;

@@ -871,6 +901,13 @@ static void groups_get_search(struct tevent_req *req)

     struct groups_get_state *state = tevent_req_data(req,

                                                      struct groups_get_state);

     struct tevent_req *subreq;

+    bool multiple_results;

+

+    if (state->filter_type == BE_FILTER_WILDCARD) {

+        multiple_results = true;

+    } else {

+        multiple_results = false;

+    }

     subreq = sdap_get_groups_send(state, state->ev,

                                   state->sdom,

@@ -879,7 +916,8 @@ static void groups_get_search(struct tevent_req *req)

                                   state->attrs, state->filter,

                                   dp_opt_get_int(state->ctx->opts->basic,

                                                  SDAP_SEARCH_TIMEOUT),

-                                  false, state->no_members);

+                                  multiple_results,

+                                  state->no_members);

     if (!subreq) {

         tevent_req_error(req, ENOMEM);

         return;

@@ -953,6 +991,14 @@ static void groups_get_done(struct tevent_req *subreq)

              * group we have nothing to do here. */

             break;

+        case BE_FILTER_WILDCARD:

+            /* We can't know if all groups are up-to-date, especially in

+             * a large environment. Do not delete any records, let the

+             * responder fetch the entries they are requested in.

+             */

+            break;

+

+

         default:

             tevent_req_error(req, EINVAL);

             return;

-- 

2.4.3