|
|
6cf099 |
From 4e795d8ff3a1d1f5cd5a7dddaf364909c60d9191 Mon Sep 17 00:00:00 2001
|
|
|
6cf099 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
6cf099 |
Date: Wed, 17 Jun 2015 16:13:51 +0200
|
|
|
6cf099 |
Subject: [PATCH 11/13] LDAP: Add the wildcard_limit option
|
|
|
6cf099 |
MIME-Version: 1.0
|
|
|
6cf099 |
Content-Type: text/plain; charset=UTF-8
|
|
|
6cf099 |
Content-Transfer-Encoding: 8bit
|
|
|
6cf099 |
|
|
|
6cf099 |
Related:
|
|
|
6cf099 |
https://fedorahosted.org/sssd/ticket/2553
|
|
|
6cf099 |
|
|
|
6cf099 |
Adds a new wildcard_limit option that is set by default to 1000 (one
|
|
|
6cf099 |
page). This option limits, by default, the number of entries that can be
|
|
|
6cf099 |
returned by a wildcard search.
|
|
|
6cf099 |
|
|
|
6cf099 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
6cf099 |
---
|
|
|
6cf099 |
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
|
6cf099 |
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
|
|
|
6cf099 |
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
|
|
|
6cf099 |
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
|
|
|
6cf099 |
src/man/sssd-ldap.5.xml | 17 +++++++++++++++++
|
|
|
6cf099 |
src/providers/ad/ad_opts.h | 1 +
|
|
|
6cf099 |
src/providers/ipa/ipa_opts.h | 1 +
|
|
|
6cf099 |
src/providers/ldap/ldap_opts.h | 1 +
|
|
|
6cf099 |
src/providers/ldap/sdap.h | 1 +
|
|
|
6cf099 |
src/providers/ldap/sdap_async_groups.c | 8 +++++++-
|
|
|
6cf099 |
src/providers/ldap/sdap_async_users.c | 8 +++++++-
|
|
|
6cf099 |
11 files changed, 39 insertions(+), 2 deletions(-)
|
|
|
6cf099 |
|
|
|
6cf099 |
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
|
6cf099 |
index 4d45e42af4fa32717caa69cc621834cdffc27431..4b519eddd04cde83c209f5a1940832cc7f41c736 100644
|
|
|
6cf099 |
--- a/src/config/SSSDConfig/__init__.py.in
|
|
|
6cf099 |
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
|
6cf099 |
@@ -355,6 +355,7 @@ option_strings = {
|
|
|
6cf099 |
'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'),
|
|
|
6cf099 |
'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'),
|
|
|
6cf099 |
'ldap_pwdlockout_dn' : _('DN for ppolicy queries'),
|
|
|
6cf099 |
+ 'wildcard_limit' : _('How many maximum entries to fetch during a wildcard request'),
|
|
|
6cf099 |
|
|
|
6cf099 |
# [provider/ldap/auth]
|
|
|
6cf099 |
'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
|
|
|
6cf099 |
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
|
|
|
6cf099 |
index faab3a51e54d6d498392021a8945501120870f70..b636d93108ef0a3831970d7827895c14b0f3571c 100644
|
|
|
6cf099 |
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
|
|
|
6cf099 |
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
|
|
|
6cf099 |
@@ -56,6 +56,7 @@ ldap_deref_threshold = int, None, false
|
|
|
6cf099 |
ldap_connection_expire_timeout = int, None, false
|
|
|
6cf099 |
ldap_disable_paging = bool, None, false
|
|
|
6cf099 |
krb5_confd_path = str, None, false
|
|
|
6cf099 |
+wildcard_limit = int, None, false
|
|
|
6cf099 |
|
|
|
6cf099 |
[provider/ad/id]
|
|
|
6cf099 |
ldap_search_timeout = int, None, false
|
|
|
6cf099 |
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
|
|
6cf099 |
index cfcc00f6f7ca768df861e8cf7face065f90e9e83..ab712fe55cdac6d247a085aeca5cc82d65966623 100644
|
|
|
6cf099 |
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
|
|
|
6cf099 |
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
|
|
6cf099 |
@@ -52,6 +52,7 @@ ldap_deref_threshold = int, None, false
|
|
|
6cf099 |
ldap_connection_expire_timeout = int, None, false
|
|
|
6cf099 |
ldap_disable_paging = bool, None, false
|
|
|
6cf099 |
krb5_confd_path = str, None, false
|
|
|
6cf099 |
+wildcard_limit = int, None, false
|
|
|
6cf099 |
|
|
|
6cf099 |
[provider/ipa/id]
|
|
|
6cf099 |
ldap_search_timeout = int, None, false
|
|
|
6cf099 |
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
|
|
6cf099 |
index c10290217b1b133792b893d9b80e2599969838a6..8fd45fd4093714f458161eb352157c845d926f06 100644
|
|
|
6cf099 |
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
|
|
|
6cf099 |
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
|
|
6cf099 |
@@ -37,6 +37,7 @@ ldap_sasl_minssf = int, None, false
|
|
|
6cf099 |
ldap_connection_expire_timeout = int, None, false
|
|
|
6cf099 |
ldap_disable_paging = bool, None, false
|
|
|
6cf099 |
ldap_disable_range_retrieval = bool, None, false
|
|
|
6cf099 |
+wildcard_limit = int, None, false
|
|
|
6cf099 |
|
|
|
6cf099 |
[provider/ldap/id]
|
|
|
6cf099 |
ldap_search_timeout = int, None, false
|
|
|
6cf099 |
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
|
|
6cf099 |
index f14090843fd32141ad4f491b69868aa7b2412301..9ac175f8d4a8aa01ca2434b800ebae1be88575f5 100644
|
|
|
6cf099 |
--- a/src/man/sssd-ldap.5.xml
|
|
|
6cf099 |
+++ b/src/man/sssd-ldap.5.xml
|
|
|
6cf099 |
@@ -2135,6 +2135,23 @@ ldap_access_filter = (employeeType=admin)
|
|
|
6cf099 |
</listitem>
|
|
|
6cf099 |
</varlistentry>
|
|
|
6cf099 |
|
|
|
6cf099 |
+ <varlistentry>
|
|
|
6cf099 |
+ <term>wildcart_limit (integer)</term>
|
|
|
6cf099 |
+ <listitem>
|
|
|
6cf099 |
+ <para>
|
|
|
6cf099 |
+ Specifies an upper limit on the number of entries
|
|
|
6cf099 |
+ that are downloaded during a wildcard lookup.
|
|
|
6cf099 |
+ </para>
|
|
|
6cf099 |
+ <para>
|
|
|
6cf099 |
+ At the moment, only the InfoPipe responder supports
|
|
|
6cf099 |
+ wildcard lookups.
|
|
|
6cf099 |
+ </para>
|
|
|
6cf099 |
+ <para>
|
|
|
6cf099 |
+ Default: 1000 (often the size of one page)
|
|
|
6cf099 |
+ </para>
|
|
|
6cf099 |
+ </listitem>
|
|
|
6cf099 |
+ </varlistentry>
|
|
|
6cf099 |
+
|
|
|
6cf099 |
</variablelist>
|
|
|
6cf099 |
</para>
|
|
|
6cf099 |
</refsect1>
|
|
|
6cf099 |
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
|
|
|
6cf099 |
index cb4c05d846d9abe5eedb28013ad13fff6476d431..d685edcb44c771b0afc7a232a82c21fc9d1c89f9 100644
|
|
|
6cf099 |
--- a/src/providers/ad/ad_opts.h
|
|
|
6cf099 |
+++ b/src/providers/ad/ad_opts.h
|
|
|
6cf099 |
@@ -146,6 +146,7 @@ struct dp_option ad_def_ldap_opts[] = {
|
|
|
6cf099 |
{ "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
|
|
|
6cf099 |
{ "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
|
|
|
6cf099 |
{ "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
|
6cf099 |
+ { "wildcard_limit", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER},
|
|
|
6cf099 |
DP_OPTION_TERMINATOR
|
|
|
6cf099 |
};
|
|
|
6cf099 |
|
|
|
6cf099 |
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
|
|
|
6cf099 |
index 253c0715355536cc181c57beed5326a77e87e464..9576228d1bf3424c8867bda058b59c3ca6b2216b 100644
|
|
|
6cf099 |
--- a/src/providers/ipa/ipa_opts.h
|
|
|
6cf099 |
+++ b/src/providers/ipa/ipa_opts.h
|
|
|
6cf099 |
@@ -157,6 +157,7 @@ struct dp_option ipa_def_ldap_opts[] = {
|
|
|
6cf099 |
{ "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
|
|
|
6cf099 |
{ "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
|
|
|
6cf099 |
{ "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
|
6cf099 |
+ { "wildcard_limit", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER},
|
|
|
6cf099 |
DP_OPTION_TERMINATOR
|
|
|
6cf099 |
};
|
|
|
6cf099 |
|
|
|
6cf099 |
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
|
|
|
6cf099 |
index c1b9bf688ef0a92046195c13a11d2c17b2419d67..9f58db5bd9eef1391e97c1890cbff94c2a5406d6 100644
|
|
|
6cf099 |
--- a/src/providers/ldap/ldap_opts.h
|
|
|
6cf099 |
+++ b/src/providers/ldap/ldap_opts.h
|
|
|
6cf099 |
@@ -122,6 +122,7 @@ struct dp_option default_basic_opts[] = {
|
|
|
6cf099 |
{ "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
|
|
|
6cf099 |
{ "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
|
|
|
6cf099 |
{ "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
|
6cf099 |
+ { "wildcard_limit", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER},
|
|
|
6cf099 |
DP_OPTION_TERMINATOR
|
|
|
6cf099 |
};
|
|
|
6cf099 |
|
|
|
6cf099 |
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
|
|
6cf099 |
index d9b2d18637bdb3e7823af9d1de2c042c8134780f..444502bf7159edcf4cebe530cce8b216c737ec30 100644
|
|
|
6cf099 |
--- a/src/providers/ldap/sdap.h
|
|
|
6cf099 |
+++ b/src/providers/ldap/sdap.h
|
|
|
6cf099 |
@@ -231,6 +231,7 @@ enum sdap_basic_opt {
|
|
|
6cf099 |
SDAP_MIN_ID,
|
|
|
6cf099 |
SDAP_MAX_ID,
|
|
|
6cf099 |
SDAP_PWDLOCKOUT_DN,
|
|
|
6cf099 |
+ SDAP_WILDCARD_LIMIT,
|
|
|
6cf099 |
|
|
|
6cf099 |
SDAP_OPTS_BASIC /* opts counter */
|
|
|
6cf099 |
};
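Review bot: The default of 1000 is written as a bare literal in three option tables (ad_opts.h, ipa_opts.h, ldap_opts.h) and once more in the man page, with nothing tying the four together. Adding `#define SDAP_DEFAULT_WILDCARD_LIMIT 1000` next to this enum and using it in each `{ "wildcard_limit", DP_OPT_NUMBER, { .number = SDAP_DEFAULT_WILDCARD_LIMIT }, NULL_NUMBER }` entry would make a later change to the cap a one-line edit that cannot leave one provider behind. A one-line comment on SDAP_WILDCARD_LIMIT, `/* max entries returned by a wildcard search; 0 is passed through as unlimited */`, would also help, since this enum is the only definition the three providers share and the 0-means-unlimited convention is currently only visible in the sdap_async_*.c switch statements.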
|
|
|
6cf099 |
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
|
|
|
6cf099 |
index ad0354df1fce9011c68cabb6049e7feee92a44c0..525c6fa09553d8c0232ce2317751184f83632d86 100644
|
|
|
6cf099 |
--- a/src/providers/ldap/sdap_async_groups.c
|
|
|
6cf099 |
+++ b/src/providers/ldap/sdap_async_groups.c
|
|
|
6cf099 |
@@ -1856,6 +1856,7 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
|
|
|
6cf099 |
struct tevent_req *subreq;
|
|
|
6cf099 |
struct sdap_get_groups_state *state;
|
|
|
6cf099 |
bool need_paging = false;
|
|
|
6cf099 |
+ int sizelimit = 0;
|
|
|
6cf099 |
|
|
|
6cf099 |
state = tevent_req_data(req, struct sdap_get_groups_state);
|
|
|
6cf099 |
|
|
|
6cf099 |
@@ -1873,13 +1874,18 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
|
|
|
6cf099 |
|
|
|
6cf099 |
switch (state->lookup_type) {
|
|
|
6cf099 |
case SDAP_LOOKUP_SINGLE:
|
|
|
6cf099 |
+ sizelimit = 1;
|
|
|
6cf099 |
need_paging = false;
|
|
|
6cf099 |
break;
|
|
|
6cf099 |
/* Only requests that can return multiple entries should require
|
|
|
6cf099 |
* the paging control
|
|
|
6cf099 |
*/
|
|
|
6cf099 |
case SDAP_LOOKUP_WILDCARD:
|
|
|
6cf099 |
+ sizelimit = dp_opt_get_int(state->opts->basic, SDAP_WILDCARD_LIMIT);
|
|
|
6cf099 |
+ need_paging = true;
|
|
|
6cf099 |
+ break;
|
|
|
6cf099 |
case SDAP_LOOKUP_ENUMERATE:
|
|
|
6cf099 |
+ sizelimit = 0; /* unlimited */
|
|
|
6cf099 |
need_paging = true;
|
|
|
6cf099 |
break;
|
|
|
6cf099 |
}
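Review bot: The value read from SDAP_WILDCARD_LIMIT in the SDAP_LOOKUP_WILDCARD case is handed to the search as-is with no range check, although it comes straight from sssd.conf. Per the comment on the SDAP_LOOKUP_ENUMERATE case a limit of 0 means unlimited, so `wildcard_limit = 0` silently removes the cap this option exists to provide, and a negative value is forwarded to sdap_get_generic_send, whose handling of it is not visible here. Rejecting negatives where the options are parsed would be best; failing that, guard here with `if (sizelimit < 0) return EINVAL;` and state in the man page that 0 disables the limit so an administrator does not choose it by accident. sdap_get_groups_next_base begins and ends outside this hunk.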
|
|
|
6cf099 |
@@ -1891,7 +1897,7 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
|
|
|
6cf099 |
state->search_bases[state->base_iter]->scope,
|
|
|
6cf099 |
state->filter, state->attrs,
|
|
|
6cf099 |
state->opts->group_map, SDAP_OPTS_GROUP,
|
|
|
6cf099 |
- 0, NULL, NULL, 0, state->timeout,
|
|
|
6cf099 |
+ 0, NULL, NULL, sizelimit, state->timeout,
|
|
|
6cf099 |
need_paging);
|
|
|
6cf099 |
if (!subreq) {
|
|
|
6cf099 |
return ENOMEM;
|
|
|
6cf099 |
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
|
|
|
6cf099 |
index f66ae2604c867d4a5e8d223081ece9f1e474cf73..a864a8b2187de7972aa963b355856e97f7c692a9 100644
|
|
|
6cf099 |
--- a/src/providers/ldap/sdap_async_users.c
|
|
|
6cf099 |
+++ b/src/providers/ldap/sdap_async_users.c
|
|
|
6cf099 |
@@ -674,6 +674,7 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
|
|
|
6cf099 |
struct tevent_req *subreq;
|
|
|
6cf099 |
struct sdap_search_user_state *state;
|
|
|
6cf099 |
bool need_paging = false;
|
|
|
6cf099 |
+ int sizelimit = 0;
|
|
|
6cf099 |
|
|
|
6cf099 |
state = tevent_req_data(req, struct sdap_search_user_state);
|
|
|
6cf099 |
|
|
|
6cf099 |
@@ -691,13 +692,18 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
|
|
|
6cf099 |
|
|
|
6cf099 |
switch (state->lookup_type) {
|
|
|
6cf099 |
case SDAP_LOOKUP_SINGLE:
|
|
|
6cf099 |
+ sizelimit = 1;
|
|
|
6cf099 |
need_paging = false;
|
|
|
6cf099 |
break;
|
|
|
6cf099 |
/* Only requests that can return multiple entries should require
|
|
|
6cf099 |
* the paging control
|
|
|
6cf099 |
*/
|
|
|
6cf099 |
case SDAP_LOOKUP_WILDCARD:
|
|
|
6cf099 |
+ sizelimit = dp_opt_get_int(state->opts->basic, SDAP_WILDCARD_LIMIT);
|
|
|
6cf099 |
+ need_paging = true;
|
|
|
6cf099 |
+ break;
|
|
|
6cf099 |
case SDAP_LOOKUP_ENUMERATE:
|
|
|
6cf099 |
+ sizelimit = 0; /* unlimited */
|
|
|
6cf099 |
need_paging = true;
|
|
|
6cf099 |
break;
|
|
|
6cf099 |
}
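Review bot: Setting `sizelimit = 1` for SDAP_LOOKUP_SINGLE is a behaviour change beyond what the commit message describes: single lookups previously ran with the unlimited 0 passed on the removed line, and a filter matching more than one entry (a duplicate uid, for example) will now make the server stop after one entry and answer sizeLimitExceeded. Whether sdap_get_generic_send turns that into a usable first entry or a failed lookup is decided outside this hunk and should be confirmed and recorded in the commit message. Separately, the man page entry this patch adds spells the option `wildcart_limit`, so an administrator following it would set a key the code never reads and silently keep the 1000 default; it should read `<term>wildcard_limit (integer)</term>`. sdap_search_user_next_base begins and ends outside this hunk.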
|
|
|
6cf099 |
@@ -708,7 +714,7 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
|
|
|
6cf099 |
state->search_bases[state->base_iter]->scope,
|
|
|
6cf099 |
state->filter, state->attrs,
|
|
|
6cf099 |
state->opts->user_map, state->opts->user_map_cnt,
|
|
|
6cf099 |
- 0, NULL, NULL, 0, state->timeout,
|
|
|
6cf099 |
+ 0, NULL, NULL, sizelimit, state->timeout,
|
|
|
6cf099 |
need_paging);
|
|
|
6cf099 |
if (subreq == NULL) {
|
|
|
6cf099 |
return ENOMEM;
|
|
|
6cf099 |
--
|
|
|
6cf099 |
2.4.3
|
|
|
6cf099 |
|