From 9604ff1731ab7bd067bef62a0df6000eca091856 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 4 May 2015 15:16:44 +0200
Subject: [PATCH 07/13] LDAP: Fetch users and groups using wildcards
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Related:
    https://fedorahosted.org/sssd/ticket/2553

Adds a handler for BE_FILTER_WILDCARD to the LDAP provider. So far
it uses the same code path as enumeration, so no limits are applied.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/providers/ldap/ldap_common.h |  3 +++
 src/providers/ldap/ldap_id.c     | 50 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 424eacb1da0a6934b132ccb2a5bb175233fa1a80..8294d1db23bdca8d94a098533d93405c4d55226b 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -39,6 +39,9 @@
 #define LDAP_SSL_URI "ldaps://"
 #define LDAP_LDAPI_URI "ldapi://"
 
+/* Only the asterisk is allowed in wildcard requests */
+#define LDAP_ALLOWED_WILDCARDS "*"
+
 /* a fd the child process would log into */
 extern int ldap_child_debug_fd;
 
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 3245e1b12a69483f961f01210d13654b1c7c5345..61f09fc41d3210af5044f5338dd90db67e0123a7 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -114,6 +114,14 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
                                                           sdom->dom->name,
                                                           sdom->dom->domain_id);
     switch (filter_type) {
+    case BE_FILTER_WILDCARD:
+        attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
+        ret = sss_filter_sanitize_ex(state, name, &clean_name,
+                                     LDAP_ALLOWED_WILDCARDS);
+        if (ret != EOK) {
+            goto done;
+        }
+        break;
     case BE_FILTER_NAME:
         if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
             attr_name = ctx->opts->user_map[SDAP_AT_USER_PRINC].name;
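Review bot: The new `case BE_FILTER_WILDCARD:` branch never checks that `name` contains at least one literal character, so a request consisting only of asterisks (or an empty string, if the caller can pass one) goes through `sss_filter_sanitize_ex` unchanged and becomes an unbounded substring search over the whole user base, which the commit message itself says has no limit. Consider rejecting such input before the sanitize call, e.g. `if (name[0] == '\0' || strspn(name, LDAP_ALLOWED_WILDCARDS) == strlen(name)) { ret = EINVAL; goto done; }`, or at minimum add `/* TODO: no size limit on wildcard searches yet, see ticket 2553 */` so the follow-up is tracked in the code. Whether `name` may be NULL here is not visible in the hunk and should be confirmed before adding the check. The same applies to the wildcard case in groups_get_send (the hunk at `@@ -619,6 +641,14 @@`). users_get_send begins outside the hunk.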
@@ -388,6 +396,13 @@ static void users_get_search(struct tevent_req *req)
     struct users_get_state *state = tevent_req_data(req,
                                                      struct users_get_state);
     struct tevent_req *subreq;
+    bool multiple_results;
+
+    if (state->filter_type == BE_FILTER_WILDCARD) {
+        multiple_results = true;
+    } else {
+        multiple_results = false;
+    }
 
     subreq = sdap_get_users_send(state, state->ev,
                                  state->domain, state->sysdb,
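Review bot: The five-line `bool multiple_results; if (...) { ... } else { ... }` block in users_get_search can be a single initialized declaration, `bool multiple_results = (state->filter_type == BE_FILTER_WILDCARD);`, which also avoids a variable that is declared uninitialized and assigned later. The same shape appears in groups_get_search (the hunk at `@@ -871,6 +901,13 @@`). If ldap_id.c does not already include <stdbool.h>, the new `bool` needs it; the include block is outside the hunk, so I cannot confirm. users_get_search continues outside the hunk.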
@@ -397,7 +412,7 @@ static void users_get_search(struct tevent_req *req)
                                  state->attrs, state->filter,
                                  dp_opt_get_int(state->ctx->opts->basic,
                                                 SDAP_SEARCH_TIMEOUT),
-                                 false);
+                                 multiple_results);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
         return;
@@ -508,6 +523,13 @@ static void users_get_done(struct tevent_req *subreq)
              * group we have nothing to do here. */
             break;
 
+        case BE_FILTER_WILDCARD:
+            /* We can't know if all users are up-to-date, especially in a large
+             * environment. Do not delete any records, let the responder fetch
+             * the entries they are requested in
+             */
+            break;
+
         default:
             tevent_req_error(req, EINVAL);
             return;
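Review bot: The new comment under `case BE_FILTER_WILDCARD:` in users_get_done reads awkwardly ("let the responder fetch the entries they are requested in") and does not state what would go wrong if records were deleted. Suggest `/* After a wildcard search we cannot tell whether every cached user is still up to date, especially in a large environment. Do not delete any records; the responder fetches individual entries on request. */`. The comment in groups_get_done (the hunk at `@@ -953,6 +991,14 @@`) has the same wording and would benefit from the same rewrite. users_get_done continues outside the hunk.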
@@ -619,6 +641,14 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
                                                           sdom->dom->domain_id);
 
     switch(filter_type) {
+    case BE_FILTER_WILDCARD:
+        attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;
+        ret = sss_filter_sanitize_ex(state, name, &clean_name,
+                                     LDAP_ALLOWED_WILDCARDS);
+        if (ret != EOK) {
+            goto done;
+        }
+        break;
     case BE_FILTER_NAME:
         attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;
 
@@ -871,6 +901,13 @@ static void groups_get_search(struct tevent_req *req)
     struct groups_get_state *state = tevent_req_data(req,
                                                      struct groups_get_state);
     struct tevent_req *subreq;
+    bool multiple_results;
+
+    if (state->filter_type == BE_FILTER_WILDCARD) {
+        multiple_results = true;
+    } else {
+        multiple_results = false;
+    }
 
     subreq = sdap_get_groups_send(state, state->ev,
                                   state->sdom,
@@ -879,7 +916,8 @@ static void groups_get_search(struct tevent_req *req)
                                   state->attrs, state->filter,
                                   dp_opt_get_int(state->ctx->opts->basic,
                                                  SDAP_SEARCH_TIMEOUT),
-                                  false, state->no_members);
+                                  multiple_results,
+                                  state->no_members);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
         return;
@@ -953,6 +991,14 @@ static void groups_get_done(struct tevent_req *subreq)
              * group we have nothing to do here. */
             break;
 
+        case BE_FILTER_WILDCARD:
+            /* We can't know if all groups are up-to-date, especially in
+             * a large environment. Do not delete any records, let the
+             * responder fetch the entries they are requested in.
+             */
+            break;
+
+
         default:
             tevent_req_error(req, EINVAL);
             return;
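Review bot: There are two consecutive blank lines between the new `break;` and `default:` in groups_get_done, where the matching users_get_done hunk has one; drop one of them so the two switch statements stay visually parallel. groups_get_done continues outside the hunk.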
-- 
2.4.3