authorSumit Bose <sbose@redhat.com>2015-03-02 10:59:34 +0100
committerTomas Babej <tbabej@redhat.com>2015-03-09 14:48:08 +0100
commitc15a407cbfaed163a933ab137eed16387efe25d2 (patch)
tree8f396aa824c383b3ab61d3d2261e5fc83c6dc669 /daemons/ipa-slapi-plugins
parent50c8f0c80175c7812bb523ab2387b19a94245b59 (diff)
extdom: make nss buffer configurable
The get*_r_wrapper() calls expect a maximum buffer size to avoid memory shortage if too many threads try to allocate buffers e.g. for large groups. With this patch this size can be configured by setting ipaExtdomMaxNssBufSize in the plugin config object cn=ipa_extdom_extop,cn=plugins,cn=config. Related to https://fedorahosted.org/freeipa/ticket/4908 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons/ipa-slapi-plugins')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h1
-rw-r--r--daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c59
-rw-r--r--daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c10
3 files changed, 48 insertions, 22 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 40bf93392..d4c851169 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -150,6 +150,7 @@ struct extdom_res {
struct ipa_extdom_ctx {
Slapi_ComponentId *plugin_id;
char *base_dn;
+ size_t max_nss_buf_size;
};
struct domain_info {
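Review bot: `max_nss_buf_size` is declared `size_t` here, but the code that sets it in ipa_extdom_extop.c reads the value with `slapi_entry_attr_get_uint()` and logs it with `%d`, which is not a valid conversion for a `size_t` argument. The log call should use `%zu`: `LOG("Maximal nss buffer size set to [%zu]!\n", ctx->max_nss_buf_size);`. That init code also accepts any non-zero value, so a very small setting would presumably make every lookup fail with ERANGE; a documented minimum would help. A comment on the field would be useful too, e.g. `/* cap for get*_r_wrapper() buffers, from ipaExtdomMaxNssBufSize; 0 in config selects the default */`.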
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index cbe336963..47bcb179f 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -49,9 +49,6 @@
#define MAX(a,b) (((a)>(b))?(a):(b))
#define SSSD_DOMAIN_SEPARATOR '@'
-#define MAX_BUF (1024*1024*1024)
-
-
int get_buffer(size_t *_buf_len, char **_buf)
{
@@ -464,7 +461,8 @@ static int pack_ber_sid(const char *sid, struct berval **berval)
#define SSSD_SYSDB_SID_STR "objectSIDString"
-static int pack_ber_user(enum response_types response_type,
+static int pack_ber_user(struct ipa_extdom_ctx *ctx,
+ enum response_types response_type,
const char *domain_name, const char *user_name,
uid_t uid, gid_t gid,
const char *gecos, const char *homedir,
@@ -529,7 +527,8 @@ static int pack_ber_user(enum response_types response_type,
}
for (c = 0; c < ngroups; c++) {
- ret = getgrgid_r_wrapper(MAX_BUF, groups[c], &grp, &buf, &buf_len);
+ ret = getgrgid_r_wrapper(ctx->max_nss_buf_size,
+ groups[c], &grp, &buf, &buf_len);
if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
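Review bot: With the cap now taken from `ctx->max_nss_buf_size`, an ERANGE from `getgrgid_r_wrapper()` in this loop presumably means the administrator's limit was reached, yet the lines visible here fold it into `LDAP_OPERATIONS_ERROR` together with ENOMEM and nothing is logged. A message on the ERANGE path would let an operator tell a too-small ipaExtdomMaxNssBufSize from real memory exhaustion, e.g. `LOG("NSS buffer limit [%zu] reached for gid lookup\n", ctx->max_nss_buf_size);`. The same applies to the wrapper calls changed in handle_uid_request, handle_gid_request, handle_sid_request and handle_name_request. The error branch continues past the end of the hunk, so a log may already exist there.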
@@ -691,7 +690,8 @@ static int pack_ber_name(const char *domain_name, const char *name,
return LDAP_SUCCESS;
}
-static int handle_uid_request(enum request_types request_type, uid_t uid,
+static int handle_uid_request(struct ipa_extdom_ctx *ctx,
+ enum request_types request_type, uid_t uid,
const char *domain_name, struct berval **berval)
{
int ret;
@@ -721,7 +721,8 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
ret = pack_ber_sid(sid_str, berval);
} else {
- ret = getpwuid_r_wrapper(MAX_BUF, uid, &pwd, &buf, &buf_len);
+ ret = getpwuid_r_wrapper(ctx->max_nss_buf_size, uid, &pwd, &buf,
+ &buf_len);
if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
@@ -744,7 +745,8 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
}
}
- ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
+ ret = pack_ber_user(ctx,
+ (request_type == REQ_FULL ? RESP_USER
: RESP_USER_GROUPLIST),
domain_name, pwd.pw_name, pwd.pw_uid,
pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
@@ -758,7 +760,8 @@ done:
return ret;
}
-static int handle_gid_request(enum request_types request_type, gid_t gid,
+static int handle_gid_request(struct ipa_extdom_ctx *ctx,
+ enum request_types request_type, gid_t gid,
const char *domain_name, struct berval **berval)
{
int ret;
@@ -787,7 +790,8 @@ static int handle_gid_request(enum request_types request_type, gid_t gid,
ret = pack_ber_sid(sid_str, berval);
} else {
- ret = getgrgid_r_wrapper(MAX_BUF, gid, &grp, &buf, &buf_len);
+ ret = getgrgid_r_wrapper(ctx->max_nss_buf_size, gid, &grp, &buf,
+ &buf_len);
if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
@@ -823,7 +827,8 @@ done:
return ret;
}
-static int handle_sid_request(enum request_types request_type, const char *sid,
+static int handle_sid_request(struct ipa_extdom_ctx *ctx,
+ enum request_types request_type, const char *sid,
struct berval **berval)
{
int ret;
@@ -874,7 +879,8 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
switch(id_type) {
case SSS_ID_TYPE_UID:
case SSS_ID_TYPE_BOTH:
- ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
+ ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf,
+ &buf_len);
if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
@@ -897,14 +903,16 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
}
}
- ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
+ ret = pack_ber_user(ctx,
+ (request_type == REQ_FULL ? RESP_USER
: RESP_USER_GROUPLIST),
domain_name, pwd.pw_name, pwd.pw_uid,
pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
pwd.pw_shell, kv_list, berval);
break;
case SSS_ID_TYPE_GID:
- ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
+ ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, &buf,
+ &buf_len);
if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
@@ -947,7 +955,8 @@ done:
return ret;
}
-static int handle_name_request(enum request_types request_type,
+static int handle_name_request(struct ipa_extdom_ctx *ctx,
+ enum request_types request_type,
const char *name, const char *domain_name,
struct berval **berval)
{
@@ -988,7 +997,8 @@ static int handle_name_request(enum request_types request_type,
goto done;
}
- ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
+ ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf,
+ &buf_len);
if (ret == 0) {
if (request_type == REQ_FULL_WITH_GROUPS) {
ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
@@ -1002,7 +1012,8 @@ static int handle_name_request(enum request_types request_type,
goto done;
}
}
- ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
+ ret = pack_ber_user(ctx,
+ (request_type == REQ_FULL ? RESP_USER
: RESP_USER_GROUPLIST),
domain_name, pwd.pw_name, pwd.pw_uid,
pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
@@ -1015,7 +1026,8 @@ static int handle_name_request(enum request_types request_type,
* error codes which can indicate that the user was not found. To
* be on the safe side we fail back to the group lookup on all
* errors. */
- ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
+ ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, &buf,
+ &buf_len);
if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
@@ -1061,20 +1073,23 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
switch (req->input_type) {
case INP_POSIX_UID:
- ret = handle_uid_request(req->request_type, req->data.posix_uid.uid,
+ ret = handle_uid_request(ctx, req->request_type,
+ req->data.posix_uid.uid,
req->data.posix_uid.domain_name, berval);
break;
case INP_POSIX_GID:
- ret = handle_gid_request(req->request_type, req->data.posix_gid.gid,
+ ret = handle_gid_request(ctx, req->request_type,
+ req->data.posix_gid.gid,
req->data.posix_uid.domain_name, berval);
break;
case INP_SID:
- ret = handle_sid_request(req->request_type, req->data.sid, berval);
+ ret = handle_sid_request(ctx, req->request_type, req->data.sid, berval);
break;
case INP_NAME:
- ret = handle_name_request(req->request_type, req->data.name.object_name,
+ ret = handle_name_request(ctx, req->request_type,
+ req->data.name.object_name,
req->data.name.domain_name, berval);
break;
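Review bot: In the `INP_POSIX_GID` case the rewritten call still takes the domain from `req->data.posix_uid.domain_name` while the gid comes from `req->data.posix_gid.gid`. If `data` is a union whose two members share a layout this works only by accident; assuming `posix_gid` has its own `domain_name` member, the argument should read `req->data.posix_gid.domain_name, berval);`. The line is unchanged context, but the commit touches the call it belongs to, so it is a cheap place to fix it. The switch continues outside the hunk.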
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
index aa66c145b..e53f968db 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
@@ -40,6 +40,8 @@
#include "ipa_extdom.h"
#include "util.h"
+#define DEFAULT_MAX_NSS_BUFFER (128*1024*1024)
+
Slapi_PluginDesc ipa_extdom_plugin_desc = {
IPA_EXTDOM_FEATURE_DESC,
"FreeIPA project",
@@ -185,6 +187,14 @@ static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx)
goto done;
}
+ ctx->max_nss_buf_size = slapi_entry_attr_get_uint(e,
+ "ipaExtdomMaxNssBufSize");
+ if (ctx->max_nss_buf_size == 0) {
+ ctx->max_nss_buf_size = DEFAULT_MAX_NSS_BUFFER;
+ }
+ LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
+
+ ret = 0;
done:
if (ret) {