authorJakub Hrozek <jhrozek@redhat.com>2015-05-25 10:21:05 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-06-01 15:21:45 +0200
commit62e595a57440786af4bc7e7d05596dc6756e0e4d (patch)
tree526467f2c3e3f3270fae66fb8a701c3f1e160624
parent2dfb4ed5a36a7be6bcde60e042811b81e83c4850 (diff)
Skip enumeration requests in IPA and AD providers as well
Checking the enum request in the underlying LDAP provider to skip it might be too late as the richer IPA or AD providers depend on having a useful result when the sdap request finishes. Move the enumeration check earlier instead and allow it directly in the IPA or AD handler. Related: https://fedorahosted.org/sssd/ticket/2659 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 40bc389bc79bc41429b5a92d5ce75955f8eefaf5)
-rw-r--r--src/providers/ad/ad_id.c5
-rw-r--r--src/providers/ipa/ipa_id.c5
-rw-r--r--src/providers/ldap/ldap_common.h3
-rw-r--r--src/providers/ldap/ldap_id.c48
4 files changed, 32 insertions, 29 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index ab3934727..d8ea26875 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -350,6 +350,11 @@ ad_account_info_handler(struct be_req *be_req)
return be_req_terminate(be_req, DP_ERR_OFFLINE, EAGAIN, "Offline");
}
+ if (sdap_is_enum_request(ar)) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
+ return sdap_handler_done(be_req, DP_ERR_OK, EOK, "Success");
+ }
+
/* Try to shortcut if this is ID or SID search and it belongs to
* other domain range than is in ar->domain. */
shortcut = ad_account_can_shortcut(be_ctx, sdap_id_ctx->opts->idmap_ctx,
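Review bot: The debug line added in ad_account_info_handler no longer says which kind of request was skipped, and the identical text is added in ipa_id.c and in sdap_handle_account_info, so a trace can no longer tell user, group and service enumerations apart the way the removed per-type messages in ldap_id.c did. Logging the request type would restore that, e.g. `DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand (entry type %d)\n", ar->entry_type & BE_REQ_TYPE_MASK);`, assuming entry_type is an int field. The early return also goes through `sdap_handler_done` while the offline branch directly above ends the request with `be_req_terminate`; using one of the two throughout this handler would read more consistently. The function body starts and ends outside this hunk.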
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index e3a7fffc3..1dcb82d66 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -89,6 +89,11 @@ void ipa_account_info_handler(struct be_req *breq)
ar = talloc_get_type(be_req_get_data(breq), struct be_acct_req);
+ if (sdap_is_enum_request(ar)) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
+ return sdap_handler_done(breq, DP_ERR_OK, EOK, "Success");
+ }
+
if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
/* if domain names do not match, this is a subdomain case
* subdomain lookups are handled differently on the server
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 57ad1b845..c142af345 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -102,6 +102,9 @@ int sdap_id_setup_tasks(struct be_ctx *be_ctx,
be_ptask_recv_t recv_fn,
void *pvt);
+/* Allow shortcutting an enumeration request */
+bool sdap_is_enum_request(struct be_acct_req *ar);
+
struct tevent_req *
sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
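Review bot: The comment on the new prototype does not state the helper's contract: from ldap_id.c it returns true only for user, group and service requests whose filter type is BE_FILTER_ENUM, and it dereferences `ar` unconditionally. A comment along the lines of `/* Returns true if ar is a user, group or service request with BE_FILTER_ENUM; the account info handlers complete such requests with EOK right away. ar must not be NULL. */` would tell IPA and AD callers what they are opting into. Other entry types fall through to the normal handlers, which is worth saying explicitly because the name suggests it covers every enumeration.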
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 724990653..8ccb36092 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1358,6 +1358,20 @@ void sdap_account_info_handler(struct be_req *breq)
return sdap_handle_account_info(breq, ctx, ctx->conn);
}
+bool sdap_is_enum_request(struct be_acct_req *ar)
+{
+ switch (ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_USER:
+ case BE_REQ_GROUP:
+ case BE_REQ_SERVICES:
+ if (ar->filter_type == BE_FILTER_ENUM) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
/* A generic LDAP account info handler */
struct sdap_handle_acct_req_state {
struct be_acct_req *ar;
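Review bot: sdap_is_enum_request reads `ar->entry_type` without checking `ar`, and the ipa_id.c call site passes in the result of `talloc_get_type()` with no check visible in that hunk; that call yields NULL when the request data has a different talloc type. A guard at the top, `if (ar == NULL) return false;`, would make the helper safe to call before a handler's own validation, though the existing code after the IPA call dereferences `ar` as well, so this is hardening rather than a new crash path. The switch has no `default:` and relies on falling out of the last case; adding `default: break;` states the intent. Since the helper only reads the request, the parameter could also be declared `const struct be_acct_req *ar`.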
@@ -1398,16 +1412,6 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
switch (ar->entry_type & BE_REQ_TYPE_MASK) {
case BE_REQ_USER: /* user */
-
- /* skip enumerations on demand */
- if (ar->filter_type == BE_FILTER_ENUM) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "Skipping user enumeration on demand\n");
- state->err = "Success";
- ret = EOK;
- goto done;
- }
-
subreq = users_get_send(state, be_ctx->ev, id_ctx,
sdom, conn,
ar->filter_value,
@@ -1418,16 +1422,6 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
break;
case BE_REQ_GROUP: /* group */
-
- /* skip enumerations on demand */
- if (ar->filter_type == BE_FILTER_ENUM) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "Skipping group enumeration on demand\n");
- state->err = "Success";
- ret = EOK;
- goto done;
- }
-
subreq = groups_get_send(state, be_ctx->ev, id_ctx,
sdom, conn,
ar->filter_value,
@@ -1472,15 +1466,6 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
break;
case BE_REQ_SERVICES:
- /* skip enumerations on demand */
- if (ar->filter_type == BE_FILTER_ENUM) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "Skipping service enumeration on demand\n");
- state->err = "Success";
- ret = EOK;
- goto done;
- }
-
if (ar->filter_type == BE_FILTER_SECID
|| ar->filter_type == BE_FILTER_UUID) {
ret = EINVAL;
@@ -1666,6 +1651,11 @@ void sdap_handle_account_info(struct be_req *breq, struct sdap_id_ctx *ctx,
EINVAL, "Invalid private data");
}
+ if (sdap_is_enum_request(ar)) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
+ return sdap_handler_done(breq, DP_ERR_OK, EOK, "Success");
+ }
+
req = sdap_handle_acct_req_send(breq, ctx->be, ar, ctx,
ctx->opts->sdom, conn, true);
if (req == NULL) {
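Review bot: With the three in-function checks removed, sdap_handle_acct_req_send no longer filters BE_FILTER_ENUM itself and depends on every caller having tested `sdap_is_enum_request(ar)` first, as sdap_handle_account_info now does just before the call. The function is declared in ldap_common.h, so any caller that reaches it without going through one of the three guarded handlers would start a full enumeration on demand; callers outside this page should be checked. Documenting the new precondition on the function would help, for example `/* Callers must reject enumeration requests with sdap_is_enum_request() first; this function no longer skips them. */`. The body of sdap_handle_account_info continues past the end of this hunk.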