authorJakub Hrozek <jhrozek@redhat.com>2015-05-04 15:16:44 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-07-16 11:12:32 +0200
commit9604ff1731ab7bd067bef62a0df6000eca091856 (patch)
tree5c680a0f0942cc0598a5668a2e0ec9ef32b02837
parentf736b14f1e308d67e091d3ee56ef0384d618130e (diff)
downloadsssd-9604ff1731ab7bd067bef62a0df6000eca091856.tar.gz
sssd-9604ff1731ab7bd067bef62a0df6000eca091856.tar.xz
sssd-9604ff1731ab7bd067bef62a0df6000eca091856.zip
LDAP: Fetch users and groups using wildcards
Related: https://fedorahosted.org/sssd/ticket/2553 Adds a handler for BE_FILTER_WILDCARD in the LDAP provider. So far it is the same code path as enumeration, so there are no limits. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r--src/providers/ldap/ldap_common.h3
-rw-r--r--src/providers/ldap/ldap_id.c50
2 files changed, 51 insertions, 2 deletions
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 424eacb1d..8294d1db2 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -39,6 +39,9 @@
#define LDAP_SSL_URI "ldaps://"
#define LDAP_LDAPI_URI "ldapi://"
+/* Only the asterisk is allowed in wildcard requests */
+#define LDAP_ALLOWED_WILDCARDS "*"
+
/* a fd the child process would log into */
extern int ldap_child_debug_fd;
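Review bot: The comment on the new LDAP_ALLOWED_WILDCARDS define says which character is allowed but not what the set is used for; from the ldap_id.c hunks it is the allow-list passed to sss_filter_sanitize_ex() for BE_FILTER_WILDCARD requests, and the definition is where a maintainer will look for that contract. I would write it as `/* Characters sss_filter_sanitize_ex() leaves unescaped in BE_FILTER_WILDCARD requests; only the asterisk is allowed. */`. Widening this set changes what a caller-supplied name can place verbatim in the LDAP filter, so stating that at the definition is worth the extra line.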
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 3245e1b12..61f09fc41 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -114,6 +114,14 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
sdom->dom->name,
sdom->dom->domain_id);
switch (filter_type) {
+ case BE_FILTER_WILDCARD:
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
+ ret = sss_filter_sanitize_ex(state, name, &clean_name,
+ LDAP_ALLOWED_WILDCARDS);
+ if (ret != EOK) {
+ goto done;
+ }
+ break;
case BE_FILTER_NAME:
if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
attr_name = ctx->opts->user_map[SDAP_AT_USER_PRINC].name;
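Review bot: The BE_FILTER_WILDCARD case at the top of the hunk (and its twin in the groups_get_send hunk further down) sanitizes the name with only `*` left unescaped, but nothing bounds the result set, so a maximally broad pattern matches every user the base filter admits; the commit message acknowledges this, and the code should too until a limit exists: `/* No size limit yet: a broad pattern matches every entry the base filter allows. */` above the sss_filter_sanitize_ex() call. In groups_get_send the wildcard case also repeats the attr_name assignment that the BE_FILTER_NAME case already makes, so the two labels could share it there. users_get_send starts before this hunk, so the `done:` label and the remaining filter cases are outside what is shown.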
@@ -388,6 +396,13 @@ static void users_get_search(struct tevent_req *req)
struct users_get_state *state = tevent_req_data(req,
struct users_get_state);
struct tevent_req *subreq;
+ bool multiple_results;
+
+ if (state->filter_type == BE_FILTER_WILDCARD) {
+ multiple_results = true;
+ } else {
+ multiple_results = false;
+ }
subreq = sdap_get_users_send(state, state->ev,
state->domain, state->sysdb,
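Review bot: The multiple_results if/else in the middle of the hunk spends five lines and an uninitialized declaration on a value that is a single comparison; `bool multiple_results = (state->filter_type == BE_FILTER_WILDCARD);` says the same thing and is initialized at the point of declaration. The groups_get_search hunk below adds the identical shape and would take the same one-liner. users_get_search continues past the end of this hunk.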
@@ -397,7 +412,7 @@ static void users_get_search(struct tevent_req *req)
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
SDAP_SEARCH_TIMEOUT),
- false);
+ multiple_results);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -508,6 +523,13 @@ static void users_get_done(struct tevent_req *subreq)
* group we have nothing to do here. */
break;
+ case BE_FILTER_WILDCARD:
+ /* We can't know if all users are up-to-date, especially in a large
+ * environment. Do not delete any records, let the responder fetch
+ * the entries they are requested in
+ */
+ break;
+
default:
tevent_req_error(req, EINVAL);
return;
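Review bot: The wording of the new BE_FILTER_WILDCARD comment, "let the responder fetch the entries they are requested in", does not parse; if I read the intent correctly it means that individual entries are refreshed when the responder asks for them one at a time, so I would write `/* We can't know whether every user is still up-to-date, especially in a large environment, so do not delete any records here; the responder refreshes individual entries when they are requested. */`. The same text appears in the groups_get_done hunk near the end of the file, which additionally adds two consecutive blank lines after its `break;` where one suffices. users_get_done continues past the end of this hunk.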
@@ -619,6 +641,14 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
sdom->dom->domain_id);
switch(filter_type) {
+ case BE_FILTER_WILDCARD:
+ attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;
+ ret = sss_filter_sanitize_ex(state, name, &clean_name,
+ LDAP_ALLOWED_WILDCARDS);
+ if (ret != EOK) {
+ goto done;
+ }
+ break;
case BE_FILTER_NAME:
attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name;
@@ -871,6 +901,13 @@ static void groups_get_search(struct tevent_req *req)
struct groups_get_state *state = tevent_req_data(req,
struct groups_get_state);
struct tevent_req *subreq;
+ bool multiple_results;
+
+ if (state->filter_type == BE_FILTER_WILDCARD) {
+ multiple_results = true;
+ } else {
+ multiple_results = false;
+ }
subreq = sdap_get_groups_send(state, state->ev,
state->sdom,
@@ -879,7 +916,8 @@ static void groups_get_search(struct tevent_req *req)
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
SDAP_SEARCH_TIMEOUT),
- false, state->no_members);
+ multiple_results,
+ state->no_members);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -953,6 +991,14 @@ static void groups_get_done(struct tevent_req *subreq)
* group we have nothing to do here. */
break;
+ case BE_FILTER_WILDCARD:
+ /* We can't know if all groups are up-to-date, especially in
+ * a large environment. Do not delete any records, let the
+ * responder fetch the entries they are requested in.
+ */
+ break;
+
+
default:
tevent_req_error(req, EINVAL);
return;