authorSumit Bose <sbose@redhat.com>2015-03-09 16:36:29 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-03-20 07:49:59 +0100
commitea3df3783ad95875020f56fa6e992c0e0d729dc2 (patch)
tree70bc00925152da2b94747aa589f0e2f13649552f /src/providers/ldap/ldap_id.c
parent41cce42c02f2ef0bdc3faa7003378a424be5e165 (diff)
LDAP/AD: do not resolve group members during tokenGroups request
During initgroups requests we try to avoid resolving the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup returns the complete list of memberships for a user, hence it is not necessary to look up the other group members and unroll nested groups. With this patch only the group entry is looked up and saved as an incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send(). The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true, groups which are missing in the cache are created as incomplete groups. As a result a request to look up this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests. https://fedorahosted.org/sssd/ticket/2601 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1) (cherry picked from commit b8d9eca0d9469c1209161b31a0109d8e4ea2868c)
Diffstat (limited to 'src/providers/ldap/ldap_id.c')
-rw-r--r--src/providers/ldap/ldap_id.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 6de5b72a8..55bb3c9fb 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -528,6 +528,7 @@ struct groups_get_state {
int dp_error;
int sdap_ret;
bool noexist_delete;
+ bool no_members;
};
static int groups_get_retry(struct tevent_req *req);
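Review bot: The new `no_members` field in struct groups_get_state is added without a comment, and its meaning differs from the neighbouring `noexist_delete` and from the domain's ignore_group_members option in a way that is only explained in the commit message. A short field comment would keep that distinction in the code: `bool no_members; /* skip member attributes; the group is stored as incomplete so a later lookup re-fetches it */`. The struct definition begins before this hunk.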
@@ -544,7 +545,8 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
const char *name,
int filter_type,
int attrs_type,
- bool noexist_delete)
+ bool noexist_delete,
+ bool no_members)
{
struct tevent_req *req;
struct groups_get_state *state;
@@ -567,6 +569,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
state->conn = conn;
state->dp_error = DP_ERR_FATAL;
state->noexist_delete = noexist_delete;
+ state->no_members = no_members;
state->op = sdap_id_op_create(state, state->conn->conn_cache);
if (!state->op) {
@@ -713,7 +716,8 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
/* TODO: handle attrs_type */
ret = build_attrs_from_map(state, ctx->opts->group_map, SDAP_OPTS_GROUP,
- state->domain->ignore_group_members ?
+ (state->domain->ignore_group_members
+ || state->no_members) ?
(const char **)member_filter : NULL,
&state->attrs, NULL);
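Review bot: The widened condition on the build_attrs_from_map() call treats `state->no_members` exactly like `ignore_group_members` when selecting the attribute filter, yet the commit message says the two have different cache consequences (the option discards member data, the flag yields an incomplete group that is resolved on a later request). That difference is not visible in this file and presumably lives in sdap_get_groups_send(), so a reader of this call cannot tell the two apart. A one-line comment above the call, `/* no_members only trims the requested attributes; the incomplete-group handling is in sdap_get_groups_send() */`, would document it. groups_get_send() continues outside the hunk.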
@@ -845,7 +849,7 @@ static void groups_get_search(struct tevent_req *req)
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
SDAP_SEARCH_TIMEOUT),
- false);
+ false, state->no_members);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
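Review bot: The sdap_get_groups_send() call now ends with two adjacent positional booleans, `false, state->no_members`, and the callers changed at @@ -1383 and @@ -1718 pass a bare `false` for the new groups_get_send() parameter; nothing at the call sites says which parameter each literal fills. Annotating the new argument, e.g. `false, /* no_members */ state->no_members` here and `noexist_delete, /* no_members */ false` at the other two sites, would make a future argument-order slip visible at review time. groups_get_search() begins before this hunk.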
@@ -1383,7 +1387,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
ar->filter_value,
ar->filter_type,
ar->attr_type,
- noexist_delete);
+ noexist_delete, false);
break;
case BE_REQ_INITGROUPS: /* init groups for user */
@@ -1718,7 +1722,7 @@ static struct tevent_req *get_user_and_group_send(TALLOC_CTX *memctx,
subreq = groups_get_send(req, state->ev, state->id_ctx,
state->sdom, state->conn,
state->filter_val, state->filter_type,
- state->attrs_type, state->noexist_delete);
+ state->attrs_type, state->noexist_delete, false);
if (subreq == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "users_get_send failed.\n");
ret = ENOMEM;