author | Jakub Hrozek <jhrozek@redhat.com> | 2015-06-17 16:13:51 +0200 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-07-15 17:32:46 +0200 |
commit | b9e74a747b8f1012bba3575f3e4289ef4877d64a (patch) | |
tree | 168dc2018bf564d1282ca9f1e138e7c5ebce9c10 /src | |
parent | 1f2fc55ecf7b5e170b2c0752304d1a2ecebc5259 (diff) | |
LDAP: Add the wildcard_limit option
Related:
https://fedorahosted.org/sssd/ticket/2553
Adds a new wildcard_limit option, set by default to 1000 (one page),
which limits the number of entries a wildcard search may return.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ad.conf | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ldap.conf | 1 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 17 | ||||
-rw-r--r-- | src/providers/ad/ad_opts.h | 1 | ||||
-rw-r--r-- | src/providers/ipa/ipa_opts.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/ldap_opts.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_groups.c | 8 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_users.c | 8 |
11 files changed, 39 insertions, 2 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 4d45e42af..4b519eddd 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -355,6 +355,7 @@ option_strings = {
 'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'),
 'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'),
 'ldap_pwdlockout_dn' : _('DN for ppolicy queries'),
+ 'wildcard_limit' : _('How many maximum entries to fetch during a wildcard request'),
 # [provider/ldap/auth]
 'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index faab3a51e..b636d9310 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -56,6 +56,7 @@ ldap_deref_threshold = int, None, false
 ldap_connection_expire_timeout = int, None, false
 ldap_disable_paging = bool, None, false
 krb5_confd_path = str, None, false
+wildcard_limit = int, None, false
 [provider/ad/id]
 ldap_search_timeout = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index cfcc00f6f..ab712fe55 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -52,6 +52,7 @@ ldap_deref_threshold = int, None, false
 ldap_connection_expire_timeout = int, None, false
 ldap_disable_paging = bool, None, false
 krb5_confd_path = str, None, false
+wildcard_limit = int, None, false
 [provider/ipa/id]
 ldap_search_timeout = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index c10290217..8fd45fd40 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -37,6 +37,7 @@ ldap_sasl_minssf = int, None, false
 ldap_connection_expire_timeout = int, None, false
 ldap_disable_paging = bool, None, false
 ldap_disable_range_retrieval = bool, None, false
+wildcard_limit = int, None, false
 [provider/ldap/id]
 ldap_search_timeout = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index f14090843..9ac175f8d 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -2135,6 +2135,23 @@ ldap_access_filter = (employeeType=admin)
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>wildcart_limit (integer)</term>
+ <listitem>
+ <para>
+ Specifies an upper limit on the number of entries
+ that are downloaded during a wildcard lookup.
+ </para>
+ <para>
+ At the moment, only the InfoPipe responder supports
+ wildcard lookups.
+ </para>
+ <para>
+ Default: 1000 (often the size of one page)
+ </para>
+ </listitem>
+ </varlistentry>
+
 </variablelist>
 </para>
 </refsect1>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index cb4c05d84..d685edcb4 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -146,6 +146,7 @@ struct dp_option ad_def_ldap_opts[] = {
 { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
 { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
 { "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "wildcard_limit", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER},
 DP_OPTION_TERMINATOR
 };
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 253c07153..9576228d1 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -157,6 +157,7 @@ struct dp_option ipa_def_ldap_opts[] = {
 { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
 { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
 { "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "wildcard_limit", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER},
 DP_OPTION_TERMINATOR
 };
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index c1b9bf688..9f58db5bd 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -122,6 +122,7 @@ struct dp_option default_basic_opts[] = {
 { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
 { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
 { "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "wildcard_limit", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER},
 DP_OPTION_TERMINATOR
 };
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index d9b2d1863..444502bf7 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -231,6 +231,7 @@ enum sdap_basic_opt {
 SDAP_MIN_ID,
 SDAP_MAX_ID,
 SDAP_PWDLOCKOUT_DN,
+ SDAP_WILDCARD_LIMIT,
 SDAP_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index ad0354df1..525c6fa09 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1856,6 +1856,7 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
 struct tevent_req *subreq;
 struct sdap_get_groups_state *state;
 bool need_paging = false;
+ int sizelimit = 0;
 state = tevent_req_data(req, struct sdap_get_groups_state);
@@ -1873,13 +1874,18 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
 switch (state->lookup_type) {
 case SDAP_LOOKUP_SINGLE:
+ sizelimit = 1;
 need_paging = false;
 break;
 /* Only requests that can return multiple entries should require
 * the paging control */
 case SDAP_LOOKUP_WILDCARD:
+ sizelimit = dp_opt_get_int(state->opts->basic, SDAP_WILDCARD_LIMIT);
+ need_paging = true;
+ break;
 case SDAP_LOOKUP_ENUMERATE:
+ sizelimit = 0; /* unlimited */
 need_paging = true;
 break;
 }
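Review bot: The option registered here as `"wildcard_limit"` is documented in this commit's sssd-ldap.5.xml hunk as `<term>wildcart_limit (integer)</term>`, so the man page names an option that does not exist and an administrator copying it will get an unknown-option error (or, worse, silently keep the default); the term should read `wildcard_limit (integer)`. The literal default `{ .number = 1000 }` is now repeated in ad_opts.h, ipa_opts.h and this table, and the man page repeats it a fourth time in prose, so a single named constant in a header all three tables already include would keep the four from drifting. The man page also says nothing about what 0 or a negative value does, which the provider code in this commit decides without validation.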
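Review bot: In the SDAP_LOOKUP_WILDCARD case the value read from SDAP_WILDCARD_LIMIT is handed to the search unchecked, and this function's own ENUMERATE case shows that `0` means unlimited on the wire, so `wildcard_limit = 0` removes the cap instead of tightening it and a negative value is passed straight through. Either reject values below 1 where the options are loaded (outside this diff) or document 0 as "no limit", and say which here: `/* 0 means "no limit" to the server; option validation must keep this >= 1 */`. Whether a server that answers LDAP_SIZELIMIT_EXCEEDED once the limit is hit is treated as a truncated-but-usable result or as a failed lookup is decided in sdap_get_generic_send's completion path, which this diff does not touch and which is worth confirming since with paging enabled that is the expected outcome for a broad wildcard. sdap_get_groups_next_base continues beyond this hunk.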
@@ -1891,7 +1897,7 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
 state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->group_map, SDAP_OPTS_GROUP,
- 0, NULL, NULL, 0, state->timeout,
+ 0, NULL, NULL, sizelimit, state->timeout,
 need_paging);
 if (!subreq) {
 return ENOMEM;
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index f66ae2604..a864a8b21 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -674,6 +674,7 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
 struct tevent_req *subreq;
 struct sdap_search_user_state *state;
 bool need_paging = false;
+ int sizelimit = 0;
 state = tevent_req_data(req, struct sdap_search_user_state);
@@ -691,13 +692,18 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
 switch (state->lookup_type) {
 case SDAP_LOOKUP_SINGLE:
+ sizelimit = 1;
 need_paging = false;
 break;
 /* Only requests that can return multiple entries should require
 * the paging control */
 case SDAP_LOOKUP_WILDCARD:
+ sizelimit = dp_opt_get_int(state->opts->basic, SDAP_WILDCARD_LIMIT);
+ need_paging = true;
+ break;
 case SDAP_LOOKUP_ENUMERATE:
+ sizelimit = 0; /* unlimited */
 need_paging = true;
 break;
 }
@@ -708,7 +714,7 @@ static errno_t sdap_search_user_next_base(struct tevent_req *req)
 state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->user_map, state->opts->user_map_cnt,
- 0, NULL, NULL, 0, state->timeout,
+ 0, NULL, NULL, sizelimit, state->timeout,
 need_paging);
 if (subreq == NULL) {
 return ENOMEM; |
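Review bot: The SDAP_LOOKUP_SINGLE case now sends `sizelimit = 1` on every single-entry lookup, a behaviour change the commit message does not mention: a directory that holds two entries for a key SSSD treats as unique will answer with a size-limit result instead of returning both, so the completion path of sdap_get_generic_send (not in this diff) has to turn that into the error the callers already expect for a duplicate, and that should be confirmed before this lands. This switch is also now a byte-for-byte copy of the one in sdap_get_groups_next_base, and both decide a limit that bounds how much directory data a wildcard request can pull, so the two should share one helper rather than be edited in step; a sketch is below, with the enum type of `state->lookup_type` and the `struct sdap_options` type of `state->opts` taken from sdap.h and to be checked. sdap_search_user_next_base starts before and ends after this hunk.
```c
/* Decide the LDAP sizelimit and whether the paged-results control is
 * needed for one lookup type.  Shared by the user and group searches
 * so the two cannot drift.  A limit of 0 means "no limit" on the wire. */
static inline int sdap_lookup_sizelimit(struct sdap_options *opts,
                                        enum sdap_entry_lookup_type type,
                                        bool *_need_paging)
{
    switch (type) {
    case SDAP_LOOKUP_SINGLE:
        *_need_paging = false;
        return 1;
    case SDAP_LOOKUP_WILDCARD:
        *_need_paging = true;
        return dp_opt_get_int(opts->basic, SDAP_WILDCARD_LIMIT);
    case SDAP_LOOKUP_ENUMERATE:
        *_need_paging = true;
        return 0; /* unlimited */
    }
    *_need_paging = false;
    return 0;
}

/* … unchanged: search-base iteration before the switch … */
    sizelimit = sdap_lookup_sizelimit(state->opts, state->lookup_type,
                                      &need_paging);
/* … unchanged: sdap_get_generic_send() call … */
```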