diff options
-rw-r--r-- | src/config/SSSDConfig.py | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ldap.conf | 1 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 14 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.c | 3 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.c | 144 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 4 |
9 files changed, 148 insertions, 26 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index 9c61f06f5..6026bf4ff 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py @@ -139,6 +139,7 @@ option_strings = { 'ldap_krb5_ticket_lifetime' : _('Lifetime of TGT for LDAP connection'), 'ldap_deref' : _('How to dereference aliases'), 'ldap_dns_service_name' : _('Service name for DNS service lookups'), + 'ldap_page_size' : _('The number of records to retrieve in a single LDAP query'), 'ldap_entry_usn' : _('entryUSN attribute'), 'ldap_rootdse_last_usn' : _('lastUSN attribute'), diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index 0e1b2ca55..d69b906ac 100644 --- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -27,6 +27,7 @@ ldap_referrals = bool, None, false ldap_krb5_ticket_lifetime = int, None, false ldap_dns_service_name = str, None, false ldap_deref = str, None, false +ldap_page_size = int, None, false [provider/ldap/id] ldap_search_timeout = int, None, false diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 95fda7811..b45b355a6 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -838,6 +838,20 @@ </varlistentry> <varlistentry> + <term>ldap_page_size (integer)</term> + <listitem> + <para> + Specify the number of records to retrieve from + LDAP in a single request. Some LDAP servers + enforce a maximum limit per-request. + </para> + <para> + Default: 1000 + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>ldap_tls_reqcert (string)</term> <listitem> <para> diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 579b8b60e..7d7f04665 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -91,7 +91,8 @@ struct dp_option ipa_def_ldap_opts[] = { /* Do not include ldap_auth_disable_tls_never_use_in_production in the * manpages or SSSDConfig API */ - { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE } + { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER } }; struct sdap_attr_map ipa_attr_map[] = { diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 588aa63e4..922806234 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -35,7 +35,7 @@ struct ipa_service { /* the following defines are used to keep track of the options in the ldap * module, so that if they change and ipa is not updated correspondingly * this will trigger a runtime abort error */ -#define IPA_OPTS_BASIC_TEST 48 +#define IPA_OPTS_BASIC_TEST 49 /* the following define is used to keep track of the options in the krb5 * module, so that if they change and ipa is not updated correspondingly diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 4562b0e17..8294e9225 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -85,7 +85,8 @@ struct dp_option default_basic_opts[] = { /* Do not include ldap_auth_disable_tls_never_use_in_production in the * manpages or SSSDConfig API */ - { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE } + { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER } }; struct sdap_attr_map generic_attr_map[] = { diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 31e72cd5b..e03e7e624 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -87,6 +87,7 @@ struct sdap_handle { bool connected; /* Authentication ticket expiration time (if any) */ time_t expire_time; + ber_int_t page_size; struct sdap_fd_events *sdap_fd_events; @@ -201,6 +202,7 @@ enum sdap_basic_opt { SDAP_CHPASS_DNS_SERVICE_NAME, SDAP_ENUM_SEARCH_TIMEOUT, SDAP_DISABLE_AUTH_TLS, + SDAP_PAGE_SIZE, SDAP_OPTS_BASIC /* opts counter */ }; diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index ebd8d485b..e183855a2 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -749,21 +749,24 @@ struct sdap_get_generic_state { const char **attrs; struct sdap_attr_map *map; int map_num_attrs; + int timeout; struct sdap_op *op; + struct berval cookie; + size_t reply_max; size_t reply_count; struct sysdb_attrs **reply; }; +static errno_t sdap_get_generic_step(struct tevent_req *req); +static void sdap_get_generic_done(struct sdap_op *op, + struct sdap_msg *reply, + int error, void *pvt); static errno_t add_to_reply(struct sdap_get_generic_state *state, struct sysdb_attrs *msg); -static void sdap_get_generic_done(struct sdap_op *op, - struct sdap_msg *reply, - int error, void *pvt); - struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, struct tevent_context *ev, struct sdap_options *opts, @@ -776,13 +779,9 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, int map_num_attrs, int timeout) { - struct tevent_req *req = NULL; - struct sdap_get_generic_state *state = NULL; - char *errmsg; - int lret; - int optret; - int ret; - int msgid; + errno_t ret; + struct sdap_get_generic_state *state; + struct tevent_req *req; req = tevent_req_create(memctx, &state, struct sdap_get_generic_state); if (!req) return NULL; @@ -800,6 +799,38 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, state->reply_max = 0; state->reply_count = 0; state->reply = NULL; + state->timeout = timeout; + state->cookie.bv_len = 0; + state->cookie.bv_val = NULL; + + ret = sdap_get_generic_step(req); + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; + } + + return req; +} + +static errno_t sdap_get_generic_step(struct tevent_req *req) +{ + struct sdap_get_generic_state *state = + tevent_req_data(req, struct sdap_get_generic_state); + char *errmsg; + int lret; + int optret; + errno_t ret; + int msgid; + + LDAPControl *page_control = NULL; + LDAPControl *m_controls[2] = { NULL, NULL }; + + /* Make sure to free any previous operations so + * if we are handling a large number of pages we + * don't waste memory. + */ + talloc_zfree(state->op); DEBUG(6, ("calling ldap_search_ext with [%s][%s].\n", state->filter, state->search_base)); @@ -813,10 +844,28 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, } } + if (sdap_is_control_supported(state->sh, + LDAP_CONTROL_PAGEDRESULTS)) { + lret = ldap_create_page_control(state->sh->ldap, + state->sh->page_size, + state->cookie.bv_val ? + &state->cookie : + NULL, + false, + &page_control); + if (lret != LDAP_SUCCESS) { + ret = EIO; + goto done; + } + m_controls[0] = page_control; + } + lret = ldap_search_ext(state->sh->ldap, state->search_base, state->scope, state->filter, discard_const(state->attrs), - false, NULL, NULL, NULL, 0, &msgid); + false, m_controls, NULL, NULL, 0, &msgid); + ldap_control_free(page_control); + m_controls[0] = NULL; if (lret != LDAP_SUCCESS) { DEBUG(3, ("ldap_search_ext failed: %s\n", ldap_err2string(lret))); if (lret == LDAP_SERVER_DOWN) { @@ -838,27 +887,23 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, else { ret = EIO; } - goto fail; + goto done; } DEBUG(8, ("ldap_search_ext called, msgid = %d\n", msgid)); ret = sdap_op_add(state, state->ev, state->sh, msgid, - sdap_get_generic_done, req, timeout, + sdap_get_generic_done, req, + state->timeout, &state->op); if (ret != EOK) { DEBUG(1, ("Failed to set up operation!\n")); - goto fail; + goto done; } - return req; - -fail: - tevent_req_error(req, ret); - tevent_req_post(req, ev); - return req; +done: + return ret; } - static void sdap_get_generic_done(struct sdap_op *op, struct sdap_msg *reply, int error, void *pvt) @@ -870,6 +915,11 @@ static void sdap_get_generic_done(struct sdap_op *op, char *errmsg = NULL; int result; int ret; + int lret; + ber_int_t total_count; + struct berval cookie; + LDAPControl **returned_controls = NULL; + LDAPControl *page_control; if (error) { tevent_req_error(req, error); @@ -907,7 +957,8 @@ static void sdap_get_generic_done(struct sdap_op *op, case LDAP_RES_SEARCH_RESULT: ret = ldap_parse_result(state->sh->ldap, reply->msg, - &result, NULL, &errmsg, NULL, NULL, 0); + &result, NULL, &errmsg, NULL, + &returned_controls, 0); if (ret != LDAP_SUCCESS) { DEBUG(2, ("ldap_parse_result failed (%d)\n", state->op->msgid)); tevent_req_error(req, EIO); @@ -923,6 +974,53 @@ static void sdap_get_generic_done(struct sdap_op *op, } ldap_memfree(errmsg); + /* Determine if there are more pages to retrieve */ + page_control = ldap_control_find(LDAP_CONTROL_PAGEDRESULTS, + returned_controls, NULL ); + if (!page_control) { + /* No paging support. We are done */ + tevent_req_done(req); + return; + } + + lret = ldap_parse_pageresponse_control(state->sh->ldap, page_control, + &total_count, &cookie); + ldap_controls_free(returned_controls); + if (lret != LDAP_SUCCESS) { + DEBUG(1, ("Could not determine page control")); + tevent_req_error(req, EIO); + return; + } + DEBUG(7, ("Total count [%lu]\n", total_count)); + + if (cookie.bv_val != NULL && cookie.bv_len > 0) { + /* Cookie contains data, which means there are more requests + * to be processed. + */ + talloc_zfree(state->cookie.bv_val); + state->cookie.bv_len = cookie.bv_len; + state->cookie.bv_val = talloc_memdup(state, + cookie.bv_val, + cookie.bv_len); + if (!state->cookie.bv_val) { + tevent_req_error(req, ENOMEM); + return; + } + ber_memfree(cookie.bv_val); + + ret = sdap_get_generic_step(req); + if (ret != EOK) { + tevent_req_error(req, ENOMEM); + return; + } + + return; + } + /* The cookie must be freed even if len == 0 */ + ber_memfree(cookie.bv_val); + + /* This was the last page. We're done */ + tevent_req_done(req); return; diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 1a61f15fe..aa6725e83 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -108,6 +108,10 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx, talloc_zfree(req); return NULL; } + + state->sh->page_size = dp_opt_get_int(state->opts->basic, + SDAP_PAGE_SIZE); + /* Initialize LDAP handler */ lret = ldap_initialize(&state->sh->ldap, uri); if (lret != LDAP_SUCCESS) { |