-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf1
-rw-r--r--src/man/sssd-ldap.5.xml14
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ldap/ldap_common.c3
-rw-r--r--src/providers/ldap/sdap.h2
-rw-r--r--src/providers/ldap/sdap_async.c144
-rw-r--r--src/providers/ldap/sdap_async_connection.c4
9 files changed, 148 insertions, 26 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 9c61f06f5..6026bf4ff 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -139,6 +139,7 @@ option_strings = {
'ldap_krb5_ticket_lifetime' : _('Lifetime of TGT for LDAP connection'),
'ldap_deref' : _('How to dereference aliases'),
'ldap_dns_service_name' : _('Service name for DNS service lookups'),
+ 'ldap_page_size' : _('The number of records to retrieve in a single LDAP query'),
'ldap_entry_usn' : _('entryUSN attribute'),
'ldap_rootdse_last_usn' : _('lastUSN attribute'),
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 0e1b2ca55..d69b906ac 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -27,6 +27,7 @@ ldap_referrals = bool, None, false
ldap_krb5_ticket_lifetime = int, None, false
ldap_dns_service_name = str, None, false
ldap_deref = str, None, false
+ldap_page_size = int, None, false
[provider/ldap/id]
ldap_search_timeout = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 95fda7811..b45b355a6 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -838,6 +838,20 @@
</varlistentry>
<varlistentry>
+ <term>ldap_page_size (integer)</term>
+ <listitem>
+ <para>
+ Specify the number of records to retrieve from
+ LDAP in a single request. Some LDAP servers
+ enforce a maximum limit per-request.
+ </para>
+ <para>
+ Default: 1000
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_tls_reqcert (string)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 579b8b60e..7d7f04665 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -91,7 +91,8 @@ struct dp_option ipa_def_ldap_opts[] = {
/* Do not include ldap_auth_disable_tls_never_use_in_production in the
* manpages or SSSDConfig API
*/
- { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+ { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }
};
struct sdap_attr_map ipa_attr_map[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 588aa63e4..922806234 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 48
+#define IPA_OPTS_BASIC_TEST 49
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 4562b0e17..8294e9225 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -85,7 +85,8 @@ struct dp_option default_basic_opts[] = {
/* Do not include ldap_auth_disable_tls_never_use_in_production in the
* manpages or SSSDConfig API
*/
- { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+ { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }
};
struct sdap_attr_map generic_attr_map[] = {
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 31e72cd5b..e03e7e624 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -87,6 +87,7 @@ struct sdap_handle {
bool connected;
/* Authentication ticket expiration time (if any) */
time_t expire_time;
+ ber_int_t page_size;
struct sdap_fd_events *sdap_fd_events;
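Review bot: The new `page_size` member of struct sdap_handle has no comment saying where its value comes from or what consumes it, unlike the neighbouring `expire_time` field. From the rest of this commit it is filled from the `ldap_page_size` option in sdap_connect_send and handed to ldap_create_page_control in sdap_get_generic_step, so `/* Requested page size for the paged-results control (ldap_page_size) */` on the line would match the file's existing style. The struct definition continues outside this hunk.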
@@ -201,6 +202,7 @@ enum sdap_basic_opt {
SDAP_CHPASS_DNS_SERVICE_NAME,
SDAP_ENUM_SEARCH_TIMEOUT,
SDAP_DISABLE_AUTH_TLS,
+ SDAP_PAGE_SIZE,
SDAP_OPTS_BASIC /* opts counter */
};
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index ebd8d485b..e183855a2 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -749,21 +749,24 @@ struct sdap_get_generic_state {
const char **attrs;
struct sdap_attr_map *map;
int map_num_attrs;
+ int timeout;
struct sdap_op *op;
+ struct berval cookie;
+
size_t reply_max;
size_t reply_count;
struct sysdb_attrs **reply;
};
+static errno_t sdap_get_generic_step(struct tevent_req *req);
+static void sdap_get_generic_done(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt);
static errno_t add_to_reply(struct sdap_get_generic_state *state,
struct sysdb_attrs *msg);
-static void sdap_get_generic_done(struct sdap_op *op,
- struct sdap_msg *reply,
- int error, void *pvt);
-
struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_options *opts,
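Review bot: The new `cookie` member of struct sdap_get_generic_state carries an ownership rule that is not written down: its bv_val starts as NULL and, once a page response arrives, is a talloc child of the state, so it is released together with the state. A one-line comment at the field, `/* paged-results cookie; bv_val is talloc'd on this state, NULL when no further page is pending */`, would save the next reader a trip through sdap_get_generic_done. The added `timeout` member deserves a similar note, since it is kept only so each re-issued search in sdap_get_generic_step can pass it to sdap_op_add. The struct and the declaration of sdap_get_generic_send both extend beyond this hunk.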
@@ -776,13 +779,9 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
int map_num_attrs,
int timeout)
{
- struct tevent_req *req = NULL;
- struct sdap_get_generic_state *state = NULL;
- char *errmsg;
- int lret;
- int optret;
- int ret;
- int msgid;
+ errno_t ret;
+ struct sdap_get_generic_state *state;
+ struct tevent_req *req;
req = tevent_req_create(memctx, &state, struct sdap_get_generic_state);
if (!req) return NULL;
@@ -800,6 +799,38 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
state->reply_max = 0;
state->reply_count = 0;
state->reply = NULL;
+ state->timeout = timeout;
+ state->cookie.bv_len = 0;
+ state->cookie.bv_val = NULL;
+
+ ret = sdap_get_generic_step(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+ }
+
+ return req;
+}
+
+static errno_t sdap_get_generic_step(struct tevent_req *req)
+{
+ struct sdap_get_generic_state *state =
+ tevent_req_data(req, struct sdap_get_generic_state);
+ char *errmsg;
+ int lret;
+ int optret;
+ errno_t ret;
+ int msgid;
+
+ LDAPControl *page_control = NULL;
+ LDAPControl *m_controls[2] = { NULL, NULL };
+
+ /* Make sure to free any previous operations so
+ * if we are handling a large number of pages we
+ * don't waste memory.
+ */
+ talloc_zfree(state->op);
DEBUG(6, ("calling ldap_search_ext with [%s][%s].\n", state->filter,
state->search_base));
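Review bot: sdap_get_generic_step starts by freeing state->op, and it is also invoked from sdap_get_generic_done, that is from inside the callback registered for that very operation; whether the sdap_op dispatch code still dereferences the op after the callback returns is not visible in this diff, so that should be confirmed before relying on the free here. If it does, the old op should be released only after the new one has been registered, or from the caller once the callback has returned, rather than at the top of the step. The comment above the free explains the memory motive but not this ordering constraint; adding `/* Safe only because the op is never touched after its callback returns */` (once confirmed) records the assumption. The body of sdap_get_generic_step continues past this hunk.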
@@ -813,10 +844,28 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
}
}
+ if (sdap_is_control_supported(state->sh,
+ LDAP_CONTROL_PAGEDRESULTS)) {
+ lret = ldap_create_page_control(state->sh->ldap,
+ state->sh->page_size,
+ state->cookie.bv_val ?
+ &state->cookie :
+ NULL,
+ false,
+ &page_control);
+ if (lret != LDAP_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+ m_controls[0] = page_control;
+ }
+
lret = ldap_search_ext(state->sh->ldap, state->search_base,
state->scope, state->filter,
discard_const(state->attrs),
- false, NULL, NULL, NULL, 0, &msgid);
+ false, m_controls, NULL, NULL, 0, &msgid);
+ ldap_control_free(page_control);
+ m_controls[0] = NULL;
if (lret != LDAP_SUCCESS) {
DEBUG(3, ("ldap_search_ext failed: %s\n", ldap_err2string(lret)));
if (lret == LDAP_SERVER_DOWN) {
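Review bot: When `sdap_is_control_supported` returns false the search goes out with no control and becomes a single unpaged request, and nothing in the code or the log marks that fallback; since the man page for `ldap_page_size` notes that some servers cap results per request, a server-side size limit could then truncate the result set with no visible cause. A comment on the `if`, `/* Fall back to an unpaged search when the server does not advertise paged results; a server size limit may then truncate the result set */`, plus a DEBUG line in an else branch, would make that diagnosable. The unconditional `ldap_control_free(page_control)` after ldap_search_ext is correct only because OpenLDAP's ldap_control_free accepts NULL, which is the case on the unpaged path; a short comment there would stop a reader from "fixing" it.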
@@ -838,27 +887,23 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
else {
ret = EIO;
}
- goto fail;
+ goto done;
}
DEBUG(8, ("ldap_search_ext called, msgid = %d\n", msgid));
ret = sdap_op_add(state, state->ev, state->sh, msgid,
- sdap_get_generic_done, req, timeout,
+ sdap_get_generic_done, req,
+ state->timeout,
&state->op);
if (ret != EOK) {
DEBUG(1, ("Failed to set up operation!\n"));
- goto fail;
+ goto done;
}
- return req;
-
-fail:
- tevent_req_error(req, ret);
- tevent_req_post(req, ev);
- return req;
+done:
+ return ret;
}
-
static void sdap_get_generic_done(struct sdap_op *op,
struct sdap_msg *reply,
int error, void *pvt)
@@ -870,6 +915,11 @@ static void sdap_get_generic_done(struct sdap_op *op,
char *errmsg = NULL;
int result;
int ret;
+ int lret;
+ ber_int_t total_count;
+ struct berval cookie;
+ LDAPControl **returned_controls = NULL;
+ LDAPControl *page_control;
if (error) {
tevent_req_error(req, error);
@@ -907,7 +957,8 @@ static void sdap_get_generic_done(struct sdap_op *op,
case LDAP_RES_SEARCH_RESULT:
ret = ldap_parse_result(state->sh->ldap, reply->msg,
- &result, NULL, &errmsg, NULL, NULL, 0);
+ &result, NULL, &errmsg, NULL,
+ &returned_controls, 0);
if (ret != LDAP_SUCCESS) {
DEBUG(2, ("ldap_parse_result failed (%d)\n", state->op->msgid));
tevent_req_error(req, EIO);
@@ -923,6 +974,53 @@ static void sdap_get_generic_done(struct sdap_op *op,
}
ldap_memfree(errmsg);
+ /* Determine if there are more pages to retrieve */
+ page_control = ldap_control_find(LDAP_CONTROL_PAGEDRESULTS,
+ returned_controls, NULL );
+ if (!page_control) {
+ /* No paging support. We are done */
+ tevent_req_done(req);
+ return;
+ }
+
+ lret = ldap_parse_pageresponse_control(state->sh->ldap, page_control,
+ &total_count, &cookie);
+ ldap_controls_free(returned_controls);
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(1, ("Could not determine page control"));
+ tevent_req_error(req, EIO);
+ return;
+ }
+ DEBUG(7, ("Total count [%lu]\n", total_count));
+
+ if (cookie.bv_val != NULL && cookie.bv_len > 0) {
+ /* Cookie contains data, which means there are more requests
+ * to be processed.
+ */
+ talloc_zfree(state->cookie.bv_val);
+ state->cookie.bv_len = cookie.bv_len;
+ state->cookie.bv_val = talloc_memdup(state,
+ cookie.bv_val,
+ cookie.bv_len);
+ if (!state->cookie.bv_val) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ ber_memfree(cookie.bv_val);
+
+ ret = sdap_get_generic_step(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ return;
+ }
+ /* The cookie must be freed even if len == 0 */
+ ber_memfree(cookie.bv_val);
+
+ /* This was the last page. We're done */
+
tevent_req_done(req);
return;
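Review bot: `returned_controls` is leaked on the no-paging path: after ldap_parse_result fills it, the `if (!page_control)` branch calls tevent_req_done and returns without `ldap_controls_free(returned_controls);`, and the same probably holds for the error returns between ldap_parse_result and ldap_memfree(errmsg), which lie outside this hunk. Adding `ldap_controls_free(returned_controls);` before the tevent_req_done in that branch, and on those earlier exits, closes it. Separately, when sdap_get_generic_step fails the request is completed with a hard-coded ENOMEM although the step returns EIO for LDAP failures; `tevent_req_error(req, ret);` preserves the real cause. Finally, `DEBUG(7, ("Total count [%lu]\n", total_count));` passes a ber_int_t, a plain int in OpenLDAP's lber, for `%lu`, which is a format/argument mismatch; `%d` is the matching specifier, and the DEBUG at the parse failure is also missing its trailing newline. The body of sdap_get_generic_done continues outside the hunk.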
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 1a61f15fe..aa6725e83 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -108,6 +108,10 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
talloc_zfree(req);
return NULL;
}
+
+ state->sh->page_size = dp_opt_get_int(state->opts->basic,
+ SDAP_PAGE_SIZE);
+
/* Initialize LDAP handler */
lret = ldap_initialize(&state->sh->ldap, uri);
if (lret != LDAP_SUCCESS) {
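Review bot: `page_size` is copied straight from the `ldap_page_size` option into the handle with no range check, and it later reaches ldap_create_page_control as the requested page size; a zero or negative value from the configuration is not meaningful and what libldap or the server does with it is not something this code should depend on. A guard after the assignment, `if (state->sh->page_size <= 0) { DEBUG(1, ("ldap_page_size must be a positive number\n")); /* fail the connect */ }`, using whatever error exit sdap_connect_send already takes (the lines just above free req and return NULL), would reject it at connect time instead of per search. The body of sdap_connect_send continues outside the hunk.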