authorJakub Hrozek <jhrozek@redhat.com>2013-04-29 16:42:46 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-05-02 19:44:32 +0200
commitc45495c7a585da4de99e34c98223981a41cfd56d (patch)
treea0f14c0309f377355cc4757bd662cd11f9ca8f22
parentb503cbdaf175f96da726a7679fafaebe0b27d004 (diff)
LDAP: Only use paging control on requests for multiple entries
The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results.
-rw-r--r--src/providers/ipa/ipa_auth.c3
-rw-r--r--src/providers/ipa/ipa_hbac_hosts.c12
-rw-r--r--src/providers/ipa/ipa_hbac_rules.c3
-rw-r--r--src/providers/ipa/ipa_hbac_services.c6
-rw-r--r--src/providers/ldap/ldap_id.c6
-rw-r--r--src/providers/ldap/ldap_id_enum.c6
-rw-r--r--src/providers/ldap/sdap_access.c3
-rw-r--r--src/providers/ldap/sdap_async.c22
-rw-r--r--src/providers/ldap/sdap_async.h9
-rw-r--r--src/providers/ldap/sdap_async_accounts.c44
-rw-r--r--src/providers/ldap/sdap_async_netgroups.c5
11 files changed, 82 insertions, 37 deletions
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index d8d8ad5a..3b125e30 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -155,7 +155,8 @@ static void get_password_migration_flag_auth_done(struct tevent_req *subreq)
state->sh, search_base, LDAP_SCOPE_SUBTREE,
IPA_CONFIG_FILTER, attrs, NULL, 0,
dp_opt_get_int(state->sdap_auth_ctx->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
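Review bot: The new last argument to sdap_get_generic_send is passed as a bare `false` literal here, so a reader of the call site cannot tell what is being switched off without opening the header. The ldap_id.c and ldap_id_enum.c hunks annotate the literal (`false); /* No enumeration */`), but this hunk and the ipa_hbac_*.c, sdap_access.c, sdap_async.c, sdap_async_accounts.c and sdap_async_netgroups.c call sites do not; applying the same comment style everywhere (`false); /* single-entry lookup, no paging */`) keeps the intent visible at each site. The get_password_migration_flag_auth_done body starts before this hunk.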
diff --git a/src/providers/ipa/ipa_hbac_hosts.c b/src/providers/ipa/ipa_hbac_hosts.c
index 5626bd22..667cf906 100644
--- a/src/providers/ipa/ipa_hbac_hosts.c
+++ b/src/providers/ipa/ipa_hbac_hosts.c
@@ -125,7 +125,8 @@ ipa_hbac_host_info_send(TALLOC_CTX *mem_ctx,
LDAP_SCOPE_SUB, host_filter,
state->attrs, NULL, 0,
dp_opt_get_int(opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(1, ("Error requesting host info\n"));
ret = EIO;
@@ -211,7 +212,8 @@ ipa_hbac_host_info_done(struct tevent_req *subreq)
hostgroup_filter, state->attrs, hostgroup_map,
HOSTGROUP_MAP_ATTRS_COUNT,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(1, ("Error requesting host info\n"));
goto error;
@@ -372,7 +374,8 @@ ipa_hbac_get_hostgroups_send(TALLOC_CTX *mem_ctx,
LDAP_SCOPE_BASE, NULL, state->attrs,
hostgroup_map, HOSTGROUP_MAP_ATTRS_COUNT,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
ret = ENOMEM;
goto error;
@@ -437,7 +440,8 @@ next:
LDAP_SCOPE_BASE, NULL, state->attrs,
hostgroup_map, HOSTGROUP_MAP_ATTRS_COUNT,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
ret = ENOMEM;
goto done;
diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c
index 43e1e426..1818a5c1 100644
--- a/src/providers/ipa/ipa_hbac_rules.c
+++ b/src/providers/ipa/ipa_hbac_rules.c
@@ -162,7 +162,8 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
LDAP_SCOPE_SUB, rule_filter, rule_attrs,
NULL, 0,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(1, ("sdap_get_generic_send failed.\n"));
ret = ENOMEM;
diff --git a/src/providers/ipa/ipa_hbac_services.c b/src/providers/ipa/ipa_hbac_services.c
index d5390e51..b636576a 100644
--- a/src/providers/ipa/ipa_hbac_services.c
+++ b/src/providers/ipa/ipa_hbac_services.c
@@ -98,7 +98,8 @@ ipa_hbac_service_info_send(TALLOC_CTX *mem_ctx,
LDAP_SCOPE_SUB, service_filter,
state->attrs, NULL, 0,
dp_opt_get_int(opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(1, ("Error requesting service info\n"));
ret = EIO;
@@ -170,7 +171,8 @@ ipa_hbac_service_info_done(struct tevent_req *subreq)
state->search_base, LDAP_SCOPE_SUB,
servicegroup_filter, state->attrs, NULL, 0,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(1, ("Error requesting host info\n"));
ret = EIO;
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 709f2ca0..02f55d8b 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -171,7 +171,8 @@ static void users_get_connect_done(struct tevent_req *subreq)
sdap_id_op_handle(state->op),
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false); /* No enumeration */
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -407,7 +408,8 @@ static void groups_get_connect_done(struct tevent_req *subreq)
state->ctx->opts, sdap_id_op_handle(state->op),
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false); /* No enumeration */
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
index 2e47722a..58177658 100644
--- a/src/providers/ldap/ldap_id_enum.c
+++ b/src/providers/ldap/ldap_id_enum.c
@@ -479,7 +479,8 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
sdap_id_op_handle(state->op),
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true); /* Enumeration */
if (!subreq) {
ret = ENOMEM;
goto fail;
@@ -589,7 +590,8 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
state->ctx->opts, sdap_id_op_handle(state->op),
state->attrs, state->filter,
dp_opt_get_int(state->ctx->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true); /* Enumeration */
if (!subreq) {
ret = ENOMEM;
goto fail;
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 8757510c..712c76f5 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -745,7 +745,8 @@ static void sdap_access_filter_connect_done(struct tevent_req *subreq)
state->filter, NULL,
NULL, 0,
dp_opt_get_int(state->sdap_ctx->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (subreq == NULL) {
DEBUG(1, ("Could not start LDAP communication\n"));
state->pam_status = PAM_SYSTEM_ERR;
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 6412666d..1547e885 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -681,7 +681,8 @@ struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx,
"", LDAP_SCOPE_BASE,
"(objectclass=*)", attrs, NULL, 0,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
talloc_zfree(req);
return NULL;
@@ -757,6 +758,7 @@ struct sdap_get_generic_state {
struct sdap_attr_map *map;
int map_num_attrs;
int timeout;
+ bool allow_paging;
struct sdap_op *op;
@@ -784,7 +786,8 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
const char **attrs,
struct sdap_attr_map *map,
int map_num_attrs,
- int timeout)
+ int timeout,
+ bool allow_paging)
{
errno_t ret;
struct sdap_get_generic_state *state;
@@ -810,6 +813,15 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
state->cookie.bv_len = 0;
state->cookie.bv_val = NULL;
+ /* Be extra careful and never allow paging for BASE searches,
+ * even if requested.
+ */
+ if (scope == LDAP_SCOPE_BASE) {
+ state->allow_paging = false;
+ } else {
+ state->allow_paging = allow_paging;
+ }
+
ret = sdap_get_generic_step(req);
if (ret != EOK) {
tevent_req_error(req, ret);
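Review bot: The BASE-scope override on the added lines silently discards a caller's allow_paging=true, so a misclassified call site is never noticed in the logs. A trace-level message inside the `if (scope == LDAP_SCOPE_BASE)` branch when allow_paging was set, in the file's existing style such as `DEBUG(7, ("Paging requested for a BASE search; ignoring\n"));`, would make the override visible when debugging server-side control limits. sdap_get_generic_send begins before this hunk and continues after it.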
@@ -854,9 +866,9 @@ static errno_t sdap_get_generic_step(struct tevent_req *req)
disable_paging = dp_opt_get_bool(state->opts->basic, SDAP_DISABLE_PAGING);
- if (!disable_paging
- && sdap_is_control_supported(state->sh,
- LDAP_CONTROL_PAGEDRESULTS)) {
+ if (!disable_paging && state->allow_paging &&
+ sdap_is_control_supported(state->sh,
+ LDAP_CONTROL_PAGEDRESULTS)) {
lret = ldap_create_page_control(state->sh->ldap,
state->sh->page_size,
state->cookie.bv_val ?
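Review bot: With allow_paging false the paged-results control is no longer attached, so a search whose result set exceeds the server's size limit will now fail at the server rather than be paged through; this is the intended trade-off, but nothing in the hunk records it. A short comment above the rewritten condition, `/* Paging is only requested for searches that may return many entries; a non-paged search that exceeds the server sizelimit fails instead of being continued. */`, would save the next reader from re-deriving why a lookup that used to succeed can now return a size-limit error. sdap_get_generic_step's body runs outside this hunk on both sides.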
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 346940b0..5c011b30 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -48,7 +48,8 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
const char **attrs,
const char *wildcard,
- int timeout);
+ int timeout,
+ bool enumeration);
int sdap_get_users_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx, char **timestamp);
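Review bot: The new `enumeration` parameter on sdap_get_users_send (and on sdap_get_groups_send and `allow_paging` on sdap_get_generic_send in the following two hunks) is undocumented in the header, so its contract — true only for searches that may return an arbitrary number of entries, and BASE searches never page regardless — lives only in the implementation. A short comment on each prototype, e.g. `/* enumeration: true only for searches that may return many entries; enables the paged-results control */`, belongs here since this is the interface callers read. Also confirm that `bool` is already in scope in this header (via <stdbool.h> directly or through an existing include); the hunk does not show one being added.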
@@ -60,7 +61,8 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
const char **attrs,
const char *wildcard,
- int timeout);
+ int timeout,
+ bool enumeration);
int sdap_get_groups_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx, char **timestamp);
@@ -147,7 +149,8 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
const char **attrs,
struct sdap_attr_map *map,
int map_num_attrs,
- int timeout);
+ int timeout,
+ bool allow_paging);
int sdap_get_generic_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx, size_t *reply_count,
struct sysdb_attrs ***reply_list);
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
index 8fdadb1b..f4a460af 100644
--- a/src/providers/ldap/sdap_async_accounts.c
+++ b/src/providers/ldap/sdap_async_accounts.c
@@ -428,6 +428,7 @@ struct sdap_get_users_state {
struct sysdb_ctx *sysdb;
const char **attrs;
const char *filter;
+ bool enumeration;
char *higher_usn;
struct sysdb_attrs **users;
@@ -444,7 +445,8 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
const char **attrs,
const char *filter,
- int timeout)
+ int timeout,
+ bool enumeration)
{
struct tevent_req *req, *subreq;
struct sdap_get_users_state *state;
@@ -462,6 +464,7 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
state->higher_usn = NULL;
state->users = NULL;
state->count = 0;
+ state->enumeration = enumeration;
subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
dp_opt_get_string(state->opts->basic,
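Review bot: `state->enumeration` is written on the added line and, in the next hunk, read back immediately in the same function to forward to sdap_get_generic_send; unless the flag is also consulted in the done callback outside these hunks, a plain pass-through of the parameter would avoid widening the state struct. The same pattern appears in the sdap_get_groups_send hunks further down. If the field is kept, a one-line comment on the struct member (`bool enumeration; /* true when fetching all entries; enables LDAP paging */`) would explain why the state carries it.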
@@ -469,7 +472,7 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
LDAP_SCOPE_SUBTREE,
state->filter, state->attrs,
state->opts->user_map, SDAP_OPTS_USER,
- timeout);
+ timeout, state->enumeration);
if (!subreq) {
talloc_zfree(req);
return NULL;
@@ -1458,7 +1461,8 @@ sdap_process_missing_member_2307bis(struct tevent_req *req,
grp_state->opts->user_map,
SDAP_OPTS_USER,
dp_opt_get_int(grp_state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
return ENOMEM;
}
@@ -1659,7 +1663,8 @@ next:
state->opts->user_map,
SDAP_OPTS_USER,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -1711,6 +1716,7 @@ struct sdap_get_groups_state {
struct sysdb_ctx *sysdb;
const char **attrs;
const char *filter;
+ bool enumeration;
char *higher_usn;
struct sysdb_attrs **groups;
@@ -1732,7 +1738,8 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
const char **attrs,
const char *filter,
- int timeout)
+ int timeout,
+ bool enumeration)
{
struct tevent_req *req, *subreq;
struct sdap_get_groups_state *state;
@@ -1750,6 +1757,7 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
state->higher_usn = NULL;
state->groups = NULL;
state->count = 0;
+ state->enumeration = enumeration;
subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
dp_opt_get_string(state->opts->basic,
@@ -1757,7 +1765,7 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
LDAP_SCOPE_SUBTREE,
state->filter, state->attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
- timeout);
+ timeout, state->enumeration);
if (!subreq) {
talloc_zfree(req);
return NULL;
@@ -2320,7 +2328,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
filter, attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ true);
if (!subreq) {
talloc_zfree(req);
return NULL;
@@ -2646,7 +2655,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
state->filter, state->grp_attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
talloc_zfree(req);
return NULL;
@@ -2696,7 +2706,8 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq)
state->opts->group_map,
SDAP_OPTS_GROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -3243,7 +3254,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
filter, state->ldap_attrs,
state->opts->user_map, SDAP_OPTS_USER,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
talloc_zfree(req);
return NULL;
@@ -3835,7 +3847,8 @@ static errno_t sdap_nested_group_lookup_user(struct tevent_req *req,
state->opts->user_map,
SDAP_OPTS_USER,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
talloc_free(sdap_attrs);
return EIO;
@@ -3878,7 +3891,8 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
state->opts->group_map,
SDAP_OPTS_GROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
talloc_free(sdap_attrs);
return EIO;
@@ -4242,7 +4256,8 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
filter, attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ true);
if (!subreq) {
talloc_zfree(req);
return NULL;
@@ -4820,7 +4835,8 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
filter, attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ true);
if (!subreq) {
ret = EIO;
goto error;
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index 1f6c6d06..36dcd40d 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -469,7 +469,8 @@ static errno_t netgr_translate_members_ldap_step(struct tevent_req *req)
cn_attr, state->opts->netgroup_map,
SDAP_OPTS_NETGROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
DEBUG(1, ("sdap_get_generic_send failed.\n"));
return ENOMEM;
@@ -610,7 +611,7 @@ struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx,
LDAP_SCOPE_SUBTREE,
state->filter, state->attrs,
state->opts->netgroup_map,
- SDAP_OPTS_NETGROUP, timeout);
+ SDAP_OPTS_NETGROUP, timeout, false);
if (!subreq) {
talloc_zfree(req);
return NULL;
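Review bot: sdap_get_netgroups_send hard-codes `false` for a SUBTREE search driven by state->filter, whereas the user and group equivalents gained an enumeration parameter so the caller decides. If this request is only ever issued for a single-netgroup lookup that is fine, but if any caller runs it with a wildcard or enumeration-style filter, the result set can exceed the server size limit now that the paged-results control is withheld; mirroring the `bool enumeration` parameter here would keep the three APIs consistent. The function body starts before this hunk.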