authorStephen Gallagher <sgallagh@redhat.com>2012-02-21 21:03:26 -0500
committerStephen Gallagher <sgallagh@redhat.com>2012-02-24 09:59:52 -0500
commit3828873b48096e6482329bab6da175de3f615ab8 (patch)
treefbaa7d1ce903957e5d2392a5aeb2e82d96e19835
parent093acc9d3da388c279815c52adc8b9a99362a6d4 (diff)
LDAP: Only use paging control on requests for multiple entries
The paging control can cause issues on servers that put limits on how many paging controls can be active at one time (on some servers, it is limited to one per connection). We need to reduce our usage so that we only activate the paging control when making a request that may return an arbitrary number of results. https://fedorahosted.org/sssd/ticket/1202 (phase one)
-rw-r--r--src/providers/ipa/ipa_config.c3
-rw-r--r--src/providers/ipa/ipa_hbac_rules.c3
-rw-r--r--src/providers/ipa/ipa_hbac_services.c6
-rw-r--r--src/providers/ipa/ipa_hosts.c6
-rw-r--r--src/providers/ipa/ipa_netgroups.c15
-rw-r--r--src/providers/ipa/ipa_selinux_maps.c3
-rw-r--r--src/providers/ldap/sdap_access.c3
-rw-r--r--src/providers/ldap/sdap_async.c45
-rw-r--r--src/providers/ldap/sdap_async.h3
-rw-r--r--src/providers/ldap/sdap_async_autofs.c5
-rw-r--r--src/providers/ldap/sdap_async_groups.c15
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c18
-rw-r--r--src/providers/ldap/sdap_async_netgroups.c6
-rw-r--r--src/providers/ldap/sdap_async_services.c3
-rw-r--r--src/providers/ldap/sdap_async_users.c3
-rw-r--r--src/providers/ldap/sdap_sudo.c3
16 files changed, 100 insertions, 40 deletions
diff --git a/src/providers/ipa/ipa_config.c b/src/providers/ipa/ipa_config.c
index 62a9a485..2afa3d32 100644
--- a/src/providers/ipa/ipa_config.c
+++ b/src/providers/ipa/ipa_config.c
@@ -88,7 +88,8 @@ ipa_get_config_send(TALLOC_CTX *mem_ctx,
LDAP_SCOPE_SUBTREE, IPA_CONFIG_FILTER,
state->attrs, NULL, 0,
dp_opt_get_int(opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ false);
if (subreq == NULL) {
ret = ENOMEM;
goto done;
diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c
index c07cf332..49dcdfa0 100644
--- a/src/providers/ipa/ipa_hbac_rules.c
+++ b/src/providers/ipa/ipa_hbac_rules.c
@@ -233,7 +233,8 @@ ipa_hbac_rule_info_next(struct tevent_req *req,
state->cur_filter, state->attrs,
NULL, 0,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("sdap_get_generic_send failed.\n"));
return ENOMEM;
diff --git a/src/providers/ipa/ipa_hbac_services.c b/src/providers/ipa/ipa_hbac_services.c
index 3bbdc8ba..4f0f5f7b 100644
--- a/src/providers/ipa/ipa_hbac_services.c
+++ b/src/providers/ipa/ipa_hbac_services.c
@@ -154,7 +154,8 @@ static errno_t ipa_hbac_service_info_next(struct tevent_req *req,
state->cur_filter,
state->attrs, NULL, 0,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Error requesting service info\n"));
return EIO;
@@ -267,7 +268,8 @@ ipa_hbac_servicegroup_info_next(struct tevent_req *req,
base->basedn, base->scope,
state->cur_filter, state->attrs, NULL, 0,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Error requesting servicegroup info\n"));
return EIO;
diff --git a/src/providers/ipa/ipa_hosts.c b/src/providers/ipa/ipa_hosts.c
index e939ab7f..5e41c1ee 100644
--- a/src/providers/ipa/ipa_hosts.c
+++ b/src/providers/ipa/ipa_hosts.c
@@ -169,7 +169,8 @@ static errno_t ipa_host_info_next(struct tevent_req *req,
state->attrs, state->map,
state->map_num_attrs,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Error requesting host info\n"));
talloc_zfree(state->cur_filter);
@@ -311,7 +312,8 @@ static errno_t ipa_hostgroup_info_next(struct tevent_req *req,
state->cur_filter, state->attrs, hostgroup_map,
HOSTGROUP_MAP_ATTRS_COUNT,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Error requesting hostgroup info\n"));
talloc_zfree(state->cur_filter);
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 647818fa..5acab31f 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -269,7 +269,8 @@ static errno_t ipa_netgr_next_base(struct tevent_req *req)
netgr_bases[state->netgr_base_iter]->scope,
state->filter, state->attrs,
state->opts->netgroup_map, IPA_OPTS_NETGROUP,
- state->timeout);
+ state->timeout,
+ true);
if (!subreq) {
return ENOMEM;
}
@@ -449,7 +450,7 @@ static int ipa_netgr_fetch_netgroups(struct ipa_get_netgroups_state *state,
bases[state->netgr_base_iter]->basedn,
bases[state->netgr_base_iter]->scope,
filter, state->attrs, state->opts->netgroup_map,
- IPA_OPTS_NETGROUP, state->timeout);
+ IPA_OPTS_NETGROUP, state->timeout, true);
state->current_entity = ENTITY_NG;
if (subreq == NULL) {
@@ -489,9 +490,8 @@ static int ipa_netgr_fetch_users(struct ipa_get_netgroups_state *state,
dp_opt_get_string(state->opts->basic,
SDAP_USER_SEARCH_BASE),
LDAP_SCOPE_SUBTREE,
- filter, attrs,
- state->opts->user_map,
- SDAP_OPTS_USER, state->timeout);
+ filter, attrs, state->opts->user_map,
+ SDAP_OPTS_USER, state->timeout, true);
state->current_entity = ENTITY_USER;
if (subreq == NULL) {
@@ -537,9 +537,8 @@ static int ipa_netgr_fetch_hosts(struct ipa_get_netgroups_state *state,
subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
bases[state->host_base_iter]->basedn,
bases[state->host_base_iter]->scope,
- filter, attrs,
- state->opts->host_map,
- IPA_OPTS_HOST, state->timeout);
+ filter, attrs, state->opts->host_map,
+ IPA_OPTS_HOST, state->timeout, true);
state->current_entity = ENTITY_HOST;
if (subreq == NULL) {
diff --git a/src/providers/ipa/ipa_selinux_maps.c b/src/providers/ipa/ipa_selinux_maps.c
index 87650f6c..d642da7d 100644
--- a/src/providers/ipa/ipa_selinux_maps.c
+++ b/src/providers/ipa/ipa_selinux_maps.c
@@ -133,7 +133,8 @@ ipa_selinux_get_maps_next(struct tevent_req *req,
state->opts->selinuxuser_map,
IPA_OPTS_SELINUX_USERMAP,
dp_opt_get_int(state->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT));
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
if (subreq == NULL) {
return ENOMEM;
}
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 287ba125..1e923fd3 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -940,7 +940,8 @@ static void sdap_access_filter_connect_done(struct tevent_req *subreq)
state->filter, NULL,
NULL, 0,
dp_opt_get_int(state->sdap_ctx->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (subreq == NULL) {
DEBUG(1, ("Could not start LDAP communication\n"));
state->pam_status = PAM_SYSTEM_ERR;
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 2b9268de..306d7622 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -870,7 +870,8 @@ struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx,
"", LDAP_SCOPE_BASE,
"(objectclass=*)", attrs, NULL, 0,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
talloc_zfree(req);
return NULL;
@@ -1023,6 +1024,7 @@ struct sdap_get_generic_ext_state {
sdap_parse_cb parse_cb;
void *cb_data;
+ bool allow_paging;
};
static errno_t sdap_get_generic_ext_step(struct tevent_req *req);
@@ -1045,6 +1047,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
LDAPControl **clientctrls,
int sizelimit,
int timeout,
+ bool allow_paging,
sdap_parse_cb parse_cb,
void *cb_data)
{
@@ -1052,6 +1055,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
struct sdap_get_generic_ext_state *state;
struct tevent_req *req;
int i;
+ LDAPControl *control;
req = tevent_req_create(memctx, &state, struct sdap_get_generic_ext_state);
if (!req) return NULL;
@@ -1073,6 +1077,35 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
state->cb_data = cb_data;
state->clientctrls = clientctrls;
+
+ /* Be extra careful and never allow paging for BASE searches,
+ * even if requested.
+ */
+ if (scope == LDAP_SCOPE_BASE) {
+ state->allow_paging = false;
+ } else {
+ state->allow_paging = allow_paging;
+ }
+
+ /* Also check for deref/asq requests and force
+ * paging on for those requests
+ */
+ /* X-DEREF */
+ control = ldap_control_find(LDAP_CONTROL_X_DEREF,
+ serverctrls,
+ NULL);
+ if (control) {
+ state->allow_paging = true;
+ }
+
+ /* ASQ */
+ control = ldap_control_find(LDAP_SERVER_ASQ_OID,
+ serverctrls,
+ NULL);
+ if (control) {
+ state->allow_paging = true;
+ }
+
for (state->nserverctrls=0;
serverctrls && serverctrls[state->nserverctrls];
state->nserverctrls++) ;
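Review bot: The comment at the top of the added block says paging is never allowed for BASE searches, but the X-DEREF and ASQ checks that follow unconditionally set `state->allow_paging = true`, and both callers of those controls search with LDAP_SCOPE_BASE (see the sdap_x_deref_search_send and sdap_asq_search_send hunks), so the override is the intended behaviour and the comment misstates it. I would reword it to `/* Never page a plain BASE search, even if requested. The deref/ASQ checks below re-enable paging, since those BASE searches can return many entries. */`. The three assignments could also collapse into one expression, `state->allow_paging = (scope != LDAP_SCOPE_BASE && allow_paging) || ldap_control_find(LDAP_CONTROL_X_DEREF, serverctrls, NULL) != NULL || ldap_control_find(LDAP_SERVER_ASQ_OID, serverctrls, NULL) != NULL;`, which drops the `control` local and makes the precedence of the BASE rule over the caller's request explicit. sdap_get_generic_ext_send continues outside the hunk.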
@@ -1135,6 +1168,7 @@ static errno_t sdap_get_generic_ext_step(struct tevent_req *req)
disable_paging = dp_opt_get_bool(state->opts->basic, SDAP_DISABLE_PAGING);
if (!disable_paging
+ && state->allow_paging
&& sdap_is_control_supported(state->sh,
LDAP_CONTROL_PAGEDRESULTS)) {
lret = ldap_create_page_control(state->sh->ldap,
@@ -1347,7 +1381,8 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
const char **attrs,
struct sdap_attr_map *map,
int map_num_attrs,
- int timeout)
+ int timeout,
+ bool allow_paging)
{
struct tevent_req *req = NULL;
struct tevent_req *subreq = NULL;
@@ -1361,7 +1396,7 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
subreq = sdap_get_generic_ext_send(state, ev, opts, sh, search_base,
scope, filter, attrs, false, NULL,
- NULL, 0, timeout,
+ NULL, 0, timeout, allow_paging,
sdap_get_generic_parse_entry, state);
if (!subreq) {
talloc_zfree(req);
@@ -1495,7 +1530,7 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
subreq = sdap_get_generic_ext_send(state, ev, opts, sh, base_dn,
LDAP_SCOPE_BASE, NULL, attrs,
false, state->ctrls, NULL, 0, timeout,
- sdap_x_deref_parse_entry,
+ true, sdap_x_deref_parse_entry,
state);
if (!subreq) {
talloc_zfree(req);
@@ -1720,7 +1755,7 @@ sdap_asq_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
subreq = sdap_get_generic_ext_send(state, ev, opts, sh, base_dn,
LDAP_SCOPE_BASE, NULL, attrs,
false, state->ctrls, NULL, 0, timeout,
- sdap_asq_search_parse_entry,
+ true, sdap_asq_search_parse_entry,
state);
if (!subreq) {
talloc_zfree(req);
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 47d10149..870f1531 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -171,7 +171,8 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
const char **attrs,
struct sdap_attr_map *map,
int map_num_attrs,
- int timeout);
+ int timeout,
+ bool allow_paging);
int sdap_get_generic_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx, size_t *reply_count,
struct sysdb_attrs ***reply_list);
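Review bot: The new `allow_paging` parameter on the public sdap_get_generic_send prototype is undocumented, and its effective meaning is narrower than the name suggests: the sdap_async.c hunks show it is ignored for LDAP_SCOPE_BASE searches and still gated by the SDAP_DISABLE_PAGING option and by whether the server advertises the paged-results control. A short comment above the prototype would save callers from guessing, e.g. `/* allow_paging: request the paged-results control for searches that may return many entries; ignored for BASE scope and when SDAP_DISABLE_PAGING is set. */`. The prototype also relies on `bool` being visible in this header; I cannot see from the hunk whether stdbool.h (or a header that provides it) is already included.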
diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
index 9025fe99..ea034c2f 100644
--- a/src/providers/ldap/sdap_async_autofs.c
+++ b/src/providers/ldap/sdap_async_autofs.c
@@ -309,7 +309,7 @@ automntmaps_process_members_next_base(struct tevent_req *req)
state->filter, state->attrs,
state->opts->autofs_entry_map,
SDAP_OPTS_AUTOFS_ENTRY,
- state->timeout);
+ state->timeout, true);
if (!subreq) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot start search for entries\n"));
return EIO;
@@ -492,7 +492,8 @@ sdap_get_automntmap_next_base(struct tevent_req *req)
state->search_bases[state->base_iter]->scope,
state->filter, state->attrs,
state->opts->autofs_mobject_map, SDAP_OPTS_AUTOFS_MAP,
- state->timeout);
+ state->timeout,
+ false);
if (!subreq) {
return EIO;
}
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index aefe3538..d58ed468 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -746,7 +746,8 @@ sdap_process_missing_member_2307bis(struct tevent_req *req,
grp_state->opts->user_map,
SDAP_OPTS_USER,
dp_opt_get_int(grp_state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
return ENOMEM;
}
@@ -1109,7 +1110,8 @@ next:
state->opts->user_map,
SDAP_OPTS_USER,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -1258,7 +1260,8 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req)
state->search_bases[state->base_iter]->scope,
state->filter, state->attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
- state->timeout);
+ state->timeout,
+ state->enumeration); /* If we're enumerating, we need paging */
if (!subreq) {
return ENOMEM;
}
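Review bot: Tying paging to `state->enumeration` (here and in the matching hunks in sdap_async_services.c and sdap_async_users.c) assumes every non-enumeration call of this search returns a single entry; if a caller passes a filter that can match several groups, the search now runs unpaged and a server-side size limit will truncate or fail it instead of paging through. I cannot see from the hunk which filters the non-enumeration callers pass, so this may be fine, but it is worth confirming or widening the condition to `state->enumeration || <filter may match many>` with a comment stating the assumption. sdap_get_groups_next_base continues outside the hunk.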
@@ -2537,7 +2540,8 @@ static errno_t sdap_nested_group_lookup_user(struct tevent_req *req,
state->opts->user_map,
SDAP_OPTS_USER,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
talloc_free(sdap_attrs);
return EIO;
@@ -2618,7 +2622,8 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
state->opts->group_map,
SDAP_OPTS_GROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
talloc_free(sdap_attrs);
return EIO;
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 683e5116..2f8e1ef6 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -380,7 +380,8 @@ static errno_t sdap_initgr_rfc2307_next_base(struct tevent_req *req)
state->search_bases[state->base_iter]->scope,
state->filter, state->attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
- state->timeout);
+ state->timeout,
+ true);
if (!subreq) {
return ENOMEM;
}
@@ -774,7 +775,8 @@ static errno_t sdap_initgr_nested_noderef_search(struct tevent_req *req)
state->filter, state->grp_attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
return ENOMEM;
}
@@ -904,7 +906,8 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq)
state->opts->group_map,
SDAP_OPTS_GROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -1510,7 +1513,8 @@ static errno_t sdap_initgr_rfc2307bis_next_base(struct tevent_req *req)
state->search_bases[state->base_iter]->scope,
state->filter, state->attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
- state->timeout);
+ state->timeout,
+ true);
if (!subreq) {
talloc_zfree(req);
return ENOMEM;
@@ -2154,7 +2158,8 @@ static errno_t rfc2307bis_nested_groups_next_base(struct tevent_req *req)
state->search_bases[state->base_iter]->scope,
state->filter, state->attrs,
state->opts->group_map, SDAP_OPTS_GROUP,
- state->timeout);
+ state->timeout,
+ true);
if (!subreq) {
return ENOMEM;
}
@@ -2472,7 +2477,8 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
state->user_search_bases[state->user_base_iter]->scope,
state->filter, state->user_attrs,
state->opts->user_map, SDAP_OPTS_USER,
- state->timeout);
+ state->timeout,
+ false);
if (!subreq) {
return ENOMEM;
}
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index 37aa2f11..931a1f86 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -432,7 +432,8 @@ static errno_t netgr_translate_members_ldap_step(struct tevent_req *req)
cn_attr, state->opts->netgroup_map,
SDAP_OPTS_NETGROUP,
dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ false);
if (!subreq) {
DEBUG(1, ("sdap_get_generic_send failed.\n"));
return ENOMEM;
@@ -621,7 +622,8 @@ static errno_t sdap_get_netgroups_next_base(struct tevent_req *req)
state->search_bases[state->base_iter]->scope,
state->filter, state->attrs,
state->opts->netgroup_map, SDAP_OPTS_NETGROUP,
- state->timeout);
+ state->timeout,
+ false);
if (!subreq) {
return ENOMEM;
}
diff --git a/src/providers/ldap/sdap_async_services.c b/src/providers/ldap/sdap_async_services.c
index 5bc04463..783861c7 100644
--- a/src/providers/ldap/sdap_async_services.c
+++ b/src/providers/ldap/sdap_async_services.c
@@ -148,7 +148,8 @@ sdap_get_services_next_base(struct tevent_req *req)
state->search_bases[state->base_iter]->scope,
state->filter, state->attrs,
state->opts->service_map, SDAP_OPTS_SERVICES,
- state->timeout);
+ state->timeout,
+ state->enumeration); /* If we're enumerating, we need paging */
if (!subreq) {
return ENOMEM;
}
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index a8595ac8..57540749 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -477,7 +477,8 @@ static errno_t sdap_get_users_next_base(struct tevent_req *req)
state->search_bases[state->base_iter]->scope,
state->filter, state->attrs,
state->opts->user_map, SDAP_OPTS_USER,
- state->timeout);
+ state->timeout,
+ state->enumeration); /* If we're enumerating, we need paging */
if (!subreq) {
return ENOMEM;
}
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 4aaf04ce..02d4f17b 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -514,7 +514,8 @@ static errno_t sdap_sudo_load_sudoers_next_base(struct tevent_req *req)
state->attrs,
state->opts->sudorule_map,
SDAP_OPTS_SUDO,
- state->timeout);
+ state->timeout,
+ true);
if (subreq == NULL) {
return ENOMEM;
}