>From 387ce8cafcb875168a4a23fe58ee880b25238911 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 19 Aug 2011 18:06:41 +0200
Subject: [PATCH] Allow turning dereference off by setting the threshold to 0

---
 src/man/sssd-ldap.5.xml                |    4 ++++
 src/providers/ldap/sdap_async.c        |    8 +++++++-
 src/providers/ldap/sdap_async.h        |    2 +-
 src/providers/ldap/sdap_async_groups.c |    2 +-
 4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 7c364ab..57b91d3 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -934,6 +934,10 @@
                             they are looked up individually.
                         </para>
                         <para>
+                            You can turn off dereference lookups completely by
+                            setting the value to 0.
+                        </para>
+                        <para>
                             A dereference lookup is a means of fetching all
                             group members in a single LDAP call.
                             Different LDAP servers may implement different
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 5594dd5..0b546c4 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1819,13 +1819,19 @@ int sdap_deref_search_recv(struct tevent_req *req,
     return EOK;
 }
 
-bool sdap_has_deref_support(struct sdap_handle *sh)
+bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts)
 {
     const char *deref_oids[][2] = { { LDAP_SERVER_ASQ_OID, "ASQ" },
                                     { LDAP_CONTROL_X_DEREF, "OpenLDAP" },
                                     { NULL, NULL }
                                   };
     int i;
+    int deref_threshold;
+
+    deref_threshold = dp_opt_get_int(opts->basic, SDAP_DEREF_THRESHOLD);
+    if (deref_threshold == 0) {
+        return false;
+    }
 
     for (i=0; deref_oids[i][0]; i++) {
         if (sdap_is_control_supported(sh, deref_oids[i][0])) {
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 4115f62..9b5a307 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -152,7 +152,7 @@ int sdap_get_generic_recv(struct tevent_req *req,
                          TALLOC_CTX *mem_ctx, size_t *reply_count,
                          struct sysdb_attrs ***reply_list);
 
-bool sdap_has_deref_support(struct sdap_handle *sh);
+bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts);
 
 struct tevent_req *
 sdap_deref_search_send(TALLOC_CTX *memctx,
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 7b9f0cd..426b6f2 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1751,7 +1751,7 @@ static struct tevent_req *sdap_nested_group_process_send(
 
     state->member_index = 0;
 
-    if (sdap_has_deref_support(state->sh)) {
+    if (sdap_has_deref_support(state->sh, state->opts)) {
         state->derefctx = talloc_zero(state, struct sdap_deref_ctx);
         if (!state->derefctx) goto immediate;
 
-- 
1.7.6