>From 4e14020590d82ffb0f0796a3ac407725f5f743c6 Mon Sep 17 00:00:00 2001 From: "Paul B. Henson" Date: Tue, 13 Nov 2012 03:31:43 -0800 Subject: [PATCH] Add ignore_group_members option. --- src/confdb/confdb.c | 7 +++++++ src/confdb/confdb.h | 2 ++ src/config/SSSDConfig/__init__.py.in | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 17 +++++++++++++++++ src/providers/ldap/ldap_id.c | 8 +++++++- src/providers/ldap/sdap_async_groups.c | 5 +++-- src/responder/nss/nsssrv_cmd.c | 33 +++++++++++++++++---------------- 8 files changed, 55 insertions(+), 19 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index 13035a4..f097f63 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -894,6 +894,13 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, goto done; } + ret = get_entry_as_bool(res->msgs[0], &domain->ignore_group_members, + CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS, 0); + if(ret != EOK) { + DEBUG(0, ("Invalid value for %s\n", CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS)); + goto done; + } + ret = get_entry_as_uint32(res->msgs[0], &domain->id_min, CONFDB_DOMAIN_MINID, confdb_get_min_id(domain)); diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 88e80c1..eb16d01 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -162,6 +162,7 @@ #define CONFDB_DOMAIN_CASE_SENSITIVE "case_sensitive" #define CONFDB_DOMAIN_SUBDOMAIN_HOMEDIR "subdomain_homedir" #define CONFDB_DOMAIN_DEFAULT_SUBDOMAIN_HOMEDIR "/home/%d/%u" +#define CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS "ignore_group_members" #define CONFDB_DOMAIN_USER_CACHE_TIMEOUT "entry_cache_user_timeout" #define CONFDB_DOMAIN_GROUP_CACHE_TIMEOUT "entry_cache_group_timeout" @@ -200,6 +201,7 @@ struct sss_domain_info { int timeout; bool enumerate; bool fqnames; + bool ignore_group_members; uint32_t id_min; uint32_t id_max; diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 9bd6995..fd54c7b 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -111,6 +111,7 @@ option_strings = { 'cache_credentials' : _('Cache credentials for offline login'), 'store_legacy_passwords' : _('Store password hashes'), 'use_fully_qualified_names' : _('Display users/groups in fully-qualified form'), + 'ignore_group_members' : _('Don\'t include group members in group lookups'), 'entry_cache_timeout' : _('Entry cache timeout length (seconds)'), 'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'), 'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'), diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 48fe7eb..3ed9d58 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -97,6 +97,7 @@ force_timeout = int, None, false cache_credentials = bool, None, false store_legacy_passwords = bool, None, false use_fully_qualified_names = bool, None, false +ignore_group_members = bool, None, false entry_cache_timeout = int, None, false lookup_family_order = str, None, false account_cache_expiration = int, None, false diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 33d99c7..985397d 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1203,6 +1203,23 @@ override_homedir = /home/%u + ignore_group_members (bool) + + + Do not return group members for group lookups. + + + If set to TRUE, the group membership attribute + is not requested from the ldap server, and + group members are not returned when processing + group lookup calls. + + + Default: FALSE + + + + auth_provider (string) diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index b8520df..7e7f630 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -340,6 +340,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx, enum idmap_error_code err; char *sid; bool use_id_mapping = dp_opt_get_bool(ctx->opts->basic, SDAP_ID_MAPPING); + char *member_filter[2]; req = tevent_req_create(memctx, &state, struct groups_get_state); if (!req) return NULL; @@ -438,9 +439,14 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx, goto fail; } + member_filter[0] = ctx->opts->group_map[SDAP_AT_GROUP_MEMBER].name; + member_filter[1] = NULL; + /* TODO: handle attrs_type */ ret = build_attrs_from_map(state, ctx->opts->group_map, SDAP_OPTS_GROUP, - NULL, &state->attrs, NULL); + state->domain->ignore_group_members ? + member_filter : NULL, &state->attrs, NULL); + if (ret != EOK) goto fail; ret = groups_get_retry(req); diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index f0185e4..b15ba90 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -1649,8 +1649,9 @@ static void sdap_get_groups_done(struct tevent_req *subreq) DEBUG(9, ("All groups processed\n")); ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts, - state->groups, state->count, true, NULL, - &state->higher_usn); + state->groups, state->count, + state->dom->ignore_group_members ? false : true, + NULL, &state->higher_usn); if (ret) { DEBUG(2, ("Failed to store groups.\n")); tevent_req_error(req, ret); diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 036e88f..1182532 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -2035,24 +2035,25 @@ static int fill_grent(struct sss_packet *packet, pwfield.str, pwfield.len); memnum = 0; - el = ldb_msg_find_element(msg, SYSDB_MEMBERUID); - if (el) { - ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, &memnum); - if (ret != EOK) { - num = 0; - goto done; + if (!dom->ignore_group_members) { + el = ldb_msg_find_element(msg, SYSDB_MEMBERUID); + if (el) { + ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, &memnum); + if (ret != EOK) { + num = 0; + goto done; + } + sss_packet_get_body(packet, &body, &blen); } - sss_packet_get_body(packet, &body, &blen); - } - - el = ldb_msg_find_element(msg, SYSDB_GHOST); - if (el) { - ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, &memnum); - if (ret != EOK) { - num = 0; - goto done; + el = ldb_msg_find_element(msg, SYSDB_GHOST); + if (el) { + ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, &memnum); + if (ret != EOK) { + num = 0; + goto done; + } + sss_packet_get_body(packet, &body, &blen); } - sss_packet_get_body(packet, &body, &blen); } if (memnum) { /* set num of members */ -- 1.7.11.7