summaryrefslogtreecommitdiff
path: root/source3/libads
diff options
context:
space:
mode:
authorVolker Lendecke <vlendec@samba.org>2004-01-01 20:30:50 +0000
committerVolker Lendecke <vlendec@samba.org>2004-01-01 20:30:50 +0000
commit31ff56fd3ef310c1fab557cf26c65ab96d38fb39 (patch)
treef3849f073590e0e5894a4031dafe4776d2717060 /source3/libads
parent5d55674b52a516536a03e7f6d710a53efe7f5b8d (diff)
downloadsamba-31ff56fd3ef310c1fab557cf26c65ab96d38fb39.tar.gz
samba-31ff56fd3ef310c1fab557cf26c65ab96d38fb39.tar.bz2
samba-31ff56fd3ef310c1fab557cf26c65ab96d38fb39.zip
Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/ldap.c100
1 files changed, 92 insertions, 8 deletions
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index ce0341b72c..f47645c7e7 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1579,27 +1579,26 @@ char *ads_pull_string(ADS_STRUCT *ads,
* @return Result strings in talloc context
**/
char **ads_pull_strings(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx, void *msg, const char *field)
+ TALLOC_CTX *mem_ctx, void *msg, const char *field,
+ int *num_values)
{
char **values;
char **ret = NULL;
- int i, n;
+ int i;
values = ldap_get_values(ads->ld, msg, field);
if (!values)
return NULL;
- for (i=0;values[i];i++)
- /* noop */ ;
- n = i;
+ *num_values = ldap_count_values(values);
- ret = talloc(mem_ctx, sizeof(char *) * (n+1));
+ ret = talloc(mem_ctx, sizeof(char *) * (*num_values+1));
if (!ret) {
ldap_value_free(values);
return NULL;
}
- for (i=0;i<n;i++) {
+ for (i=0;i<*num_values;i++) {
if (pull_utf8_talloc(mem_ctx, &ret[i], values[i]) == -1) {
ldap_value_free(values);
return NULL;
@@ -1611,6 +1610,89 @@ char **ads_pull_strings(ADS_STRUCT *ads,
return ret;
}
+/**
+ * pull an array of strings from a ADS result
+ * (handle large multivalue attributes with range retrieval)
+ * @param ads connection to ads server
+ * @param mem_ctx TALLOC_CTX to use for allocating result string
+ * @param msg Results of search
+ * @param field Attribute to retrieve
+ * @param num_values How many values did we get this time?
+ * @param more_values Are there more values to get?
+ * @return Result strings in talloc context
+ **/
+char **ads_pull_strings_range(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ void *msg, const char *field,
+ int *num_values,
+ BOOL *more_values)
+{
+ char *first_attr, *second_attr;
+ char *expected_range_attrib, *range_attr;
+ BerElement *ptr = NULL;
+ char **result;
+
+ /* Get the first and second attributes. This assumes that the LDAP msg
+ * contains the requested attributes first and then a possible
+ * range-augmented attribute. This is the case for the group
+ * membership query we do against windows AD, but a general
+ * range-based value retrieval would have to be modified. */
+
+ first_attr = ldap_first_attribute(ads->ld, (LDAPMessage *)msg, &ptr);
+
+ if (first_attr == NULL)
+ return NULL;
+
+ expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field);
+
+ if (!strequal(first_attr, field) &&
+ !strnequal(first_attr, expected_range_attrib,
+ strlen(expected_range_attrib)))
+ {
+ DEBUG(1, ("Expected attribute [%s], got [%s]\n",
+ field, first_attr));
+ return NULL;
+ }
+
+ second_attr = ldap_next_attribute(ads->ld, (LDAPMessage *)msg, ptr);
+ ber_free(ptr, 0);
+
+ DEBUG(10,("attr: [%s], first_attr: [%s], second_attr: [%s]\n",
+ field, first_attr, second_attr));
+
+ if ((second_attr != NULL) &&
+ (strnequal(second_attr, expected_range_attrib,
+ strlen(expected_range_attrib)))) {
+
+ /* This is the first in a row of range results. We can not ask
+ * for the attribute we wanted, as this is empty in the LDAP
+ * msg, the delivered values are in the second range-augmented
+ * attribute. */
+ range_attr = second_attr;
+
+ } else {
+
+ /* Upon second and subsequent requests to get attribute
+ * values, first_attr carries the Range= specifier. */
+ range_attr = first_attr;
+
+ }
+
+ /* We have to ask for more if we have a range specifier in the
+ * attribute and the attribute does not end in "*". */
+
+ *more_values = ( (strnequal(range_attr, expected_range_attrib,
+ strlen(expected_range_attrib))) &&
+ (range_attr[strlen(range_attr)-1] != '*') );
+
+ result = ads_pull_strings(ads, mem_ctx, msg, range_attr, num_values);
+
+ ldap_memfree(first_attr);
+ if (second_attr != NULL)
+ ldap_memfree(second_attr);
+
+ return result;
+}
/**
* pull a single uint32 from a ADS result
@@ -1960,6 +2042,7 @@ ADS_STATUS ads_workgroup_name(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *
int i;
void *res;
const char *attrs[] = {"servicePrincipalName", NULL};
+ int num_principals;
(*workgroup) = NULL;
@@ -1972,7 +2055,8 @@ ADS_STATUS ads_workgroup_name(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *
return rc;
}
- principles = ads_pull_strings(ads, mem_ctx, res, "servicePrincipalName");
+ principles = ads_pull_strings(ads, mem_ctx, res,
+ "servicePrincipalName", &num_principals);
ads_msgfree(ads, res);