Fix for bug 707, getent group for huge ads groups (>1500 members)

This introduces range retrieval of ADS attributes.

I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.

Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.

Tested with a group of 4000 members along with lots of small groups.

Volker
(This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)

1 files changed, 48 insertions, 21 deletions

diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 2fcf02a316..46f3660c49 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -690,10 +690,11 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 	char *ldap_exp;
 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 	char *sidstr;
-	const char *attrs[] = {"member", NULL};
 	char **members;
 	int i, num_members;
 	fstring sid_string;
+	const char *attr = "member";
+	BOOL more_values;
 
 	DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name, sid_string_static(group_sid)));
 
@@ -710,33 +711,56 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 
 	/* search for all members of the group */
 	asprintf(&ldap_exp, "(objectSid=%s)",sidstr);
-	rc = ads_search_retry(ads, &res, ldap_exp, attrs);
-	free(ldap_exp);
-	free(sidstr);
 
-	if (!ADS_ERR_OK(rc) || !res) {
-		DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
-		goto done;
-	}
+	members = NULL;
+	num_members = 0;
+	more_values = True;
 
-	count = ads_count_replies(ads, res);
-	if (count == 0) {
-		status = NT_STATUS_OK;
-		goto done;
-	}
+	while (more_values) {
 
-	members = ads_pull_strings(ads, mem_ctx, res, "member");
-	if (!members) {
-		/* no members? ok ... */
-		status = NT_STATUS_OK;
-		goto done;
-	}
+		int num_this_time;
+		char **new_members;
+		const char *attrs[] = {attr, NULL};
+
+		rc = ads_search_retry(ads, &res, ldap_exp, attrs);
 
+		if (!ADS_ERR_OK(rc) || !res) {
+			DEBUG(1,("query_user_list ads_search: %s\n",
+				 ads_errstr(rc)));
+			goto done;
+		}
+
+		count = ads_count_replies(ads, res);
+		if (count == 0)
+			break;
+
+		new_members = ads_pull_strings_range(ads, mem_ctx, res,
+						     "member",
+						     &num_this_time,
+						     &more_values);
+
+		if ((new_members == NULL) || (num_this_time == 0))
+			break;
+
+		members = talloc_realloc(mem_ctx, members,
+					 sizeof(*members) *
+					 (num_members+num_this_time));
+
+		if (members == NULL)
+			break;
+
+		memcpy(members+num_members, new_members,
+		       sizeof(new_members)*num_this_time);
+
+		num_members += num_this_time;
+
+		attr = talloc_asprintf(mem_ctx,
+				       "member;range=%d-*", num_members);
+	}
+		
 	/* now we need to turn a list of members into rids, names and name types 
 	   the problem is that the members are in the form of distinguised names
 	*/
-	for (i=0;members[i];i++) /* noop */ ;
-	num_members = i;
 
 	(*sid_mem) = talloc_zero(mem_ctx, sizeof(**sid_mem) * num_members);
 	(*name_types) = talloc_zero(mem_ctx, sizeof(**name_types) * num_members);
@@ -763,6 +787,9 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 	status = NT_STATUS_OK;
 	DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string, group_sid)));
 done:
+	SAFE_FREE(ldap_exp);
+	SAFE_FREE(sidstr);
+
 	if (res) 
 		ads_msgfree(ads, res);