-rw-r--r--src/confdb/confdb.c9
-rw-r--r--src/confdb/confdb.h2
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rwxr-xr-xsrc/config/SSSDConfigTest.py2
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml17
-rw-r--r--src/providers/ldap/ldap_id.c9
-rw-r--r--src/providers/ldap/sdap_async_groups.c6
-rw-r--r--src/responder/nss/nsssrv_cmd.c35
9 files changed, 64 insertions, 18 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 13035a41..3707f18b 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -894,6 +894,15 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
+ ret = get_entry_as_bool(res->msgs[0], &domain->ignore_group_members,
+ CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS, 0);
+ if(ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Invalid value for %s\n",
+ CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS));
+ goto done;
+ }
+
ret = get_entry_as_uint32(res->msgs[0], &domain->id_min,
CONFDB_DOMAIN_MINID,
confdb_get_min_id(domain));
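Review bot: The new `if(ret != EOK)` is missing the space after `if` that the rest of this series uses (`if (ret != EOK) goto fail;` in ldap_id.c), so the added block reads differently from its neighbours; change it to `if (ret != EOK) {`. The failure path itself looks right: a value of `ignore_group_members` that does not parse as a boolean aborts loading the domain via `goto done` with `ret` still holding the error, rather than silently falling back to the default of 0. confdb_get_domain_internal starts and ends outside this hunk, so what `done` cleans up cannot be confirmed here.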
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 88e80c17..eb16d01e 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -162,6 +162,7 @@
#define CONFDB_DOMAIN_CASE_SENSITIVE "case_sensitive"
#define CONFDB_DOMAIN_SUBDOMAIN_HOMEDIR "subdomain_homedir"
#define CONFDB_DOMAIN_DEFAULT_SUBDOMAIN_HOMEDIR "/home/%d/%u"
+#define CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS "ignore_group_members"
#define CONFDB_DOMAIN_USER_CACHE_TIMEOUT "entry_cache_user_timeout"
#define CONFDB_DOMAIN_GROUP_CACHE_TIMEOUT "entry_cache_group_timeout"
@@ -200,6 +201,7 @@ struct sss_domain_info {
int timeout;
bool enumerate;
bool fqnames;
+ bool ignore_group_members;
uint32_t id_min;
uint32_t id_max;
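Review bot: The new `ignore_group_members` field in `struct sss_domain_info` carries no comment, and its effect is spread over three files in this commit, so a reader of the header cannot tell what it gates. I would annotate it with what the series visibly does with it: `bool ignore_group_members; /* if set, the group member attribute is not requested from LDAP, memberships are not saved to the cache, and the NSS responder returns groups without members */`. The struct definition begins before this hunk, so this is the only place in the hunk where a comment can go.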
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 9bd69953..fd54c7b6 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -111,6 +111,7 @@ option_strings = {
'cache_credentials' : _('Cache credentials for offline login'),
'store_legacy_passwords' : _('Store password hashes'),
'use_fully_qualified_names' : _('Display users/groups in fully-qualified form'),
+ 'ignore_group_members' : _('Don\'t include group members in group lookups'),
'entry_cache_timeout' : _('Entry cache timeout length (seconds)'),
'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'),
'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 9a05dca3..8f003f55 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -493,6 +493,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'cache_credentials',
'store_legacy_passwords',
'use_fully_qualified_names',
+ 'ignore_group_members',
'filter_users',
'filter_groups',
'entry_cache_timeout',
@@ -833,6 +834,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'cache_credentials',
'store_legacy_passwords',
'use_fully_qualified_names',
+ 'ignore_group_members',
'filter_users',
'filter_groups',
'entry_cache_timeout',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 48fe7ebf..3ed9d583 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -97,6 +97,7 @@ force_timeout = int, None, false
cache_credentials = bool, None, false
store_legacy_passwords = bool, None, false
use_fully_qualified_names = bool, None, false
+ignore_group_members = bool, None, false
entry_cache_timeout = int, None, false
lookup_family_order = str, None, false
account_cache_expiration = int, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 9f487faf..1512e68a 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1203,6 +1203,23 @@ override_homedir = /home/%u
</listitem>
</varlistentry>
<varlistentry>
+ <term>ignore_group_members (bool)</term>
+ <listitem>
+ <para>
+ Do not return group members for group lookups.
+ </para>
+ <para>
+ If set to TRUE, the group membership attribute
+ is not requested from the ldap server, and
+ group members are not returned when processing
+ group lookup calls.
+ </para>
+ <para>
+ Default: FALSE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>auth_provider (string)</term>
<listitem>
<para>
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index b8520df8..0c2d63d3 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -340,6 +340,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
enum idmap_error_code err;
char *sid;
bool use_id_mapping = dp_opt_get_bool(ctx->opts->basic, SDAP_ID_MAPPING);
+ const char *member_filter[2];
req = tevent_req_create(memctx, &state, struct groups_get_state);
if (!req) return NULL;
@@ -438,9 +439,15 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
goto fail;
}
+ member_filter[0] = (const char *)ctx->opts->group_map[SDAP_AT_GROUP_MEMBER].name;
+ member_filter[1] = NULL;
+
/* TODO: handle attrs_type */
ret = build_attrs_from_map(state, ctx->opts->group_map, SDAP_OPTS_GROUP,
- NULL, &state->attrs, NULL);
+ state->domain->ignore_group_members ?
+ (const char **)member_filter : NULL,
+ &state->attrs, NULL);
+
if (ret != EOK) goto fail;
ret = groups_get_retry(req);
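Review bot: Both casts in the new filter setup are redundant and one of them can hide a real type error: `member_filter` is declared `const char *member_filter[2]`, so it already decays to `const char **` without the `(const char **)` cast in the `build_attrs_from_map` call, and the `(const char *)` cast on `group_map[SDAP_AT_GROUP_MEMBER].name` would silence the compiler if `.name` were ever not a string. I would drop both: `member_filter[0] = ctx->opts->group_map[SDAP_AT_GROUP_MEMBER].name;` and `state->domain->ignore_group_members ? member_filter : NULL,`. Separately, if the member attribute is unmapped for this domain (`.name` is NULL) the filter list becomes `{NULL, NULL}`; whether `build_attrs_from_map` tolerates a NULL first entry is not visible in this hunk, so it may be worth only passing the filter when `.name` is non-NULL. groups_get_send starts and ends outside the hunk.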
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index f0185e41..67dddae7 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1648,8 +1648,12 @@ static void sdap_get_groups_done(struct tevent_req *subreq)
if (state->check_count == 0) {
DEBUG(9, ("All groups processed\n"));
+ /* If ignore_group_members is set for the domain, don't update
+ * group memberships in the cache.
+ */
ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts,
- state->groups, state->count, true, NULL,
+ state->groups, state->count,
+ !state->dom->ignore_group_members, NULL,
&state->higher_usn);
if (ret) {
DEBUG(2, ("Failed to store groups.\n"));
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 036e88f4..a453e593 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -2035,24 +2035,27 @@ static int fill_grent(struct sss_packet *packet,
pwfield.str, pwfield.len);
memnum = 0;
- el = ldb_msg_find_element(msg, SYSDB_MEMBERUID);
- if (el) {
- ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, &memnum);
- if (ret != EOK) {
- num = 0;
- goto done;
+ if (!dom->ignore_group_members) {
+ el = ldb_msg_find_element(msg, SYSDB_MEMBERUID);
+ if (el) {
+ ret = fill_members(packet, dom, nctx, el, &rzero, &rsize,
+ &memnum);
+ if (ret != EOK) {
+ num = 0;
+ goto done;
+ }
+ sss_packet_get_body(packet, &body, &blen);
}
- sss_packet_get_body(packet, &body, &blen);
- }
-
- el = ldb_msg_find_element(msg, SYSDB_GHOST);
- if (el) {
- ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, &memnum);
- if (ret != EOK) {
- num = 0;
- goto done;
+ el = ldb_msg_find_element(msg, SYSDB_GHOST);
+ if (el) {
+ ret = fill_members(packet, dom, nctx, el, &rzero, &rsize,
+ &memnum);
+ if (ret != EOK) {
+ num = 0;
+ goto done;
+ }
+ sss_packet_get_body(packet, &body, &blen);
}
- sss_packet_get_body(packet, &body, &blen);
}
if (memnum) {
/* set num of members */
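Review bot: The rewritten member-filling code in `fill_grent` now carries two near-identical nested blocks (memberUid and ghost) that differ only in the attribute name, and the extra `if` level pushes the `goto done` error handling three indents deep; iterating over the two attribute names collapses the duplication and keeps the control flow flat while preserving the same calls in the same order. Behaviour is otherwise unchanged: with `ignore_group_members` set, `memnum` stays 0 and the `if (memnum)` branch that follows is skipped, so the group is returned with no members, matching the new man-page text. fill_grent starts before this hunk and the `if (memnum)` body continues past it, so the excerpt below stops at that line.

```c
    memnum = 0;
    if (!dom->ignore_group_members) {
        static const char *const member_attrs[] = { SYSDB_MEMBERUID, SYSDB_GHOST };
        size_t i;

        for (i = 0; i < sizeof(member_attrs) / sizeof(member_attrs[0]); i++) {
            el = ldb_msg_find_element(msg, member_attrs[i]);
            if (el == NULL) {
                continue;
            }
            ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, &memnum);
            if (ret != EOK) {
                num = 0;
                goto done;
            }
            sss_packet_get_body(packet, &body, &blen);
        }
    }
    /* … unchanged: if (memnum) { set num of members … */
```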