-rw-r--r--src/man/sssd-ldap.5.xml4
-rw-r--r--src/providers/ldap/sdap_async.c8
-rw-r--r--src/providers/ldap/sdap_async.h2
-rw-r--r--src/providers/ldap/sdap_async_groups.c2
4 files changed, 13 insertions, 3 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index be1d333a..2e374ea1 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -934,6 +934,10 @@
they are looked up individually.
</para>
<para>
+ You can turn off dereference lookups completely by
+ setting the value to 0.
+ </para>
+ <para>
A dereference lookup is a means of fetching all
group members in a single LDAP call.
Different LDAP servers may implement different
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index c3fe2ac5..2edc7597 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1819,13 +1819,19 @@ int sdap_deref_search_recv(struct tevent_req *req,
return EOK;
}
-bool sdap_has_deref_support(struct sdap_handle *sh)
+bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts)
{
const char *deref_oids[][2] = { { LDAP_SERVER_ASQ_OID, "ASQ" },
{ LDAP_CONTROL_X_DEREF, "OpenLDAP" },
{ NULL, NULL }
};
int i;
+ int deref_threshold;
+
+ deref_threshold = dp_opt_get_int(opts->basic, SDAP_DEREF_THRESHOLD);
+ if (deref_threshold == 0) {
+ return false;
+ }
for (i=0; deref_oids[i][0]; i++) {
if (sdap_is_control_supported(sh, deref_oids[i][0])) {
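Review bot: The new early return in `sdap_has_deref_support` treats only `deref_threshold == 0` as disabled, so a negative value from `dp_opt_get_int(opts->basic, SDAP_DEREF_THRESHOLD)` falls through to the control probe. Unless the option is range-checked somewhere not shown in this diff, `if (deref_threshold <= 0) return false;` would make the off switch unambiguous. The function also now answers two questions, server capability and local configuration, under a name that mentions only the first, so a comment above it would help, for example `/* Returns false when dereference is disabled by configuration (threshold 0) or the server advertises no supported deref control. */`. A debug-level message on the configuration path would let an operator tell a disabled lookup apart from a server that lacks the control. The `for` loop over `deref_oids` continues past the end of this hunk.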
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 4115f621..9b5a3079 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -152,7 +152,7 @@ int sdap_get_generic_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx, size_t *reply_count,
struct sysdb_attrs ***reply_list);
-bool sdap_has_deref_support(struct sdap_handle *sh);
+bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts);
struct tevent_req *
sdap_deref_search_send(TALLOC_CTX *memctx,
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index b3f6bb70..f887651d 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1751,7 +1751,7 @@ static struct tevent_req *sdap_nested_group_process_send(
state->member_index = 0;
- if (sdap_has_deref_support(state->sh)) {
+ if (sdap_has_deref_support(state->sh, state->opts)) {
state->derefctx = talloc_zero(state, struct sdap_deref_ctx);
if (!state->derefctx) goto immediate;