diff options
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/sdap_access.c | 3 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.c | 45 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.h | 3 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_autofs.c | 5 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_groups.c | 15 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 18 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_netgroups.c | 6 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_services.c | 3 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_users.c | 3 | ||||
-rw-r--r-- | src/providers/ldap/sdap_sudo.c | 3 |
10 files changed, 79 insertions, 25 deletions
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c index 287ba125..1e923fd3 100644 --- a/src/providers/ldap/sdap_access.c +++ b/src/providers/ldap/sdap_access.c @@ -940,7 +940,8 @@ static void sdap_access_filter_connect_done(struct tevent_req *subreq) state->filter, NULL, NULL, 0, dp_opt_get_int(state->sdap_ctx->opts->basic, - SDAP_SEARCH_TIMEOUT)); + SDAP_SEARCH_TIMEOUT), + false); if (subreq == NULL) { DEBUG(1, ("Could not start LDAP communication\n")); state->pam_status = PAM_SYSTEM_ERR; diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index 2b9268de..306d7622 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -870,7 +870,8 @@ struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, NULL, 0, dp_opt_get_int(state->opts->basic, - SDAP_SEARCH_TIMEOUT)); + SDAP_SEARCH_TIMEOUT), + false); if (!subreq) { talloc_zfree(req); return NULL; @@ -1023,6 +1024,7 @@ struct sdap_get_generic_ext_state { sdap_parse_cb parse_cb; void *cb_data; + bool allow_paging; }; static errno_t sdap_get_generic_ext_step(struct tevent_req *req); @@ -1045,6 +1047,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx, LDAPControl **clientctrls, int sizelimit, int timeout, + bool allow_paging, sdap_parse_cb parse_cb, void *cb_data) { @@ -1052,6 +1055,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx, struct sdap_get_generic_ext_state *state; struct tevent_req *req; int i; + LDAPControl *control; req = tevent_req_create(memctx, &state, struct sdap_get_generic_ext_state); if (!req) return NULL; @@ -1073,6 +1077,35 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx, state->cb_data = cb_data; state->clientctrls = clientctrls; + + /* Be extra careful and never allow paging for BASE searches, + * even if requested. + */ + if (scope == LDAP_SCOPE_BASE) { + state->allow_paging = false; + } else { + state->allow_paging = allow_paging; + } + + /* Also check for deref/asq requests and force + * paging on for those requests + */ + /* X-DEREF */ + control = ldap_control_find(LDAP_CONTROL_X_DEREF, + serverctrls, + NULL); + if (control) { + state->allow_paging = true; + } + + /* ASQ */ + control = ldap_control_find(LDAP_SERVER_ASQ_OID, + serverctrls, + NULL); + if (control) { + state->allow_paging = true; + } + for (state->nserverctrls=0; serverctrls && serverctrls[state->nserverctrls]; state->nserverctrls++) ; @@ -1135,6 +1168,7 @@ static errno_t sdap_get_generic_ext_step(struct tevent_req *req) disable_paging = dp_opt_get_bool(state->opts->basic, SDAP_DISABLE_PAGING); if (!disable_paging + && state->allow_paging && sdap_is_control_supported(state->sh, LDAP_CONTROL_PAGEDRESULTS)) { lret = ldap_create_page_control(state->sh->ldap, @@ -1347,7 +1381,8 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, const char **attrs, struct sdap_attr_map *map, int map_num_attrs, - int timeout) + int timeout, + bool allow_paging) { struct tevent_req *req = NULL; struct tevent_req *subreq = NULL; @@ -1361,7 +1396,7 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, subreq = sdap_get_generic_ext_send(state, ev, opts, sh, search_base, scope, filter, attrs, false, NULL, - NULL, 0, timeout, + NULL, 0, timeout, allow_paging, sdap_get_generic_parse_entry, state); if (!subreq) { talloc_zfree(req); @@ -1495,7 +1530,7 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev, subreq = sdap_get_generic_ext_send(state, ev, opts, sh, base_dn, LDAP_SCOPE_BASE, NULL, attrs, false, state->ctrls, NULL, 0, timeout, - sdap_x_deref_parse_entry, + true, sdap_x_deref_parse_entry, state); if (!subreq) { talloc_zfree(req); @@ -1720,7 +1755,7 @@ sdap_asq_search_send(TALLOC_CTX *memctx, struct tevent_context *ev, subreq = sdap_get_generic_ext_send(state, ev, opts, sh, base_dn, LDAP_SCOPE_BASE, NULL, attrs, false, state->ctrls, NULL, 0, timeout, - sdap_asq_search_parse_entry, + true, sdap_asq_search_parse_entry, state); if (!subreq) { talloc_zfree(req); diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index 47d10149..870f1531 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -171,7 +171,8 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, const char **attrs, struct sdap_attr_map *map, int map_num_attrs, - int timeout); + int timeout, + bool allow_paging); int sdap_get_generic_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, size_t *reply_count, struct sysdb_attrs ***reply_list); diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c index 9025fe99..ea034c2f 100644 --- a/src/providers/ldap/sdap_async_autofs.c +++ b/src/providers/ldap/sdap_async_autofs.c @@ -309,7 +309,7 @@ automntmaps_process_members_next_base(struct tevent_req *req) state->filter, state->attrs, state->opts->autofs_entry_map, SDAP_OPTS_AUTOFS_ENTRY, - state->timeout); + state->timeout, true); if (!subreq) { DEBUG(SSSDBG_CRIT_FAILURE, ("Cannot start search for entries\n")); return EIO; @@ -492,7 +492,8 @@ sdap_get_automntmap_next_base(struct tevent_req *req) state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->autofs_mobject_map, SDAP_OPTS_AUTOFS_MAP, - state->timeout); + state->timeout, + false); if (!subreq) { return EIO; } diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index aefe3538..d58ed468 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -746,7 +746,8 @@ sdap_process_missing_member_2307bis(struct tevent_req *req, grp_state->opts->user_map, SDAP_OPTS_USER, dp_opt_get_int(grp_state->opts->basic, - SDAP_SEARCH_TIMEOUT)); + SDAP_SEARCH_TIMEOUT), + false); if (!subreq) { return ENOMEM; } @@ -1109,7 +1110,8 @@ next: state->opts->user_map, SDAP_OPTS_USER, dp_opt_get_int(state->opts->basic, - SDAP_SEARCH_TIMEOUT)); + SDAP_SEARCH_TIMEOUT), + false); if (!subreq) { tevent_req_error(req, ENOMEM); return; @@ -1258,7 +1260,8 @@ static errno_t sdap_get_groups_next_base(struct tevent_req *req) state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->group_map, SDAP_OPTS_GROUP, - state->timeout); + state->timeout, + state->enumeration); /* If we're enumerating, we need paging */ if (!subreq) { return ENOMEM; } @@ -2537,7 +2540,8 @@ static errno_t sdap_nested_group_lookup_user(struct tevent_req *req, state->opts->user_map, SDAP_OPTS_USER, dp_opt_get_int(state->opts->basic, - SDAP_SEARCH_TIMEOUT)); + SDAP_SEARCH_TIMEOUT), + false); if (!subreq) { talloc_free(sdap_attrs); return EIO; @@ -2618,7 +2622,8 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req) state->opts->group_map, SDAP_OPTS_GROUP, dp_opt_get_int(state->opts->basic, - SDAP_SEARCH_TIMEOUT)); + SDAP_SEARCH_TIMEOUT), + false); if (!subreq) { talloc_free(sdap_attrs); return EIO; diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index 683e5116..2f8e1ef6 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -380,7 +380,8 @@ static errno_t sdap_initgr_rfc2307_next_base(struct tevent_req *req) state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->group_map, SDAP_OPTS_GROUP, - state->timeout); + state->timeout, + true); if (!subreq) { return ENOMEM; } @@ -774,7 +775,8 @@ static errno_t sdap_initgr_nested_noderef_search(struct tevent_req *req) state->filter, state->grp_attrs, state->opts->group_map, SDAP_OPTS_GROUP, dp_opt_get_int(state->opts->basic, - SDAP_SEARCH_TIMEOUT)); + SDAP_SEARCH_TIMEOUT), + false); if (!subreq) { return ENOMEM; } @@ -904,7 +906,8 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq) state->opts->group_map, SDAP_OPTS_GROUP, dp_opt_get_int(state->opts->basic, - SDAP_SEARCH_TIMEOUT)); + SDAP_SEARCH_TIMEOUT), + false); if (!subreq) { tevent_req_error(req, ENOMEM); return; @@ -1510,7 +1513,8 @@ static errno_t sdap_initgr_rfc2307bis_next_base(struct tevent_req *req) state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->group_map, SDAP_OPTS_GROUP, - state->timeout); + state->timeout, + true); if (!subreq) { talloc_zfree(req); return ENOMEM; @@ -2154,7 +2158,8 @@ static errno_t rfc2307bis_nested_groups_next_base(struct tevent_req *req) state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->group_map, SDAP_OPTS_GROUP, - state->timeout); + state->timeout, + true); if (!subreq) { return ENOMEM; } @@ -2472,7 +2477,8 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req) state->user_search_bases[state->user_base_iter]->scope, state->filter, state->user_attrs, state->opts->user_map, SDAP_OPTS_USER, - state->timeout); + state->timeout, + false); if (!subreq) { return ENOMEM; } diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c index 37aa2f11..931a1f86 100644 --- a/src/providers/ldap/sdap_async_netgroups.c +++ b/src/providers/ldap/sdap_async_netgroups.c @@ -432,7 +432,8 @@ static errno_t netgr_translate_members_ldap_step(struct tevent_req *req) cn_attr, state->opts->netgroup_map, SDAP_OPTS_NETGROUP, dp_opt_get_int(state->opts->basic, - SDAP_SEARCH_TIMEOUT)); + SDAP_SEARCH_TIMEOUT), + false); if (!subreq) { DEBUG(1, ("sdap_get_generic_send failed.\n")); return ENOMEM; @@ -621,7 +622,8 @@ static errno_t sdap_get_netgroups_next_base(struct tevent_req *req) state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->netgroup_map, SDAP_OPTS_NETGROUP, - state->timeout); + state->timeout, + false); if (!subreq) { return ENOMEM; } diff --git a/src/providers/ldap/sdap_async_services.c b/src/providers/ldap/sdap_async_services.c index 5bc04463..783861c7 100644 --- a/src/providers/ldap/sdap_async_services.c +++ b/src/providers/ldap/sdap_async_services.c @@ -148,7 +148,8 @@ sdap_get_services_next_base(struct tevent_req *req) state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->service_map, SDAP_OPTS_SERVICES, - state->timeout); + state->timeout, + state->enumeration); /* If we're enumerating, we need paging */ if (!subreq) { return ENOMEM; } diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c index a8595ac8..57540749 100644 --- a/src/providers/ldap/sdap_async_users.c +++ b/src/providers/ldap/sdap_async_users.c @@ -477,7 +477,8 @@ static errno_t sdap_get_users_next_base(struct tevent_req *req) state->search_bases[state->base_iter]->scope, state->filter, state->attrs, state->opts->user_map, SDAP_OPTS_USER, - state->timeout); + state->timeout, + state->enumeration); /* If we're enumerating, we need paging */ if (!subreq) { return ENOMEM; } diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c index 4aaf04ce..02d4f17b 100644 --- a/src/providers/ldap/sdap_sudo.c +++ b/src/providers/ldap/sdap_sudo.c @@ -514,7 +514,8 @@ static errno_t sdap_sudo_load_sudoers_next_base(struct tevent_req *req) state->attrs, state->opts->sudorule_map, SDAP_OPTS_SUDO, - state->timeout); + state->timeout, + true); if (subreq == NULL) { return ENOMEM; } |