From 3963d3fa9e3099bc02d612b5051d8b769d6e3a75 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Sun, 10 Jun 2012 13:06:57 -0400 Subject: LDAP: Add ldap_*_use_matching_rule_in_chain options --- src/config/SSSDConfig/__init__.py.in | 3 ++ src/config/etc/sssd.api.d/sssd-ipa.conf | 2 ++ src/config/etc/sssd.api.d/sssd-ldap.conf | 2 ++ src/man/sssd-ldap.5.xml | 47 ++++++++++++++++++++++++++++++++ src/providers/ipa/ipa_opts.h | 2 ++ src/providers/ldap/ldap_opts.h | 2 ++ src/providers/ldap/sdap.h | 2 ++ src/providers/ldap/sdap_async.h | 5 ++++ 8 files changed, 65 insertions(+) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 74bdde1d..d7895b49 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -273,6 +273,9 @@ option_strings = { 'ldap_idmap_default_domain' : _('Name of the default domain for ID-mapping'), 'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'), + 'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'), + 'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'), + # [provider/ldap/auth] 'ldap_pwd_policy' : _('Policy to evaluate the password expiration'), diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index 6094a47d..24f3c688 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -118,6 +118,8 @@ ldap_idmap_range_size = int, None, false ldap_idmap_autorid_compat = bool, None, false ldap_idmap_default_domain = str, None, false ldap_idmap_default_domain_sid = str, None, false +ldap_groups_use_matching_rule_in_chain = bool, None, false +ldap_initgroups_use_matching_rule_in_chain = bool, None, false [provider/ipa/auth] krb5_ccachedir = str, None, false 
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index a0694c70..cfd47e5e 100644 --- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -111,6 +111,8 @@ ldap_idmap_range_size = int, None, false ldap_idmap_autorid_compat = bool, None, false ldap_idmap_default_domain = str, None, false ldap_idmap_default_domain_sid = str, None, false +ldap_groups_use_matching_rule_in_chain = bool, None, false +ldap_initgroups_use_matching_rule_in_chain = bool, None, false [provider/ldap/auth] ldap_pwd_policy = str, None, false diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index de0fb5f6..e04befdb 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -830,6 +830,53 @@ + + ldap_groups_use_matching_rule_in_chain + + + This option tells SSSD to take advantage of an + Active Directory-specific feature which may speed + up group lookup operations on deployments with + complex or deep nested groups. + + + In most common cases, it is best to leave this + option disabled. It generally only provides a + performance increase on very complex nestings. + + + Note: This feature is currently known to work only + with Active Directory 2008 R1 and later. See + + MSDN(TM) documentation for more details. + + + Default: False + + + + + + ldap_initgroups_use_matching_rule_in_chain + + + This option tells SSSD to take advantage of an + Active Directory-specific feature which will speed + up initgroups operations (most notably when + dealing with complex or deep nested groups). + + + Note: This feature is currently known to work only + with Active Directory 2008 R1 and later. See + + MSDN(TM) documentation for more details. + + + Default: False + + + + ldap_netgroup_object_class (string) diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 770406cf..a0714cb4 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h 
@@ -121,6 +121,8 @@ struct dp_option ipa_def_ldap_opts[] = {
 { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 DP_OPTION_TERMINATOR
 };
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 62b03713..1c21bea9 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -102,6 +102,8 @@ struct dp_option default_basic_opts[] = {
 { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 DP_OPTION_TERMINATOR
 };
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 90558221..a92305ff 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -217,6 +217,8 @@ enum sdap_basic_opt {
 SDAP_IDMAP_AUTORID_COMPAT,
 SDAP_IDMAP_DEFAULT_DOMAIN,
 SDAP_IDMAP_DEFAULT_DOMAIN_SID,
+ SDAP_AD_MATCHING_RULE_GROUPS,
+ SDAP_AD_MATCHING_RULE_INITGROUPS,
 SDAP_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 34fb40da..7b5dba7b 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
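Review bot: The two new enumerators SDAP_AD_MATCHING_RULE_GROUPS and SDAP_AD_MATCHING_RULE_INITGROUPS appear to be positional indexes into default_basic_opts[] and ipa_def_ldap_opts[] (SDAP_OPTS_BASIC is the "opts counter"), so their order has to match the two dp_option rows added in the same commit, and nothing in sdap.h records that coupling; a later insertion in only one of the three places would silently make the code read a neighbouring option. A short comment on the new entries would pin it down: `SDAP_AD_MATCHING_RULE_GROUPS,     /* keep order in sync with default_basic_opts[] and ipa_def_ldap_opts[] */`. The placement before SDAP_OPTS_BASIC is correct since the counter must stay last; enum sdap_basic_opt itself begins outside the hunk. As a minor naming point, the enumerators say AD_MATCHING_RULE while the config options are ldap_*_use_matching_rule_in_chain, so a reader grepping one spelling will not find the other.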
@@ -243,4 +243,9 @@ enum_services_send(TALLOC_CTX *memctx,
 errno_t enum_services_recv(struct tevent_req *req);
+/* OID documented in
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx
+ */
+#define SDAP_MATCHING_RULE_IN_CHAIN "1.2.840.113556.1.4.1941"
+
 #endif /* _SDAP_ASYNC_H_ */
-- cgit
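Review bot: The new SDAP_MATCHING_RULE_IN_CHAIN macro is a bare OID string documented only by an MSDN URL, with no statement of what it is or how it is meant to be used; the filter-building code is not in this commit, so this is inferred, but an extensible-match filter such as `(member:1.2.840.113556.1.4.1941:=<dn>)` embeds a DN read back from the directory, and that DN must be RFC 4515-escaped before interpolation or a crafted DN could alter the filter. A comment stating both the meaning and that requirement would be worth adding next to the define: `/* LDAP_MATCHING_RULE_IN_CHAIN: Active Directory transitive-membership rule; any DN compared with it must be RFC 4515-escaped before being placed in a filter */`. The macro also lands in sdap_async.h while the options that select it (SDAP_AD_MATCHING_RULE_*) are declared in sdap.h, so collocating the two would make the feature easier to find.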