On Thu, Oct 21, 2010 at 11:03:06AM +0200, Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 10/21/2010 10:19 AM, Sumit Bose wrote:
> > Hi,
> > 
> > as requested by ticket #568 this patch adds the option ldap_deref to
> > sssd.conf. This option controls how aliases are dereferenced.
> > 
> > bye,
> > Sumit
> > 
> > 
> 
> Just one comment - I think we usually treat options as case-insensitive
> and compare with strcasecmp.

you are right, new version attached.

bye,
Sumit

> 
> Other than that, looks good to me.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkzAAcoACgkQHsardTLnvCWjswCgwtoCLS/zLZFYjR7gpSWbO3d3
> g2UAoOvssXpCVDXejfCRGzDLY4rvHVNo
> =yuDt
> -----END PGP SIGNATURE-----
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
From e0bb4dcc33d3a9e43cf76c9627717d53454e71c1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Thu, 21 Oct 2010 10:13:46 +0200
Subject: [PATCH] Add ldap_deref option

---
 src/config/SSSDConfig.py                   |    1 +
 src/config/etc/sssd.api.d/sssd-ipa.conf    |    1 +
 src/config/etc/sssd.api.d/sssd-ldap.conf   |    1 +
 src/man/sssd-ldap.5.xml                    |   35 ++++++++++++++++++++++++++
 src/providers/ipa/ipa_common.c             |   13 +++++++++-
 src/providers/ipa/ipa_common.h             |    2 +-
 src/providers/ldap/ldap_common.c           |   13 +++++++++-
 src/providers/ldap/sdap.h                  |    1 +
 src/providers/ldap/sdap_async_connection.c |   37 ++++++++++++++++++++++++++++
 src/providers/ldap/sdap_async_private.h    |    2 +
 10 files changed, 103 insertions(+), 3 deletions(-)

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index f4734b8..d27d2f8 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -129,6 +129,7 @@ option_strings = {
     'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
     'ldap_referrals' : _('Follow LDAP referrals'),
     'ldap_krb5_ticket_lifetime' : _('Lifetime of TGT for LDAP connection'),
+    'ldap_deref' : _('How to dereference aliases'),
 
     # [provider/ldap/id]
     'ldap_search_timeout' : _('Length of time to wait for a search request'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf 
b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 001d4fc..04b6632 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -30,6 +30,7 @@ ldap_rootdse_last_usn = str, None, false
 ldap_referrals = bool, None, false
 ldap_krb5_ticket_lifetime = int, None, false
 ldap_dns_service_name = str, None, false
+ldap_deref = str, None, false
 
 [provider/ipa/id]
 ldap_search_timeout = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf 
b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 1f5d7ab..1af6b0c 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -23,6 +23,7 @@ ldap_rootdse_last_usn = str, None, false
 ldap_referrals = bool, None, false
 ldap_krb5_ticket_lifetime = int, None, false
 ldap_dns_service_name = str, None, false
+ldap_deref = str, None, false
 
 [provider/ldap/id]
 ldap_search_timeout = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 87d388a..8c38ca7 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -990,6 +990,41 @@ ldap_access_filter = 
memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ldap_deref (string)</term>
+                    <listitem>
+                        <para>
+                            Specifies how alias dereferencing is done when
+                            performing a search. The following options are
+                            allowed:
+                        </para>
+                        <para>
+                            <emphasis>never</emphasis>: Aliases are never
+                            dereferenced.
+                        </para>
+                        <para>
+                            <emphasis>searching</emphasis>: Aliases are
+                            dereferenced in subordinates of the base object,
+                            but not in locating the base object of the search.
+                        </para>
+                        <para>
+                            <emphasis>finding</emphasis>: Aliases are only
+                            dereferenced when locating the base object of the
+                            search.
+                        </para>
+                        <para>
+                            <emphasis>always</emphasis>: Aliases are
+                            dereferenced both in searching and in locating the
+                            base object of the search.
+                        </para>
+                        <para>
+                            Default: Empty (this is handled as
+                            <emphasis>never</emphasis> by the LDAP client
+                            libraries)
+                        </para>
+                    </listitem>
+                </varlistentry>
+
             </variablelist>
         </para>
     </refsect1>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 758bf9d..aee8b65 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -27,6 +27,7 @@
 #include <arpa/inet.h>
 
 #include "providers/ipa/ipa_common.h"
+#include "providers/ldap/sdap_async_private.h"
 
 struct dp_option ipa_basic_opts[] = {
     { "ipa_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
@@ -75,7 +76,8 @@ struct dp_option ipa_def_ldap_opts[] = {
     { "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) 
}, NULL_NUMBER },
     { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-    { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER }
+    { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER 
},
+    { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING }
 };
 
 struct sdap_attr_map ipa_attr_map[] = {
@@ -359,6 +361,15 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
                                     SDAP_NETGROUP_SEARCH_BASE)));
     }
 
+    value = dp_opt_get_string(ipa_opts->id->basic, SDAP_DEREF);
+    if (value != NULL) {
+        ret = deref_string_to_val(value, &i);
+        if (ret != EOK) {
+            DEBUG(1, ("Failed to verify ldap_deref option.\n"));
+            goto done;
+        }
+    }
+
     ret = sdap_get_map(ipa_opts->id, cdb, conf_path,
                        ipa_attr_map,
                        SDAP_AT_GENERAL,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 8cbcaeb..ef1cac2 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
 /* the following defines are used to keep track of the options in the ldap
  * module, so that if they change and ipa is not updated correspondingly
  * this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 38
+#define IPA_OPTS_BASIC_TEST 39
 
 /* the following define is used to keep track of the options in the krb5
  * module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index ea5f957..543774b 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -71,7 +71,8 @@ struct dp_option default_basic_opts[] = {
     { "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) 
}, NULL_NUMBER },
     { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-    { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER }
+    { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER 
},
+    { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING }
 };
 
 struct sdap_attr_map generic_attr_map[] = {
@@ -188,6 +189,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
     int ret;
     int account_cache_expiration;
     int offline_credentials_expiration;
+    const char *ldap_deref;
+    int ldap_deref_val;
 
     opts = talloc_zero(memctx, struct sdap_options);
     if (!opts) return ENOMEM;
@@ -293,6 +296,14 @@ int ldap_get_options(TALLOC_CTX *memctx,
         goto done;
     }
 
+    ldap_deref = dp_opt_get_string(opts->basic, SDAP_DEREF);
+    if (ldap_deref != NULL) {
+        ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
+        if (ret != EOK) {
+            DEBUG(1, ("Failed to verify ldap_deref option.\n"));
+            goto done;
+        }
+    }
 
 #ifndef HAVE_LDAP_CONNCB
     bool ldap_referrals;
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 4506085..be4cf8a 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -178,6 +178,7 @@ enum sdap_basic_opt {
     SDAP_ACCESS_FILTER,
     SDAP_NETGROUP_SEARCH_BASE,
     SDAP_NESTING_LEVEL,
+    SDAP_DEREF,
 
     SDAP_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ldap/sdap_async_connection.c 
b/src/providers/ldap/sdap_async_connection.c
index b620505..e4ca962 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -28,6 +28,24 @@
 
 #define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
 
+errno_t deref_string_to_val(const char *str, int *val)
+{
+    if (strcasecmp(str, "never") == 0) {
+        *val = LDAP_DEREF_NEVER;
+    } else if (strcasecmp(str, "searching") == 0) {
+        *val = LDAP_DEREF_SEARCHING;
+    } else if (strcasecmp(str, "finding") == 0) {
+        *val = LDAP_DEREF_FINDING;
+    } else if (strcasecmp(str, "always") == 0) {
+        *val = LDAP_DEREF_ALWAYS;
+    } else {
+        DEBUG(1, ("Illegal deref option [%s].\n", str));
+        return EINVAL;
+    }
+
+    return EOK;
+}
+
 /* ==Connect-to-LDAP-Server=============================================== */
 
 struct sdap_connect_state {
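Review bot: deref_string_to_val passes `str` straight to strcasecmp, so a NULL argument crashes inside libc even though the function is exported through sdap_async_private.h; all three callers in this patch pre-check dp_opt_get_string's result, but a guard `if (str == NULL) return EINVAL;` as the first statement keeps that contract inside the function rather than relying on every caller. The function and its prototype also carry no comment; a header comment along the lines of `/* Map an ldap_deref value (never, searching, finding or always, case-insensitive) to the matching LDAP_DEREF_* constant in *val; returns EINVAL and leaves *val untouched for anything else. */` would document the accepted set in one place, which the man page currently duplicates by hand. strcasecmp needs `<strings.h>`; the include block is outside the hunk, so whether it is already present cannot be seen here.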
@@ -61,6 +79,8 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
     int msgid;
     char *errmsg = NULL;
     bool ldap_referrals;
+    const char *ldap_deref;
+    int ldap_deref_val;
 
     req = tevent_req_create(memctx, &state, struct sdap_connect_state);
     if (!req) return NULL;
@@ -130,6 +150,23 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
         goto fail;
     }
 
+    /* Set alias dereferencing */
+    ldap_deref = dp_opt_get_string(opts->basic, SDAP_DEREF);
+    if (ldap_deref != NULL) {
+        ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
+        if (ret != EOK) {
+            DEBUG(1, ("deref_string_to_val failed.\n"));
+            goto fail;
+        }
+
+        lret = ldap_set_option(state->sh->ldap, LDAP_OPT_DEREF, 
&ldap_deref_val);
+        if (lret != LDAP_OPT_SUCCESS) {
+            DEBUG(1, ("Failed to set deref option to %d\n", ldap_deref_val));
+            goto fail;
+        }
+
+    }
+
     ret = setup_ldap_connection_callbacks(state->sh, state->ev);
     if (ret != EOK) {
         DEBUG(1, ("setup_ldap_connection_callbacks failed.\n"));
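Review bot: The failure message for ldap_set_option drops the return code, so a misbehaving library call is logged without the only diagnostic it provides; `DEBUG(1, ("Failed to set deref option to %d [%d]\n", ldap_deref_val, lret));` keeps it. Because ldap_get_options already rejects an invalid ldap_deref at startup, reaching the `deref_string_to_val failed` branch here means the stored option changed underneath the connection code, which is worth saying in the comment, e.g. `/* Already validated in ldap_get_options(); a failure here means the option changed after startup. */`. `lret` is declared outside the hunk and is presumably the int used for the earlier ldap_set_option calls in sdap_connect_send; the blank line before the closing brace of the `if` block is a leftover that clang-format would remove. sdap_connect_send continues beyond the hunk.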
diff --git a/src/providers/ldap/sdap_async_private.h 
b/src/providers/ldap/sdap_async_private.h
index 10ed446..f049fa6 100644
--- a/src/providers/ldap/sdap_async_private.h
+++ b/src/providers/ldap/sdap_async_private.h
@@ -53,6 +53,8 @@ int sdap_get_rootdse_recv(struct tevent_req *req,
                           TALLOC_CTX *memctx,
                           struct sysdb_attrs **rootdse);
 
+errno_t deref_string_to_val(const char *str, int *val);
+
 /* from sdap_child_helpers.c */
 
 struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx,
-- 
1.7.2.3

