On Thu, Mar 05, 2015 at 09:16:36AM +0100, Sumit Bose wrote:
> On Wed, Mar 04, 2015 at 06:14:53PM +0100, Sumit Bose wrote:
> > On Wed, Mar 04, 2015 at 04:17:55PM +0200, Alexander Bokovoy wrote:
> > > On Mon, 02 Mar 2015, Sumit Bose wrote:
> > > >diff --git 
> > > >a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
> > > >b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
> > > >index 
> > > >20fdd62b20f28f5384cf83b8be5819f721c6c3db..84aeb28066f25f05a89d0c2d42e8b060e2399501
> > > > 100644
> > > >--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
> > > >+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
> > > >@@ -49,6 +49,220 @@
> > > >
> > > >#define MAX(a,b) (((a)>(b))?(a):(b))
> > > >#define SSSD_DOMAIN_SEPARATOR '@'
> > > >+#define MAX_BUF (1024*1024*1024)
> > > >+
> > > >+
> > > >+
> > > >+static int get_buffer(size_t *_buf_len, char **_buf)
> > > >+{
> > > >+    long pw_max;
> > > >+    long gr_max;
> > > >+    size_t buf_len;
> > > >+    char *buf;
> > > >+
> > > >+    pw_max = sysconf(_SC_GETPW_R_SIZE_MAX);
> > > >+    gr_max = sysconf(_SC_GETGR_R_SIZE_MAX);
> > > >+
> > > >+    if (pw_max == -1 && gr_max == -1) {
> > > >+        buf_len = 16384;
> > > >+    } else {
> > > >+        buf_len = MAX(pw_max, gr_max);
> > > >+    }
> > > Here you'd get buf_len equal to 1024 by default on Linux which is too
> > > low for our use case. I think it would be beneficial to add one more
> > > MAX(buf_len, 16384):
> > > -    if (pw_max == -1 && gr_max == -1) {
> > > -        buf_len = 16384;
> > > -    } else {
> > > -        buf_len = MAX(pw_max, gr_max);
> > > -    }
> > > +    buf_len = MAX(16384, MAX(pw_max, gr_max));
> > > 
> > > with MAX(MAX(),..) you also get rid of if() statement as resulting
> > > rvalue would be guaranteed to be positive.
> > 
> > done
> > 
> > > 
> > > The rest is going along the common lines but would it be better to
> > > allocate memory once per LDAP client request rather than always ask for
> > > it per each NSS call? You can guarantee a sequential use of the buffer
> > > within the LDAP client request processing so there is no problem with
> > > locks but having this memory re-allocated on subsequent
> > > getpwnam()/getpwuid()/... calls within the same request processing seems
> > > suboptimal to me.
> > 
> > ok, makes sense, I moved get_buffer() back to the callers.
> > 
> > New version attached.
> 
> Please ignore this patch, I will send a revised version soon.

Please find attached a revised version which properly reports missing
objects and out-of-memory cases and makes sure buf and buf_len are in
sync.

bye,
Sumit

> 
> bye,
> Sumit
> 
> > 
> > bye,
> > Sumit
> > 
> > > 
> > > -- 
> > > / Alexander Bokovoy
> 
From 0b4e302866f734b93176d9104bd78a2e55702c40 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 24 Feb 2015 15:29:00 +0100
Subject: [PATCH 134/136] Add configure check for cwrap libraries

Currently only nss-wrapper is checked, checks for other cwrap libraries
can be added e.g. as

AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)
---
 daemons/configure.ac | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 
97cd25115f371e9e549d209401df9325c7e112c1..7c979fe2d0b91e9d71fe4ca5a50ad78a4de79298
 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -236,6 +236,30 @@ PKG_CHECK_EXISTS(cmocka,
 )
 AM_CONDITIONAL([HAVE_CMOCKA], [test x$have_cmocka = xyes])
 
+dnl A macro to check presence of a cwrap (http://cwrap.org) wrapper on the 
system
+dnl Usage:
+dnl     AM_CHECK_WRAPPER(name, conditional)
+dnl If the cwrap library is found, sets the HAVE_$name conditional
+AC_DEFUN([AM_CHECK_WRAPPER],
+[
+    FOUND_WRAPPER=0
+
+    AC_MSG_CHECKING([for $1])
+    PKG_CHECK_EXISTS([$1],
+                     [
+                        AC_MSG_RESULT([yes])
+                        FOUND_WRAPPER=1
+                     ],
+                     [
+                        AC_MSG_RESULT([no])
+                        AC_MSG_WARN([cwrap library $1 not found, some tests 
will not run])
+                     ])
+
+    AM_CONDITIONAL($2, [ test x$FOUND_WRAPPER = x1])
+])
+
+AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
+
 dnl -- dirsrv is needed for the extdom unit tests --
 PKG_CHECK_MODULES([DIRSRV], [dirsrv  >= 1.3.0])
 dnl -- sss_idmap is needed by the extdom exop --
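Review bot: The macro defined with `AC_DEFUN([AM_CHECK_WRAPPER], ...)` takes a name in the `AM_` namespace, which Automake reserves for its own macros, and it passes `$2` to `AM_CONDITIONAL` unquoted. A project-specific prefix and `AM_CONDITIONAL([$2], ...)` would avoid a clash with a future Automake macro and accidental expansion of the conditional name. The `dnl` usage comment also says the macro sets `HAVE_$name`, while the conditional is really whatever is passed as the second argument; the comment should say so.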
-- 
2.1.0

From 0a5614b12446b69ea8b77a827ce2c7627f0b1ca4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 24 Feb 2015 15:33:39 +0100
Subject: [PATCH 135/136] extdom: handle ERANGE return code for getXXYYY_r()
 calls

The getXXYYY_r() calls require a buffer to store the variable data of
the passwd and group structs. If the provided buffer is too small ERANGE
is returned and the caller can try with a larger buffer again.

Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.

Resolves https://fedorahosted.org/freeipa/ticket/4908
---
 .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am |  31 ++-
 .../ipa-extdom-extop/ipa_extdom.h                  |   9 +
 .../ipa-extdom-extop/ipa_extdom_cmocka_tests.c     | 226 +++++++++++++++
 .../ipa-extdom-extop/ipa_extdom_common.c           | 309 +++++++++++++++------
 .../ipa-extdom-extop/test_data/group               |   2 +
 .../ipa-extdom-extop/test_data/passwd              |   2 +
 .../ipa-extdom-extop/test_data/test_setup.sh       |   3 +
 7 files changed, 498 insertions(+), 84 deletions(-)
 create mode 100644 
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
 create mode 100644 
daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
index 
0008476796f5b20f62f2c32e7b291b787fa7a6fc..a1679812ef3c5de8c6e18433cbb991a99ad0b6c8
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
@@ -35,9 +35,20 @@ libipa_extdom_extop_la_LIBADD =      \
        $(SSSNSSIDMAP_LIBS)     \
        $(NULL)
 
+TESTS =
+check_PROGRAMS =
+
 if HAVE_CHECK
-TESTS = extdom_tests
-check_PROGRAMS = extdom_tests
+TESTS += extdom_tests
+check_PROGRAMS += extdom_tests
+endif
+
+if HAVE_CMOCKA
+if HAVE_NSS_WRAPPER
+TESTS_ENVIRONMENT = . ./test_data/test_setup.sh;
+TESTS += extdom_cmocka_tests
+check_PROGRAMS += extdom_cmocka_tests
+endif
 endif
 
 extdom_tests_SOURCES =         \
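Review bot: `TESTS_ENVIRONMENT = . ./test_data/test_setup.sh;` inside the `HAVE_CMOCKA`/`HAVE_NSS_WRAPPER` block is not scoped to `extdom_cmocka_tests`: Automake applies `TESTS_ENVIRONMENT` to every entry in `TESTS`, so `extdom_tests` will also run under the nss_wrapper setup when both conditionals are true. The path is also relative to the build directory, which breaks out-of-tree builds; `$(srcdir)/test_data/test_setup.sh` would be safer. This hunk does not add the new `test_data` files to `EXTRA_DIST` either, so they need to be listed there if nothing else in the file covers them.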
@@ -55,6 +66,22 @@ extdom_tests_LDADD =                 \
        $(SSSNSSIDMAP_LIBS)     \
        $(NULL)
 
+extdom_cmocka_tests_SOURCES =          \
+       ipa_extdom_cmocka_tests.c       \
+       ipa_extdom_common.c             \
+       $(NULL)
+extdom_cmocka_tests_CFLAGS = $(CMOCKA_CFLAGS)
+extdom_cmocka_tests_LDFLAGS =  \
+       -rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \
+       $(NULL)
+extdom_cmocka_tests_LDADD =    \
+       $(CMOCKA_LIBS)          \
+       $(LDAP_LIBS)            \
+       $(DIRSRV_LIBS)          \
+       $(SSSNSSIDMAP_LIBS)     \
+       $(NULL)
+
+
 appdir = $(IPA_DATA_DIR)
 app_DATA =                             \
        ipa-extdom-extop-conf.ldif      \
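Review bot: In `extdom_cmocka_tests_LDFLAGS`, `-rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//')` depends on GNU make's `$(shell ...)` and on pkg-config printing exactly one `-L` entry. If dirsrv installs into a default library directory the output is empty and `-rpath` swallows the next linker argument; with several `-L` entries only the first `-L` is stripped. Computing the directory once in configure.ac and substituting it with `AC_SUBST` would make the failure visible at configure time.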
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 
56ca5009b1aa427f6c059b78ac392c768e461e2e..40bf933920fdd2ca19e5ef195aaa8fb820446cc5
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -174,4 +174,13 @@ int check_request(struct extdom_req *req, enum 
extdom_version version);
 int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
                    struct berval **berval);
 int pack_response(struct extdom_res *res, struct berval **ret_val);
+int get_buffer(size_t *_buf_len, char **_buf);
+int getpwnam_r_wrapper(size_t buf_max, const char *name,
+                       struct passwd *pwd, char **_buf, size_t *_buf_len);
+int getpwuid_r_wrapper(size_t buf_max, uid_t uid,
+                       struct passwd *pwd, char **_buf, size_t *_buf_len);
+int getgrnam_r_wrapper(size_t buf_max, const char *name,
+                       struct group *grp, char **_buf, size_t *_buf_len);
+int getgrgid_r_wrapper(size_t buf_max, gid_t gid,
+                       struct group *grp, char **_buf, size_t *_buf_len);
 #endif /* _IPA_EXTDOM_H_ */
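Review bot: The new prototypes are exported without any description of their contract, and the two groups use different return conventions: `get_buffer()` returns LDAP result codes, while the `get*_r_wrapper()` functions return errno values (`ENOENT`, `ERANGE`, `ENOMEM`). A short comment above them should state that, and also that the wrappers may `realloc()` `*_buf`, so the caller has to keep using the updated pointer and length and free the buffer itself. `get_buffer` is also a very generic name for a non-static symbol in a plugin; a prefixed name would reduce the chance of a symbol clash.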
diff --git 
a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
new file mode 100644
index 
0000000000000000000000000000000000000000..d5bacd7e8c9dc0a71eea70162406c7e5b67384ad
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
@@ -0,0 +1,226 @@
+/*
+    Authors:
+        Sumit Bose <sb...@redhat.com>
+
+    Copyright (C) 2015 Red Hat
+
+    Extdom tests
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include <sys/types.h>
+#include <pwd.h>
+
+
+#include "ipa_extdom.h"
+
+#define MAX_BUF (1024*1024*1024)
+
+void test_getpwnam_r_wrapper(void **state)
+{
+    int ret;
+    struct passwd pwd;
+    char *buf;
+    size_t buf_len;
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwnam_r_wrapper(MAX_BUF, "non_exisiting_user", &pwd, &buf,
+                             &buf_len);
+    assert_int_equal(ret, ENOENT);
+
+    ret = getpwnam_r_wrapper(MAX_BUF, "user", &pwd, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(pwd.pw_name, "user");
+    assert_string_equal(pwd.pw_passwd, "x");
+    assert_int_equal(pwd.pw_uid, 12345);
+    assert_int_equal(pwd.pw_gid, 23456);
+    assert_string_equal(pwd.pw_gecos, "gecos");
+    assert_string_equal(pwd.pw_dir, "/home/user");
+    assert_string_equal(pwd.pw_shell, "/bin/shell");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwnam_r_wrapper(MAX_BUF, "user_big", &pwd, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(pwd.pw_name, "user_big");
+    assert_string_equal(pwd.pw_passwd, "x");
+    assert_int_equal(pwd.pw_uid, 12346);
+    assert_int_equal(pwd.pw_gid, 23457);
+    assert_int_equal(strlen(pwd.pw_gecos), 4000 * strlen("gecos"));
+    assert_string_equal(pwd.pw_dir, "/home/user_big");
+    assert_string_equal(pwd.pw_shell, "/bin/shell");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwnam_r_wrapper(1024, "user_big", &pwd, &buf, &buf_len);
+    assert_int_equal(ret, ERANGE);
+    free(buf);
+}
+
+void test_getpwuid_r_wrapper(void **state)
+{
+    int ret;
+    struct passwd pwd;
+    char *buf;
+    size_t buf_len;
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwuid_r_wrapper(MAX_BUF, 99999, &pwd, &buf, &buf_len);
+    assert_int_equal(ret, ENOENT);
+
+    ret = getpwuid_r_wrapper(MAX_BUF, 12345, &pwd, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(pwd.pw_name, "user");
+    assert_string_equal(pwd.pw_passwd, "x");
+    assert_int_equal(pwd.pw_uid, 12345);
+    assert_int_equal(pwd.pw_gid, 23456);
+    assert_string_equal(pwd.pw_gecos, "gecos");
+    assert_string_equal(pwd.pw_dir, "/home/user");
+    assert_string_equal(pwd.pw_shell, "/bin/shell");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwuid_r_wrapper(MAX_BUF, 12346, &pwd, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(pwd.pw_name, "user_big");
+    assert_string_equal(pwd.pw_passwd, "x");
+    assert_int_equal(pwd.pw_uid, 12346);
+    assert_int_equal(pwd.pw_gid, 23457);
+    assert_int_equal(strlen(pwd.pw_gecos), 4000 * strlen("gecos"));
+    assert_string_equal(pwd.pw_dir, "/home/user_big");
+    assert_string_equal(pwd.pw_shell, "/bin/shell");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getpwuid_r_wrapper(1024, 12346, &pwd, &buf, &buf_len);
+    assert_int_equal(ret, ERANGE);
+    free(buf);
+}
+
+void test_getgrnam_r_wrapper(void **state)
+{
+    int ret;
+    struct group grp;
+    char *buf;
+    size_t buf_len;
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrnam_r_wrapper(MAX_BUF, "non_exisiting_group", &grp, &buf, 
&buf_len);
+    assert_int_equal(ret, ENOENT);
+
+    ret = getgrnam_r_wrapper(MAX_BUF, "group", &grp, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(grp.gr_name, "group");
+    assert_string_equal(grp.gr_passwd, "x");
+    assert_int_equal(grp.gr_gid, 11111);
+    assert_string_equal(grp.gr_mem[0], "member0001");
+    assert_string_equal(grp.gr_mem[1], "member0002");
+    assert_null(grp.gr_mem[2]);
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrnam_r_wrapper(MAX_BUF, "group_big", &grp, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(grp.gr_name, "group_big");
+    assert_string_equal(grp.gr_passwd, "x");
+    assert_int_equal(grp.gr_gid, 22222);
+    assert_string_equal(grp.gr_mem[0], "member0001");
+    assert_string_equal(grp.gr_mem[1], "member0002");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrnam_r_wrapper(1024, "group_big", &grp, &buf, &buf_len);
+    assert_int_equal(ret, ERANGE);
+    free(buf);
+}
+
+void test_getgrgid_r_wrapper(void **state)
+{
+    int ret;
+    struct group grp;
+    char *buf;
+    size_t buf_len;
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrgid_r_wrapper(MAX_BUF, 99999, &grp, &buf, &buf_len);
+    assert_int_equal(ret, ENOENT);
+
+    ret = getgrgid_r_wrapper(MAX_BUF, 11111, &grp, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(grp.gr_name, "group");
+    assert_string_equal(grp.gr_passwd, "x");
+    assert_int_equal(grp.gr_gid, 11111);
+    assert_string_equal(grp.gr_mem[0], "member0001");
+    assert_string_equal(grp.gr_mem[1], "member0002");
+    assert_null(grp.gr_mem[2]);
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrgid_r_wrapper(MAX_BUF, 22222, &grp, &buf, &buf_len);
+    assert_int_equal(ret, 0);
+    assert_string_equal(grp.gr_name, "group_big");
+    assert_string_equal(grp.gr_passwd, "x");
+    assert_int_equal(grp.gr_gid, 22222);
+    assert_string_equal(grp.gr_mem[0], "member0001");
+    assert_string_equal(grp.gr_mem[1], "member0002");
+    free(buf);
+
+    ret = get_buffer(&buf_len, &buf);
+    assert_int_equal(ret, 0);
+
+    ret = getgrgid_r_wrapper(1024, 22222, &grp, &buf, &buf_len);
+    assert_int_equal(ret, ERANGE);
+    free(buf);
+}
+
+int main(int argc, const char *argv[])
+{
+    const UnitTest tests[] = {
+        unit_test(test_getpwnam_r_wrapper),
+        unit_test(test_getpwuid_r_wrapper),
+        unit_test(test_getgrnam_r_wrapper),
+        unit_test(test_getgrgid_r_wrapper),
+    };
+
+    return run_tests(tests);
+}
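Review bot: The include list at the top of the new test file has no `<stdlib.h>`, `<string.h>` or `<grp.h>`, although the tests call `free()` and `strlen()` and declare `struct group`, so the file only builds cleanly if `ipa_extdom.h` happens to pull those headers in; include them directly. In the `group_big` cases only `gr_mem[0]` and `gr_mem[1]` are checked, which would also pass on a truncated member list; asserting on the last member and the terminating NULL would cover the grown-buffer path properly. `MAX_BUF` is redefined here as a copy of the value in `ipa_extdom_common.c`, and the two can drift apart.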
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 
20fdd62b20f28f5384cf83b8be5819f721c6c3db..cbe336963ffbafadd5a7b8029a65fafe506f75e8
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -49,6 +49,188 @@
 
 #define MAX(a,b) (((a)>(b))?(a):(b))
 #define SSSD_DOMAIN_SEPARATOR '@'
+#define MAX_BUF (1024*1024*1024)
+
+
+
+int get_buffer(size_t *_buf_len, char **_buf)
+{
+    long pw_max;
+    long gr_max;
+    size_t buf_len;
+    char *buf;
+
+    pw_max = sysconf(_SC_GETPW_R_SIZE_MAX);
+    gr_max = sysconf(_SC_GETGR_R_SIZE_MAX);
+
+    buf_len = MAX(16384, MAX(pw_max, gr_max));
+
+    buf = malloc(sizeof(char) * buf_len);
+    if (buf == NULL) {
+        return LDAP_OPERATIONS_ERROR;
+    }
+
+    *_buf_len = buf_len;
+    *_buf = buf;
+
+    return LDAP_SUCCESS;
+}
+
+static int inc_buffer(size_t buf_max, size_t *_buf_len, char **_buf)
+{
+    size_t tmp_len;
+    char *tmp_buf;
+
+    tmp_buf = *_buf;
+    tmp_len = *_buf_len;
+
+    tmp_len *= 2;
+    if (tmp_len > buf_max) {
+        return ERANGE;
+    }
+
+    tmp_buf = realloc(tmp_buf, tmp_len);
+    if (tmp_buf == NULL) {
+        return ENOMEM;
+    }
+
+    *_buf_len = tmp_len;
+    *_buf = tmp_buf;
+
+    return 0;
+}
+
+int getpwnam_r_wrapper(size_t buf_max, const char *name,
+                       struct passwd *pwd, char **_buf, size_t *_buf_len)
+{
+    char *buf = NULL;
+    size_t buf_len = 0;
+    int ret;
+    struct passwd *result = NULL;
+
+    buf = *_buf;
+    buf_len = *_buf_len;
+
+    while (buf != NULL
+            && (ret = getpwnam_r(name, pwd, buf, buf_len, &result)) == ERANGE) 
{
+        ret = inc_buffer(buf_max, &buf_len, &buf);
+        if (ret != 0) {
+            if (ret == ERANGE) {
+                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
+            }
+            goto done;
+        }
+    }
+
+    if (ret == 0 && result == NULL) {
+        ret = ENOENT;
+    }
+
+done:
+    *_buf = buf;
+    *_buf_len = buf_len;
+
+    return ret;
+}
+
+int getpwuid_r_wrapper(size_t buf_max, uid_t uid,
+                       struct passwd *pwd, char **_buf, size_t *_buf_len)
+{
+    char *buf = NULL;
+    size_t buf_len = 0;
+    int ret;
+    struct passwd *result = NULL;
+
+    buf = *_buf;
+    buf_len = *_buf_len;
+
+    while (buf != NULL
+            && (ret = getpwuid_r(uid, pwd, buf, buf_len, &result)) == ERANGE) {
+        ret = inc_buffer(buf_max, &buf_len, &buf);
+        if (ret != 0) {
+            if (ret == ERANGE) {
+                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
+            }
+            goto done;
+        }
+    }
+
+    if (ret == 0 && result == NULL) {
+        ret = ENOENT;
+    }
+
+done:
+    *_buf = buf;
+    *_buf_len = buf_len;
+
+    return ret;
+}
+
+int getgrnam_r_wrapper(size_t buf_max, const char *name,
+                       struct group *grp, char **_buf, size_t *_buf_len)
+{
+    char *buf = NULL;
+    size_t buf_len = 0;
+    int ret;
+    struct group *result = NULL;
+
+    buf = *_buf;
+    buf_len = *_buf_len;
+
+    while (buf != NULL
+            && (ret = getgrnam_r(name, grp, buf, buf_len, &result)) == ERANGE) 
{
+        ret = inc_buffer(buf_max, &buf_len, &buf);
+        if (ret != 0) {
+            if (ret == ERANGE) {
+                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
+            }
+            goto done;
+        }
+    }
+
+    if (ret == 0 && result == NULL) {
+        ret = ENOENT;
+    }
+
+done:
+    *_buf = buf;
+    *_buf_len = buf_len;
+
+    return ret;
+}
+
+int getgrgid_r_wrapper(size_t buf_max, gid_t gid,
+                       struct group *grp, char **_buf, size_t *_buf_len)
+{
+    char *buf = NULL;
+    size_t buf_len = 0;
+    int ret;
+    struct group *result = NULL;
+
+    buf = *_buf;
+    buf_len = *_buf_len;
+
+    while (buf != NULL
+            && (ret = getgrgid_r(gid, grp, buf, buf_len, &result)) == ERANGE) {
+        ret = inc_buffer(buf_max, &buf_len, &buf);
+        if (ret != 0) {
+            if (ret == ERANGE) {
+                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
+            }
+            goto done;
+        }
+    }
+
+    if (ret == 0 && result == NULL) {
+        ret = ENOENT;
+    }
+
+done:
+    *_buf = buf;
+    *_buf_len = buf_len;
+
+    return ret;
+}
 
 int parse_request_data(struct berval *req_val, struct extdom_req **_req)
 {
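Review bot: In all four `get*_r_wrapper()` functions `ret` is declared without an initial value, and the loop condition `while (buf != NULL && (ret = ...) == ERANGE)` short-circuits when the caller passes a NULL `*_buf`, so the following `if (ret == 0 && result == NULL)` and the final `return ret` read an uninitialized variable. Check for `buf == NULL` up front and return `EINVAL`, or initialize `ret`. The log text `increase ipaExtdomMaxNssBufSize` names a setting, but every caller in this patch passes the compile-time `MAX_BUF`, so either the message should match the code or the limit should come from that setting. The four wrappers differ only in the libc call and could share the retry loop.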
@@ -191,33 +373,6 @@ int check_request(struct extdom_req *req, enum 
extdom_version version)
     return LDAP_SUCCESS;
 }
 
-static int get_buffer(size_t *_buf_len, char **_buf)
-{
-    long pw_max;
-    long gr_max;
-    size_t buf_len;
-    char *buf;
-
-    pw_max = sysconf(_SC_GETPW_R_SIZE_MAX);
-    gr_max = sysconf(_SC_GETGR_R_SIZE_MAX);
-
-    if (pw_max == -1 && gr_max == -1) {
-        buf_len = 16384;
-    } else {
-        buf_len = MAX(pw_max, gr_max);
-    }
-
-    buf = malloc(sizeof(char) * buf_len);
-    if (buf == NULL) {
-        return LDAP_OPERATIONS_ERROR;
-    }
-
-    *_buf_len = buf_len;
-    *_buf = buf;
-
-    return LDAP_SUCCESS;
-}
-
 static int get_user_grouplist(const char *name, gid_t gid,
                               size_t *_ngroups, gid_t **_groups )
 {
@@ -323,7 +478,6 @@ static int pack_ber_user(enum response_types response_type,
     size_t buf_len;
     char *buf = NULL;
     struct group grp;
-    struct group *grp_result;
     size_t c;
     char *locat;
     char *short_user_name = NULL;
@@ -375,13 +529,13 @@ static int pack_ber_user(enum response_types 
response_type,
         }
 
         for (c = 0; c < ngroups; c++) {
-            ret = getgrgid_r(groups[c], &grp, buf, buf_len, &grp_result);
+            ret = getgrgid_r_wrapper(MAX_BUF, groups[c], &grp, &buf, &buf_len);
             if (ret != 0) {
-                ret = LDAP_NO_SUCH_OBJECT;
-                goto done;
-            }
-            if (grp_result == NULL) {
-                ret = LDAP_NO_SUCH_OBJECT;
+                if (ret == ENOMEM || ret == ERANGE) {
+                    ret = LDAP_OPERATIONS_ERROR;
+                } else {
+                    ret = LDAP_NO_SUCH_OBJECT;
+                }
                 goto done;
             }
 
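Review bot: In the new error branch after `getgrgid_r_wrapper()`, every return value other than `ENOMEM` and `ERANGE` is turned into `LDAP_NO_SUCH_OBJECT`, so a real backend failure such as `EIO` or `EMFILE` is reported to the client as a missing object. The wrapper already returns `ENOENT` for the case where the call succeeds with no result; if the remaining codes are deliberately treated as not found because several errno values can mean that, say so in a comment here, otherwise map only the known not-found codes to `LDAP_NO_SUCH_OBJECT`. The same branch is repeated in the uid, gid, SID and name handlers further down and could be a small helper.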
@@ -542,7 +696,6 @@ static int handle_uid_request(enum request_types 
request_type, uid_t uid,
 {
     int ret;
     struct passwd pwd;
-    struct passwd *pwd_result = NULL;
     char *sid_str = NULL;
     enum sss_id_type id_type;
     size_t buf_len;
@@ -568,13 +721,13 @@ static int handle_uid_request(enum request_types 
request_type, uid_t uid,
 
         ret = pack_ber_sid(sid_str, berval);
     } else {
-        ret = getpwuid_r(uid, &pwd, buf, buf_len, &pwd_result);
+        ret = getpwuid_r_wrapper(MAX_BUF, uid, &pwd, &buf, &buf_len);
         if (ret != 0) {
-            ret = LDAP_NO_SUCH_OBJECT;
-            goto done;
-        }
-        if (pwd_result == NULL) {
-            ret = LDAP_NO_SUCH_OBJECT;
+            if (ret == ENOMEM || ret == ERANGE) {
+                ret = LDAP_OPERATIONS_ERROR;
+            } else {
+                ret = LDAP_NO_SUCH_OBJECT;
+            }
             goto done;
         }
 
@@ -610,7 +763,6 @@ static int handle_gid_request(enum request_types 
request_type, gid_t gid,
 {
     int ret;
     struct group grp;
-    struct group *grp_result = NULL;
     char *sid_str = NULL;
     enum sss_id_type id_type;
     size_t buf_len;
@@ -635,13 +787,13 @@ static int handle_gid_request(enum request_types 
request_type, gid_t gid,
 
         ret = pack_ber_sid(sid_str, berval);
     } else {
-        ret = getgrgid_r(gid, &grp, buf, buf_len, &grp_result);
+        ret = getgrgid_r_wrapper(MAX_BUF, gid, &grp, &buf, &buf_len);
         if (ret != 0) {
-            ret = LDAP_NO_SUCH_OBJECT;
-            goto done;
-        }
-        if (grp_result == NULL) {
-            ret = LDAP_NO_SUCH_OBJECT;
+            if (ret == ENOMEM || ret == ERANGE) {
+                ret = LDAP_OPERATIONS_ERROR;
+            } else {
+                ret = LDAP_NO_SUCH_OBJECT;
+            }
             goto done;
         }
 
@@ -676,9 +828,7 @@ static int handle_sid_request(enum request_types 
request_type, const char *sid,
 {
     int ret;
     struct passwd pwd;
-    struct passwd *pwd_result = NULL;
     struct group grp;
-    struct group *grp_result = NULL;
     char *domain_name = NULL;
     char *fq_name = NULL;
     char *object_name = NULL;
@@ -724,14 +874,13 @@ static int handle_sid_request(enum request_types 
request_type, const char *sid,
     switch(id_type) {
     case SSS_ID_TYPE_UID:
     case SSS_ID_TYPE_BOTH:
-        ret = getpwnam_r(fq_name, &pwd, buf, buf_len, &pwd_result);
+        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
         if (ret != 0) {
-            ret = LDAP_NO_SUCH_OBJECT;
-            goto done;
-        }
-
-        if (pwd_result == NULL) {
-            ret = LDAP_NO_SUCH_OBJECT;
+            if (ret == ENOMEM || ret == ERANGE) {
+                ret = LDAP_OPERATIONS_ERROR;
+            } else {
+                ret = LDAP_NO_SUCH_OBJECT;
+            }
             goto done;
         }
 
@@ -755,14 +904,13 @@ static int handle_sid_request(enum request_types 
request_type, const char *sid,
                             pwd.pw_shell, kv_list, berval);
         break;
     case SSS_ID_TYPE_GID:
-        ret = getgrnam_r(fq_name, &grp, buf, buf_len, &grp_result);
+        ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
         if (ret != 0) {
-            ret = LDAP_NO_SUCH_OBJECT;
-            goto done;
-        }
-
-        if (grp_result == NULL) {
-            ret = LDAP_NO_SUCH_OBJECT;
+            if (ret == ENOMEM || ret == ERANGE) {
+                ret = LDAP_OPERATIONS_ERROR;
+            } else {
+                ret = LDAP_NO_SUCH_OBJECT;
+            }
             goto done;
         }
 
@@ -806,9 +954,7 @@ static int handle_name_request(enum request_types 
request_type,
     int ret;
     char *fq_name = NULL;
     struct passwd pwd;
-    struct passwd *pwd_result = NULL;
     struct group grp;
-    struct group *grp_result = NULL;
     char *sid_str = NULL;
     enum sss_id_type id_type;
     size_t buf_len;
@@ -842,15 +988,8 @@ static int handle_name_request(enum request_types 
request_type,
             goto done;
         }
 
-        ret = getpwnam_r(fq_name, &pwd, buf, buf_len, &pwd_result);
-        if (ret != 0) {
-            /* according to the man page there are a couple of error codes
-             * which can indicate that the user was not found. To be on the
-             * safe side we fail back to the group lookup on all errors. */
-            pwd_result = NULL;
-        }
-
-        if (pwd_result != NULL) {
+        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
+        if (ret == 0) {
             if (request_type == REQ_FULL_WITH_GROUPS) {
                 ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
                 if (ret != 0 || !(id_type == SSS_ID_TYPE_UID
@@ -868,15 +1007,21 @@ static int handle_name_request(enum request_types 
request_type,
                                 domain_name, pwd.pw_name, pwd.pw_uid,
                                 pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
                                 pwd.pw_shell, kv_list, berval);
+        } else if (ret == ENOMEM || ret == ERANGE) {
+            ret = LDAP_OPERATIONS_ERROR;
+            goto done;
         } else { /* no user entry found */
-            ret = getgrnam_r(fq_name, &grp, buf, buf_len, &grp_result);
+            /* according to the getpwnam() man page there are a couple of
+             * error codes which can indicate that the user was not found. To
+             * be on the safe side we fail back to the group lookup on all
+             * errors. */
+            ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
             if (ret != 0) {
-                ret = LDAP_NO_SUCH_OBJECT;
-                goto done;
-            }
-
-            if (grp_result == NULL) {
-                ret = LDAP_NO_SUCH_OBJECT;
+                if (ret == ENOMEM || ret == ERANGE) {
+                    ret = LDAP_OPERATIONS_ERROR;
+                } else {
+                    ret = LDAP_NO_SUCH_OBJECT;
+                }
                 goto done;
             }
 
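Review bot: The comment moved into the `else` branch still says the code falls back to the group lookup "on all errors", but the new `else if (ret == ENOMEM || ret == ERANGE)` branch above it now returns `LDAP_OPERATIONS_ERROR` without trying the group lookup. Reword the comment to say all other errors, and "fail back" should read "fall back".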
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
new file mode 100644
index 
0000000000000000000000000000000000000000..8d1b012871b21cc9d5ffdba2168f35ef3e8a5f81
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
@@ -0,0 +1,2 @@
+group:x:11111:member0001,member0002
+group_big:x:22222:member0001,member0002,member0003,member0004,member0005,member0006,member0007,member0008,member0009,member0010,member0011,member0012,member0013,member0014,member0015,member0016,member0017,member0018,member0019,member0020,member0021,member0022,member0023,member0024,member0025,member0026,member0027,member0028,member0029,member0030,member0031,member0032,member0033,member0034,member0035,member0036,member0037,member0038,member0039,member0040,member0041,member0042,member0043,member0044,member0045,member0046,member0047,member0048,member0049,member0050,member0051,member0052,member0053,member0054,member0055,member0056,member0057,member0058,member0059,member0060,member0061,member0062,member0063,member0064,member0065,member0066,member0067,member0068,member0069,member0070,member0071,member0072,member0073,member0074,member0075,member0076,member0077,member0078,member0079,member0080,member0081,member0082,member0083,member0084,member0085,member0086,member0087,member0088,member0089,member0090,member0091,member0092,member0093,member0094,member0095,member0096,member0097,member0098,member0099,member0100,member0101,member0102,member0103,member0104,member0105,member0106,member0107,member0108,member0109,member0110,member0111,member0112,member0113,member0114,member0115,member0116,member0117,member0118,member0119,member0120,member0121,member0122,member0123,member0124,member0125,member0126,member0127,member0128,member0129,member0130,member0131,member0132,member0133,member0134,member0135,member0136,member0137,member0138,member0139,member0140,member0141,member0142,member0143,member0144,member0145,member0146,member0147,member0148,member0149,member0150,member0151,member0152,member0153,member0154,member0155,member0156,member0157,member0158,member0159,member0160,member0161,member0162,member0163,member0164,member0165,member0166,member0167,member0168,member0169,member0170,member0171,member0172,member0173,member0174,member0175,member0176,member0177,member0178,member0179,member0180,m
ember0181,member0182,member0183,member0184,member0185,member0186,member0187,member0188,member0189,member0190,member0191,member0192,member0193,member0194,member0195,member0196,member0197,member0198,member0199,member0200,member0201,member0202,member0203,member0204,member0205,member0206,member0207,member0208,member0209,member0210,member0211,member0212,member0213,member0214,member0215,member0216,member0217,member0218,member0219,member0220,member0221,member0222,member0223,member0224,member0225,member0226,member0227,member0228,member0229,member0230,member0231,member0232,member0233,member0234,member0235,member0236,member0237,member0238,member0239,member0240,member0241,member0242,member0243,member0244,member0245,member0246,member0247,member0248,member0249,member0250,member0251,member0252,member0253,member0254,member0255,member0256,member0257,member0258,member0259,member0260,member0261,member0262,member0263,member0264,member0265,member0266,member0267,member0268,member0269,member0270,member0271,member0272,member0273,member0274,member0275,member0276,member0277,member0278,member0279,member0280,member0281,member0282,member0283,member0284,member0285,member0286,member0287,member0288,member0289,member0290,member0291,member0292,member0293,member0294,member0295,member0296,member0297,member0298,member0299,member0300,member0301,member0302,member0303,member0304,member0305,member0306,member0307,member0308,member0309,member0310,member0311,member0312,member0313,member0314,member0315,member0316,member0317,member0318,member0319,member0320,member0321,member0322,member0323,member0324,member0325,member0326,member0327,member0328,member0329,member0330,member0331,member0332,member0333,member0334,member0335,member0336,member0337,member0338,member0339,member0340,member0341,member0342,member0343,member0344,member0345,member0346,member0347,member0348,member0349,member0350,member0351,member0352,member0353,member0354,member0355,member0356,member0357,member0358,member0359,member0360,member0361,member0362
,member0363,member0364,member0365,member0366,member0367,member0368,member0369,member0370,member0371,member0372,member0373,member0374,member0375,member0376,member0377,member0378,member0379,member0380,member0381,member0382,member0383,member0384,member0385,member0386,member0387,member0388,member0389,member0390,member0391,member0392,member0393,member0394,member0395,member0396,member0397,member0398,member0399,member0400,member0401,member0402,member0403,member0404,member0405,member0406,member0407,member0408,member0409,member0410,member0411,member0412,member0413,member0414,member0415,member0416,member0417,member0418,member0419,member0420,member0421,member0422,member0423,member0424,member0425,member0426,member0427,member0428,member0429,member0430,member0431,member0432,member0433,member0434,member0435,member0436,member0437,member0438,member0439,member0440,member0441,member0442,member0443,member0444,member0445,member0446,member0447,member0448,member0449,member0450,member0451,member0452,member0453,member0454,member0455,member0456,member0457,member0458,member0459,member0460,member0461,member0462,member0463,member0464,member0465,member0466,member0467,member0468,member0469,member0470,member0471,member0472,member0473,member0474,member0475,member0476,member0477,member0478,member0479,member0480,member0481,member0482,member0483,member0484,member0485,member0486,member0487,member0488,member0489,member0490,member0491,member0492,member0493,member0494,member0495,member0496,member0497,member0498,member0499,member0500,member0501,member0502,member0503,member0504,member0505,member0506,member0507,member0508,member0509,member0510,member0511,member0512,member0513,member0514,member0515,member0516,member0517,member0518,member0519,member0520,member0521,member0522,member0523,member0524,member0525,member0526,member0527,member0528,member0529,member0530,member0531,member0532,member0533,member0534,member0535,member0536,member0537,member0538,member0539,member0540,member0541,member0542,member0543,member05
44,member0545,member0546,member0547,member0548,member0549,member0550,member0551,member0552,member0553,member0554,member0555,member0556,member0557,member0558,member0559,member0560,member0561,member0562,member0563,member0564,member0565,member0566,member0567,member0568,member0569,member0570,member0571,member0572,member0573,member0574,member0575,member0576,member0577,member0578,member0579,member0580,member0581,member0582,member0583,member0584,member0585,member0586,member0587,member0588,member0589,member0590,member0591,member0592,member0593,member0594,member0595,member0596,member0597,member0598,member0599,member0600,member0601,member0602,member0603,member0604,member0605,member0606,member0607,member0608,member0609,member0610,member0611,member0612,member0613,member0614,member0615,member0616,member0617,member0618,member0619,member0620,member0621,member0622,member0623,member0624,member0625,member0626,member0627,member0628,member0629,member0630,member0631,member0632,member0633,member0634,member0635,member0636,member0637,member0638,member0639,member0640,member0641,member0642,member0643,member0644,member0645,member0646,member0647,member0648,member0649,member0650,member0651,member0652,member0653,member0654,member0655,member0656,member0657,member0658,member0659,member0660,member0661,member0662,member0663,member0664,member0665,member0666,member0667,member0668,member0669,member0670,member0671,member0672,member0673,member0674,member0675,member0676,member0677,member0678,member0679,member0680,member0681,member0682,member0683,member0684,member0685,member0686,member0687,member0688,member0689,member0690,member0691,member0692,member0693,member0694,member0695,member0696,member0697,member0698,member0699,member0700,member0701,member0702,member0703,member0704,member0705,member0706,member0707,member0708,member0709,member0710,member0711,member0712,member0713,member0714,member0715,member0716,member0717,member0718,member0719,member0720,member0721,member0722,member0723,member0724,member0725,member
0726,member0727,member0728,member0729,member0730,member0731,member0732,member0733,member0734,member0735,member0736,member0737,member0738,member0739,member0740,member0741,member0742,member0743,member0744,member0745,member0746,member0747,member0748,member0749,member0750,member0751,member0752,member0753,member0754,member0755,member0756,member0757,member0758,member0759,member0760,member0761,member0762,member0763,member0764,member0765,member0766,member0767,member0768,member0769,member0770,member0771,member0772,member0773,member0774,member0775,member0776,member0777,member0778,member0779,member0780,member0781,member0782,member0783,member0784,member0785,member0786,member0787,member0788,member0789,member0790,member0791,member0792,member0793,member0794,member0795,member0796,member0797,member0798,member0799,member0800,member0801,member0802,member0803,member0804,member0805,member0806,member0807,member0808,member0809,member0810,member0811,member0812,member0813,member0814,member0815,member0816,member0817,member0818,member0819,member0820,member0821,member0822,member0823,member0824,member0825,member0826,member0827,member0828,member0829,member0830,member0831,member0832,member0833,member0834,member0835,member0836,member0837,member0838,member0839,member0840,member0841,member0842,member0843,member0844,member0845,member0846,member0847,member0848,member0849,member0850,member0851,member0852,member0853,member0854,member0855,member0856,member0857,member0858,member0859,member0860,member0861,member0862,member0863,member0864,member0865,member0866,member0867,member0868,member0869,member0870,member0871,member0872,member0873,member0874,member0875,member0876,member0877,member0878,member0879,member0880,member0881,member0882,member0883,member0884,member0885,member0886,member0887,member0888,member0889,member0890,member0891,member0892,member0893,member0894,member0895,member0896,member0897,member0898,member0899,member0900,member0901,member0902,member0903,member0904,member0905,member0906,member0907,memb
er0908,member0909,member0910,member0911,member0912,member0913,member0914,member0915,member0916,member0917,member0918,member0919,member0920,member0921,member0922,member0923,member0924,member0925,member0926,member0927,member0928,member0929,member0930,member0931,member0932,member0933,member0934,member0935,member0936,member0937,member0938,member0939,member0940,member0941,member0942,member0943,member0944,member0945,member0946,member0947,member0948,member0949,member0950,member0951,member0952,member0953,member0954,member0955,member0956,member0957,member0958,member0959,member0960,member0961,member0962,member0963,member0964,member0965,member0966,member0967,member0968,member0969,member0970,member0971,member0972,member0973,member0974,member0975,member0976,member0977,member0978,member0979,member0980,member0981,member0982,member0983,member0984,member0985,member0986,member0987,member0988,member0989,member0990,member0991,member0992,member0993,member0994,member0995,member0996,member0997,member0998,member0999,member1000,member1001,member1002,member1003,member1004,member1005,member1006,member1007,member1008,member1009,member1010,member1011,member1012,member1013,member1014,member1015,member1016,member1017,member1018,member1019,member1020,member1021,member1022,member1023,member1024,member1025,member1026,member1027,member1028,member1029,member1030,member1031,member1032,member1033,member1034,member1035,member1036,member1037,member1038,member1039,member1040,member1041,member1042,member1043,member1044,member1045,member1046,member1047,member1048,member1049,member1050,member1051,member1052,member1053,member1054,member1055,member1056,member1057,member1058,member1059,member1060,member1061,member1062,member1063,member1064,member1065,member1066,member1067,member1068,member1069,member1070,member1071,member1072,member1073,member1074,member1075,member1076,member1077,member1078,member1079,member1080,member1081,member1082,member1083,member1084,member1085,member1086,member1087,member1088,member1089,me
mber1090,member1091,member1092,member1093,member1094,member1095,member1096,member1097,member1098,member1099,member1100,member1101,member1102,member1103,member1104,member1105,member1106,member1107,member1108,member1109,member1110,member1111,member1112,member1113,member1114,member1115,member1116,member1117,member1118,member1119,member1120,member1121,member1122,member1123,member1124,member1125,member1126,member1127,member1128,member1129,member1130,member1131,member1132,member1133,member1134,member1135,member1136,member1137,member1138,member1139,member1140,member1141,member1142,member1143,member1144,member1145,member1146,member1147,member1148,member1149,member1150,member1151,member1152,member1153,member1154,member1155,member1156,member1157,member1158,member1159,member1160,member1161,member1162,member1163,member1164,member1165,member1166,member1167,member1168,member1169,member1170,member1171,member1172,member1173,member1174,member1175,member1176,member1177,member1178,member1179,member1180,member1181,member1182,member1183,member1184,member1185,member1186,member1187,member1188,member1189,member1190,member1191,member1192,member1193,member1194,member1195,member1196,member1197,member1198,member1199,member1200,member1201,member1202,member1203,member1204,member1205,member1206,member1207,member1208,member1209,member1210,member1211,member1212,member1213,member1214,member1215,member1216,member1217,member1218,member1219,member1220,member1221,member1222,member1223,member1224,member1225,member1226,member1227,member1228,member1229,member1230,member1231,member1232,member1233,member1234,member1235,member1236,member1237,member1238,member1239,member1240,member1241,member1242,member1243,member1244,member1245,member1246,member1247,member1248,member1249,member1250,member1251,member1252,member1253,member1254,member1255,member1256,member1257,member1258,member1259,member1260,member1261,member1262,member1263,member1264,member1265,member1266,member1267,member1268,member1269,member1270,member1271,
member1272,member1273,member1274,member1275,member1276,member1277,member1278,member1279,member1280,member1281,member1282,member1283,member1284,member1285,member1286,member1287,member1288,member1289,member1290,member1291,member1292,member1293,member1294,member1295,member1296,member1297,member1298,member1299,member1300,member1301,member1302,member1303,member1304,member1305,member1306,member1307,member1308,member1309,member1310,member1311,member1312,member1313,member1314,member1315,member1316,member1317,member1318,member1319,member1320,member1321,member1322,member1323,member1324,member1325,member1326,member1327,member1328,member1329,member1330,member1331,member1332,member1333,member1334,member1335,member1336,member1337,member1338,member1339,member1340,member1341,member1342,member1343,member1344,member1345,member1346,member1347,member1348,member1349,member1350,member1351,member1352,member1353,member1354,member1355,member1356,member1357,member1358,member1359,member1360,member1361,member1362,member1363,member1364,member1365,member1366,member1367,member1368,member1369,member1370,member1371,member1372,member1373,member1374,member1375,member1376,member1377,member1378,member1379,member1380,member1381,member1382,member1383,member1384,member1385,member1386,member1387,member1388,member1389,member1390,member1391,member1392,member1393,member1394,member1395,member1396,member1397,member1398,member1399,member1400,member1401,member1402,member1403,member1404,member1405,member1406,member1407,member1408,member1409,member1410,member1411,member1412,member1413,member1414,member1415,member1416,member1417,member1418,member1419,member1420,member1421,member1422,member1423,member1424,member1425,member1426,member1427,member1428,member1429,member1430,member1431,member1432,member1433,member1434,member1435,member1436,member1437,member1438,member1439,member1440,member1441,member1442,member1443,member1444,member1445,member1446,member1447,member1448,member1449,member1450,member1451,member1452,member145
3,member1454,member1455,member1456,member1457,member1458,member1459,member1460,member1461,member1462,member1463,member1464,member1465,member1466,member1467,member1468,member1469,member1470,member1471,member1472,member1473,member1474,member1475,member1476,member1477,member1478,member1479,member1480,member1481,member1482,member1483,member1484,member1485,member1486,member1487,member1488,member1489,member1490,member1491,member1492,member1493,member1494,member1495,member1496,member1497,member1498,member1499,member1500,member1501,member1502,member1503,member1504,member1505,member1506,member1507,member1508,member1509,member1510,member1511,member1512,member1513,member1514,member1515,member1516,member1517,member1518,member1519,member1520,member1521,member1522,member1523,member1524,member1525,member1526,member1527,member1528,member1529,member1530,member1531,member1532,member1533,member1534,member1535,member1536,member1537,member1538,member1539,member1540,member1541,member1542,member1543,member1544,member1545,member1546,member1547,member1548,member1549,member1550,member1551,member1552,member1553,member1554,member1555,member1556,member1557,member1558,member1559,member1560,member1561,member1562,member1563,member1564,member1565,member1566,member1567,member1568,member1569,member1570,member1571,member1572,member1573,member1574,member1575,member1576,member1577,member1578,member1579,member1580,member1581,member1582,member1583,member1584,member1585,member1586,member1587,member1588,member1589,member1590,member1591,member1592,member1593,member1594,member1595,member1596,member1597,member1598,member1599,member1600,member1601,member1602,member1603,member1604,member1605,member1606,member1607,member1608,member1609,member1610,member1611,member1612,member1613,member1614,member1615,member1616,member1617,member1618,member1619,member1620,member1621,member1622,member1623,member1624,member1625,member1626,member1627,member1628,member1629,member1630,member1631,member1632,member1633,member1634,member1
635,member1636,member1637,member1638,member1639,member1640,member1641,member1642,member1643,member1644,member1645,member1646,member1647,member1648,member1649,member1650,member1651,member1652,member1653,member1654,member1655,member1656,member1657,member1658,member1659,member1660,member1661,member1662,member1663,member1664,member1665,member1666,member1667,member1668,member1669,member1670,member1671,member1672,member1673,member1674,member1675,member1676,member1677,member1678,member1679,member1680,member1681,member1682,member1683,member1684,member1685,member1686,member1687,member1688,member1689,member1690,member1691,member1692,member1693,member1694,member1695,member1696,member1697,member1698,member1699,member1700,member1701,member1702,member1703,member1704,member1705,member1706,member1707,member1708,member1709,member1710,member1711,member1712,member1713,member1714,member1715,member1716,member1717,member1718,member1719,member1720,member1721,member1722,member1723,member1724,member1725,member1726,member1727,member1728,member1729,member1730,member1731,member1732,member1733,member1734,member1735,member1736,member1737,member1738,member1739,member1740,member1741,member1742,member1743,member1744,member1745,member1746,member1747,member1748,member1749,member1750,member1751,member1752,member1753,member1754,member1755,member1756,member1757,member1758,member1759,member1760,member1761,member1762,member1763,member1764,member1765,member1766,member1767,member1768,member1769,member1770,member1771,member1772,member1773,member1774,member1775,member1776,member1777,member1778,member1779,member1780,member1781,member1782,member1783,member1784,member1785,member1786,member1787,member1788,member1789,member1790,member1791,member1792,member1793,member1794,member1795,member1796,member1797,member1798,member1799,member1800,member1801,member1802,member1803,member1804,member1805,member1806,member1807,member1808,member1809,member1810,member1811,member1812,member1813,member1814,member1815,member1816,membe
r1817,member1818,member1819,member1820,member1821,member1822,member1823,member1824,member1825,member1826,member1827,member1828,member1829,member1830,member1831,member1832,member1833,member1834,member1835,member1836,member1837,member1838,member1839,member1840,member1841,member1842,member1843,member1844,member1845,member1846,member1847,member1848,member1849,member1850,member1851,member1852,member1853,member1854,member1855,member1856,member1857,member1858,member1859,member1860,member1861,member1862,member1863,member1864,member1865,member1866,member1867,member1868,member1869,member1870,member1871,member1872,member1873,member1874,member1875,member1876,member1877,member1878,member1879,member1880,member1881,member1882,member1883,member1884,member1885,member1886,member1887,member1888,member1889,member1890,member1891,member1892,member1893,member1894,member1895,member1896,member1897,member1898,member1899,member1900,member1901,member1902,member1903,member1904,member1905,member1906,member1907,member1908,member1909,member1910,member1911,member1912,member1913,member1914,member1915,member1916,member1917,member1918,member1919,member1920,member1921,member1922,member1923,member1924,member1925,member1926,member1927,member1928,member1929,member1930,member1931,member1932,member1933,member1934,member1935,member1936,member1937,member1938,member1939,member1940,member1941,member1942,member1943,member1944,member1945,member1946,member1947,member1948,member1949,member1950,member1951,member1952,member1953,member1954,member1955,member1956,member1957,member1958,member1959,member1960,member1961,member1962,member1963,member1964,member1965,member1966,member1967,member1968,member1969,member1970,member1971,member1972,member1973,member1974,member1975,member1976,member1977,member1978,member1979,member1980,member1981,member1982,member1983,member1984,member1985,member1986,member1987,member1988,member1989,member1990,member1991,member1992,member1993,member1994,member1995,member1996,member1997,member1998,mem
ber1999,member2000,
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
new file mode 100644
index 
0000000000000000000000000000000000000000..971e9bdb8a5d43d915ce0adc42ac29f2f95ade52
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
@@ -0,0 +1,2 @@
+user:x:12345:23456:gecos:/home/user:/bin/shell
+user_big:x:12346:23457::/home/user_big:/bin/shell
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh
new file mode 100644
index 
0000000000000000000000000000000000000000..ad839f340efe989a91cd6902f59c9a41483f68e0
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh
@@ -0,0 +1,3 @@
+export LD_PRELOAD=$(pkg-config --libs nss_wrapper)
+export NSS_WRAPPER_PASSWD=./test_data/passwd
+export NSS_WRAPPER_GROUP=./test_data/group
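Review bot: test_setup.sh never checks that `pkg-config --libs nss_wrapper` returned anything, so on a host without nss_wrapper LD_PRELOAD is exported empty and the tests resolve users and groups through the real system NSS sources instead of test_data. Fail early when the command yields nothing. The `./test_data/passwd` and `./test_data/group` paths also only resolve when the file is sourced from the plugin directory; deriving them from the script's own location would remove that dependency.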
-- 
2.1.0

From 5048f230deb4ff93b04a459ed7dd6216233ee0d8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 2 Mar 2015 10:59:34 +0100
Subject: [PATCH 136/136] extdom: make nss buffer configurable

The get*_r_wrapper() calls expect a maximum buffer size to avoid memory
shortage if too many threads try to allocate buffers e.g. for large
groups. With this patch this size can be configured by setting
ipaExtdomMaxNssBufSize in the plugin config object
cn=ipa_extdom_extop,cn=plugins,cn=config.

Related to https://fedorahosted.org/freeipa/ticket/4908
---
 .../ipa-extdom-extop/ipa_extdom.h                  |  1 +
 .../ipa-extdom-extop/ipa_extdom_common.c           | 59 ++++++++++++++--------
 .../ipa-extdom-extop/ipa_extdom_extop.c            | 10 ++++
 3 files changed, 48 insertions(+), 22 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 
40bf933920fdd2ca19e5ef195aaa8fb820446cc5..d4c851169ddadc869a59c53075f9fc7f33321085
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -150,6 +150,7 @@ struct extdom_res {
 struct ipa_extdom_ctx {
     Slapi_ComponentId *plugin_id;
     char *base_dn;
+    size_t max_nss_buf_size;
 };
 
 struct domain_info {
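Review bot: max_nss_buf_size is added to struct ipa_extdom_ctx without a comment. State that it is a byte count, that it is the upper limit handed to the get*_r_wrapper() calls, and that it comes from ipaExtdomMaxNssBufSize, so later users of the struct do not need the commit message to interpret it.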
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 
cbe336963ffbafadd5a7b8029a65fafe506f75e8..47bcb179f04e08c64d92f55809b84f2d59622344
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -49,9 +49,6 @@
 
 #define MAX(a,b) (((a)>(b))?(a):(b))
 #define SSSD_DOMAIN_SEPARATOR '@'
-#define MAX_BUF (1024*1024*1024)
-
-
 
 int get_buffer(size_t *_buf_len, char **_buf)
 {
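Review bot: dropping `#define MAX_BUF (1024*1024*1024)` here also changes the effective limit, because the replacement default in ipa_extdom_extop.c is `(128*1024*1024)`. The commit message only says the size becomes configurable; it should also state that the default cap goes from 1 GiB to 128 MiB, since a deployment with very large groups that worked before may now fail until ipaExtdomMaxNssBufSize is raised.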
@@ -464,7 +461,8 @@ static int pack_ber_sid(const char *sid, struct berval 
**berval)
 
 #define SSSD_SYSDB_SID_STR "objectSIDString"
 
-static int pack_ber_user(enum response_types response_type,
+static int pack_ber_user(struct ipa_extdom_ctx *ctx,
+                         enum response_types response_type,
                          const char *domain_name, const char *user_name,
                          uid_t uid, gid_t gid,
                          const char *gecos, const char *homedir,
@@ -529,7 +527,8 @@ static int pack_ber_user(enum response_types response_type,
         }
 
         for (c = 0; c < ngroups; c++) {
-            ret = getgrgid_r_wrapper(MAX_BUF, groups[c], &grp, &buf, &buf_len);
+            ret = getgrgid_r_wrapper(ctx->max_nss_buf_size,
+                                     groups[c], &grp, &buf, &buf_len);
             if (ret != 0) {
                 if (ret == ENOMEM || ret == ERANGE) {
                     ret = LDAP_OPERATIONS_ERROR;
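Review bot: in the error branch after `getgrgid_r_wrapper(ctx->max_nss_buf_size, ...)`, ENOMEM and ERANGE are still folded into the same LDAP_OPERATIONS_ERROR with no log line. Now that the limit is an administrator setting, the ERANGE case (assuming that is what the wrapper returns once the limit is reached) should log that the configured maximum was hit and name ipaExtdomMaxNssBufSize, otherwise there is nothing telling the admin which knob to turn. The same applies to the other get*_r_wrapper() call sites changed in this file.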
@@ -691,7 +690,8 @@ static int pack_ber_name(const char *domain_name, const 
char *name,
     return LDAP_SUCCESS;
 }
 
-static int handle_uid_request(enum request_types request_type, uid_t uid,
+static int handle_uid_request(struct ipa_extdom_ctx *ctx,
+                              enum request_types request_type, uid_t uid,
                               const char *domain_name, struct berval **berval)
 {
     int ret;
@@ -721,7 +721,8 @@ static int handle_uid_request(enum request_types 
request_type, uid_t uid,
 
         ret = pack_ber_sid(sid_str, berval);
     } else {
-        ret = getpwuid_r_wrapper(MAX_BUF, uid, &pwd, &buf, &buf_len);
+        ret = getpwuid_r_wrapper(ctx->max_nss_buf_size, uid, &pwd, &buf,
+                                 &buf_len);
         if (ret != 0) {
             if (ret == ENOMEM || ret == ERANGE) {
                 ret = LDAP_OPERATIONS_ERROR;
@@ -744,7 +745,8 @@ static int handle_uid_request(enum request_types 
request_type, uid_t uid,
             }
         }
 
-        ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
+        ret = pack_ber_user(ctx,
+                            (request_type == REQ_FULL ? RESP_USER
                                                       : RESP_USER_GROUPLIST),
                             domain_name, pwd.pw_name, pwd.pw_uid,
                             pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
@@ -758,7 +760,8 @@ done:
     return ret;
 }
 
-static int handle_gid_request(enum request_types request_type, gid_t gid,
+static int handle_gid_request(struct ipa_extdom_ctx *ctx,
+                              enum request_types request_type, gid_t gid,
                               const char *domain_name, struct berval **berval)
 {
     int ret;
@@ -787,7 +790,8 @@ static int handle_gid_request(enum request_types 
request_type, gid_t gid,
 
         ret = pack_ber_sid(sid_str, berval);
     } else {
-        ret = getgrgid_r_wrapper(MAX_BUF, gid, &grp, &buf, &buf_len);
+        ret = getgrgid_r_wrapper(ctx->max_nss_buf_size, gid, &grp, &buf,
+                                 &buf_len);
         if (ret != 0) {
             if (ret == ENOMEM || ret == ERANGE) {
                 ret = LDAP_OPERATIONS_ERROR;
@@ -823,7 +827,8 @@ done:
     return ret;
 }
 
-static int handle_sid_request(enum request_types request_type, const char *sid,
+static int handle_sid_request(struct ipa_extdom_ctx *ctx,
+                              enum request_types request_type, const char *sid,
                               struct berval **berval)
 {
     int ret;
@@ -874,7 +879,8 @@ static int handle_sid_request(enum request_types 
request_type, const char *sid,
     switch(id_type) {
     case SSS_ID_TYPE_UID:
     case SSS_ID_TYPE_BOTH:
-        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
+        ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf,
+                                 &buf_len);
         if (ret != 0) {
             if (ret == ENOMEM || ret == ERANGE) {
                 ret = LDAP_OPERATIONS_ERROR;
@@ -897,14 +903,16 @@ static int handle_sid_request(enum request_types 
request_type, const char *sid,
             }
         }
 
-        ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
+        ret = pack_ber_user(ctx,
+                            (request_type == REQ_FULL ? RESP_USER
                                                       : RESP_USER_GROUPLIST),
                             domain_name, pwd.pw_name, pwd.pw_uid,
                             pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
                             pwd.pw_shell, kv_list, berval);
         break;
     case SSS_ID_TYPE_GID:
-        ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
+        ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, &buf,
+                                 &buf_len);
         if (ret != 0) {
             if (ret == ENOMEM || ret == ERANGE) {
                 ret = LDAP_OPERATIONS_ERROR;
@@ -947,7 +955,8 @@ done:
     return ret;
 }
 
-static int handle_name_request(enum request_types request_type,
+static int handle_name_request(struct ipa_extdom_ctx *ctx,
+                               enum request_types request_type,
                                const char *name, const char *domain_name,
                                struct berval **berval)
 {
@@ -988,7 +997,8 @@ static int handle_name_request(enum request_types 
request_type,
             goto done;
         }
 
-        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
+        ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf,
+                                 &buf_len);
         if (ret == 0) {
             if (request_type == REQ_FULL_WITH_GROUPS) {
                 ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
@@ -1002,7 +1012,8 @@ static int handle_name_request(enum request_types 
request_type,
                     goto done;
                 }
             }
-            ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
+            ret = pack_ber_user(ctx,
+                                (request_type == REQ_FULL ? RESP_USER
                                                           : 
RESP_USER_GROUPLIST),
                                 domain_name, pwd.pw_name, pwd.pw_uid,
                                 pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
@@ -1015,7 +1026,8 @@ static int handle_name_request(enum request_types 
request_type,
              * error codes which can indicate that the user was not found. To
              * be on the safe side we fail back to the group lookup on all
              * errors. */
-            ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
+            ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, 
&buf,
+                                     &buf_len);
             if (ret != 0) {
                 if (ret == ENOMEM || ret == ERANGE) {
                     ret = LDAP_OPERATIONS_ERROR;
@@ -1061,20 +1073,23 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct 
extdom_req *req,
 
     switch (req->input_type) {
     case INP_POSIX_UID:
-        ret = handle_uid_request(req->request_type, req->data.posix_uid.uid,
+        ret = handle_uid_request(ctx, req->request_type,
+                                 req->data.posix_uid.uid,
                                  req->data.posix_uid.domain_name, berval);
 
         break;
     case INP_POSIX_GID:
-        ret = handle_gid_request(req->request_type, req->data.posix_gid.gid,
+        ret = handle_gid_request(ctx, req->request_type,
+                                 req->data.posix_gid.gid,
                                  req->data.posix_uid.domain_name, berval);
 
         break;
     case INP_SID:
-        ret = handle_sid_request(req->request_type, req->data.sid, berval);
+        ret = handle_sid_request(ctx, req->request_type, req->data.sid, 
berval);
         break;
     case INP_NAME:
-        ret = handle_name_request(req->request_type, 
req->data.name.object_name,
+        ret = handle_name_request(ctx, req->request_type,
+                                  req->data.name.object_name,
                                   req->data.name.domain_name, berval);
 
         break;
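Review bot: in the INP_POSIX_GID case the unchanged context line still passes `req->data.posix_uid.domain_name` to handle_gid_request(), while the gid itself is read from `req->data.posix_gid.gid`. Since this patch rewrites that call anyway, switch the domain argument to `req->data.posix_gid.domain_name` so the branch does not rely on the two members sharing a layout.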
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
index 
aa66c145bc6cf2b77fdfe37be18da67588dc0439..e53f968db040a37fbd6a193f87b3671eeabda89d
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
@@ -40,6 +40,8 @@
 #include "ipa_extdom.h"
 #include "util.h"
 
+#define DEFAULT_MAX_NSS_BUFFER (128*1024*1024)
+
 Slapi_PluginDesc ipa_extdom_plugin_desc = {
     IPA_EXTDOM_FEATURE_DESC,
     "FreeIPA project",
@@ -185,6 +187,14 @@ static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct 
ipa_extdom_ctx **_ctx)
         goto done;
     }
 
+    ctx->max_nss_buf_size = slapi_entry_attr_get_uint(e,
+                                                      
"ipaExtdomMaxNssBufSize");
+    if (ctx->max_nss_buf_size == 0) {
+        ctx->max_nss_buf_size = DEFAULT_MAX_NSS_BUFFER;
+    }
+    LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
+
+    ret = 0;
 
 done:
     if (ret) {
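Review bot: the LOG call prints `ctx->max_nss_buf_size`, a size_t, with `%d`; use `%zu` (or cast to match the format), since the two differ in width on 64-bit builds. The value is also taken from slapi_entry_attr_get_uint() without any sanity check: 0 is treated as "not set", but any other small value is accepted as is, which would make every lookup that needs a larger buffer fail. Consider rejecting, or at least warning about, values below the initial size chosen in get_buffer().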
-- 
2.1.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
