The branch, master has been updated
       via  b6eb17e... s4:auth/sam.c - "authsam_expand_nested_groups" - small 
performance improvement
       via  a782eaa... s4:auth/sam.c - "authsam_expand_nested_groups" - 
cosmetic/comments
       via  03ffed7... s4:auth/sam.c - "authsam_expand_nested_groups" - use 
"dsdb_search_dn" where possible
      from  5f9a053... selftest: Remove accidentally committed dummy test.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b6eb17eb1eb23461149b6c8cbefc41f5265a77d9
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Mon Jun 28 20:26:16 2010 +0200

    s4:auth/sam.c - "authsam_expand_nested_groups" - small performance 
improvement
    
    We can save one search operation if "only_childs" is false and no SID was
    passed as an extended DN component.

commit a782eaa2fd6f9b7e7b1ebdab0e0b53e4123cca43
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Mon Jun 28 20:25:47 2010 +0200

    s4:auth/sam.c - "authsam_expand_nested_groups" - cosmetic/comments

commit 03ffed73db41e9433ddc41a6fddf79c2a632a043
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Mon Jun 28 19:57:12 2010 +0200

    s4:auth/sam.c - "authsam_expand_nested_groups" - use "dsdb_search_dn" where 
possible
    
    And always catch LDB errors

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/sam.c |   40 +++++++++++++++++++++++++++-------------
 1 files changed, 27 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index b0fc9ca..d0487ce 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -279,16 +279,16 @@ static bool sids_contains_sid(const struct dom_sid **sids,
 
 
 /*
- * This function generates the transitive closure of a given SID "sid" (it
- * basically expands nested groups of a SID).
- * If the SID isn't located in the "res_sids" structure yet and the
- * "only_childs" flag is negative, we add it to "res_sids".
+ * This function generates the transitive closure of a given SAM object 
"dn_val"
+ * (it basically expands nested memberships).
+ * If the object isn't located in the "res_sids" structure yet and the
+ * "only_childs" flag is false, we add it to "res_sids".
  * Then we've always to consider the "memberOf" attributes. We invoke the
- * function recursively on each item of it with the "only_childs" flag set to
+ * function recursively on each of it with the "only_childs" flag set to
  * "false".
- * The "only_childs" flag is particularly useful if you have a user SID and
- * want to include all his groups (referenced with "memberOf") without his SID
- * itself, or considering if that SID matches the filter
+ * The "only_childs" flag is particularly useful if you have a user object and
+ * want to include all it's groups (referenced with "memberOf") but not itself
+ * or considering if that object matches the filter.
  *
  * At the beginning "res_sids" should reference to a NULL pointer.
  */
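Review bot: The last sentence of the rewritten header comment ("but not itself or considering if that object matches the filter") leaves the `only_childs` contract ambiguous, and it should be exact because this function expands group memberships. Judging by the later hunks, the `only_childs` path looks the object up without `filter` while the other path applies it, so the comment could say `With "only_childs" set, the object itself is neither added to "res_sids" nor checked against the filter.` The rewrite also introduced two wording slips: `all it's groups` should be `all its groups`, and `on each of it` lost its noun (`on each item of it`).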
@@ -304,7 +304,7 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context 
*sam_ctx,
        struct ldb_dn *dn;
        struct dom_sid sid;
        TALLOC_CTX *tmp_ctx;
-       struct ldb_result *res;
+       struct ldb_result *res = NULL;
        NTSTATUS status;
        const struct ldb_message_element *el;
 
@@ -320,15 +320,22 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context 
*sam_ctx,
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        }
 
+       /* We expect an extended DN with the SID included but we can fallback
+        * to search the extended components if they weren't provided. */
        status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
        if (!NT_STATUS_IS_OK(status)) {
-               ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, 
attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
+               ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
+                                    DSDB_SEARCH_SHOW_EXTENDED_DN);
+               if (ret != LDB_SUCCESS) {
+                       talloc_free(tmp_ctx);
+                       return NT_STATUS_INTERNAL_DB_CORRUPTION;
+               }
                dn = res->msgs[0]->dn;
                status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
        }
 
        if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(0, (__location__ ": when parsing DN %s we failed to find 
or parse SID component, so we cannot calculate the group token: %s\n",
+               DEBUG(0, (__location__ ": when parsing DN %s we failed to find 
or SID component, so we cannot calculate the group token: %s\n",
                          ldb_dn_get_extended_linearized(tmp_ctx, dn, 1), 
                          nt_errstr(status)));
                talloc_free(tmp_ctx);
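Review bot: The DEBUG text on the changed line now reads `failed to find or SID component`; the word `parse` was dropped, so the log line explaining why a group token could not be calculated no longer makes sense and should go back to `failed to find or parse SID component`. Separately, the new `if (ret != LDB_SUCCESS)` return reports every failure of the fallback lookup, including `LDB_ERR_NO_SUCH_OBJECT`, as `NT_STATUS_INTERNAL_DB_CORRUPTION`, while the context of the last hunk shows a dedicated `ret == LDB_ERR_NO_SUCH_OBJECT` branch after the later search. What that branch returns is outside the diff, but the two paths probably should treat a missing object the same way. `res->msgs[0]` is also read without checking `res->count`, which is safe only if `dsdb_search_dn` guarantees exactly one message on success; a one-line comment stating that assumption would help, and note that the function body starts and ends outside this hunk.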
@@ -336,7 +343,12 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context 
*sam_ctx,
        }
 
        if (only_childs) {
-               ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, 
attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
+               /* If we didn't get the SID as extended DN then we already have
+                * performed exactly this search. */
+               if (res == NULL) {
+                       ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
+                                            DSDB_SEARCH_SHOW_EXTENDED_DN);
+               }
        } else {
                /* This is an O(n^2) linear search */
                already_there = sids_contains_sid((const struct dom_sid**) 
*res_sids,
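Review bot: The reuse in the `only_childs` branch depends on two facts set up in other hunks and not stated here: `res` is non-NULL only when the fallback `dsdb_search_dn` succeeded, and `ret` still holds `LDB_SUCCESS` from that call when the search is skipped. I would extend the new comment to say so, e.g. `/* res != NULL means the fallback lookup above already ran this search successfully; ret is still LDB_SUCCESS from it. */`, so that a later edit between the two sites does not leave a stale `ret` or `res` feeding the membership expansion. The commit description says the saving applies when "only_childs" is false, but the skip sits in the `if (only_childs)` branch; one of the two should be corrected. The hunk ends in the middle of the `sids_contains_sid` call.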
@@ -345,7 +357,9 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context 
*sam_ctx,
                        return NT_STATUS_OK;
                }
 
-               ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, 
attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s", filter);
+               ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
+                                 attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s",
+                                 filter);
        }
 
        if (ret == LDB_ERR_NO_SUCH_OBJECT) {


-- 
Samba Shared Repository
