On 11/12/2012 4:12 AM, Jakub Hrozek wrote:

Thank you for the contribution! I will take a look at the patch. Can
you just send the patch as output of git format-patch in the future?
It's easier for us to handle that way.

As per the documentation and the configAPI -- you can either let us

Sorry; the diff was just a quickie to get some initial feedback. I've
attached a patch that should include everything except possible changes
to cache handling.

Yes, that's my understanding, too. I think the way the code is built
now would treat the attributes as missing and delete them during a
getgrnam or getgrgid call.
[...]
The SSSD always retrieves initgroups data during an authentication
request that comes through the PAM stack for exactly the reason you
cited. For lookups that only occur through the name-service-switch
module, the SSSD caches the data for entry_cache_user_timeout by
default.

I'm not completely clear on what you mean about retrieving initgroups
data via the PAM stack. My understanding is that the supplementary
groups are set via the initgroups(3) call, which uses nss to look up
what groups a particular user belongs to and then calls setgroups to set
them. Or are you talking about access control in the pam stack provided for example by simple_allow_groups/simple_deny_groups?

So maybe the code could be modified to read the existing group
memberships and fake the results it got from LDAP to also include
these memberships?

Hmm, look up the current cached groups and spoof them in the response so the cache handling code won't delete them? That sounds a bit kludgy :). The mechanism mentioned in the original ticket of having the cache update code only activate for initgroups lookups and not getgr lookups seems cleaner.

I guess I need to dig a bit deeper in the code and try to understand the scenario where not adding this additional cache handling exception will cause a problem. With the new option enabled, it would seem the only time group membership is relevant is for initgroups() calls.

Hmm, okay, I found an anomaly:

# id -a henson
uid=1000(henson) gid=1000(henson) groups=1000(henson),1866(cppnet-admin),1402(iit),3285(iit_staff),14988(iit_operations),18445(nt-mgr),22212(iit_ex_spam_out-admin),1865(cppnet),1020(intranet),14528(iit_systems),17730(unxadmin),21016(eoc_essential),23306(iit_vmware_admin),23380(netadmin),1406(staff),15379(noc),23358(employees),23359(members),19289(idm_sysadmin),19295(idm_restricted),19317(iit_systems_staff),20795(campus_techs),23668(iit_ops_systems)

# id -a henson
uid=1000(henson) gid=1000(henson) groups=1000(henson)

With the new option enabled, the first time I do an 'id -a', it lists all of my groups; the next time (and subsequent times), they're gone 8-/. Presumably the getgr lookups of each individual group after my group list was obtained wiped out the memberships as warned about in the ticket.

I'll see about fixing it up so this doesn't happen.

Thanks
From 35a9682c10c490d021dbc6b4b509d232a7119d87 Mon Sep 17 00:00:00 2001
From: "Paul B. Henson" <hen...@acm.org>
Date: Tue, 13 Nov 2012 03:31:43 -0800
Subject: [PATCH] Add ignore_group_members option.

---
 src/confdb/confdb.c                  |  7 +++++++
 src/confdb/confdb.h                  |  2 ++
 src/config/SSSDConfig/__init__.py.in |  1 +
 src/config/etc/sssd.api.conf         |  1 +
 src/man/sssd.conf.5.xml              | 17 +++++++++++++++++
 src/providers/ldap/ldap_id.c         |  8 +++++++-
 src/responder/nss/nsssrv_cmd.c       | 33 +++++++++++++++++----------------
 7 files changed, 52 insertions(+), 17 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 13035a4..f097f63 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -894,6 +894,13 @@ static int confdb_get_domain_internal(struct confdb_ctx 
*cdb,
         goto done;
     }
 
+    ret = get_entry_as_bool(res->msgs[0], &domain->ignore_group_members,
+                            CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS, 0);
+    if(ret != EOK) {
+        DEBUG(0, ("Invalid value for %s\n", 
CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS));
+        goto done;
+    }
+
     ret = get_entry_as_uint32(res->msgs[0], &domain->id_min,
                               CONFDB_DOMAIN_MINID,
                               confdb_get_min_id(domain));
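Review bot: `if(ret != EOK) {` in the new block is missing the space after `if` that the surrounding code uses (`if (ret != EOK)`); write `if (ret != EOK) {`. The option is also parsed for every domain here while the only provider-side consumer in this patch is ldap_id.c, so a domain with another id_provider can set it and silently get only the responder half of the behaviour; either document that (see the man page hunk) or have the provider that does not honour it log a warning when the value is true.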
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 88e80c1..eb16d01 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -162,6 +162,7 @@
 #define CONFDB_DOMAIN_CASE_SENSITIVE "case_sensitive"
 #define CONFDB_DOMAIN_SUBDOMAIN_HOMEDIR "subdomain_homedir"
 #define CONFDB_DOMAIN_DEFAULT_SUBDOMAIN_HOMEDIR "/home/%d/%u"
+#define CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS "ignore_group_members"
 
 #define CONFDB_DOMAIN_USER_CACHE_TIMEOUT "entry_cache_user_timeout"
 #define CONFDB_DOMAIN_GROUP_CACHE_TIMEOUT "entry_cache_group_timeout"
@@ -200,6 +201,7 @@ struct sss_domain_info {
     int timeout;
     bool enumerate;
     bool fqnames;
+    bool ignore_group_members;
     uint32_t id_min;
     uint32_t id_max;
 
diff --git a/src/config/SSSDConfig/__init__.py.in 
b/src/config/SSSDConfig/__init__.py.in
index 9bd6995..fd54c7b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -111,6 +111,7 @@ option_strings = {
     'cache_credentials' : _('Cache credentials for offline login'),
     'store_legacy_passwords' : _('Store password hashes'),
     'use_fully_qualified_names' : _('Display users/groups in fully-qualified 
form'),
+    'ignore_group_members' : _('Don\'t include group members in group 
lookups'),
     'entry_cache_timeout' : _('Entry cache timeout length (seconds)'),
     'lookup_family_order' : _('Restrict or prefer a specific address family 
when performing DNS lookups'),
     'account_cache_expiration' : _('How long to keep cached entries after last 
successful login (days)'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 48fe7eb..3ed9d58 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -97,6 +97,7 @@ force_timeout = int, None, false
 cache_credentials = bool, None, false
 store_legacy_passwords = bool, None, false
 use_fully_qualified_names = bool, None, false
+ignore_group_members = bool, None, false
 entry_cache_timeout = int, None, false
 lookup_family_order = str, None, false
 account_cache_expiration = int, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 33d99c7..985397d 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1203,6 +1203,23 @@ override_homedir = /home/%u
                     </listitem>
                 </varlistentry>
                 <varlistentry>
+                    <term>ignore_group_members (bool)</term>
+                    <listitem>
+                        <para>
+                            Do not return group members for group lookups.
+                        </para>
+                        <para>
+                            If set to TRUE, the group membership attribute
+                            is not requested from the ldap server, and
+                            group members are not returned when processing
+                            group lookup calls.
+                        </para>
+                        <para>
+                            Default: FALSE
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
                     <term>auth_provider (string)</term>
                     <listitem>
                         <para>
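Review bot: the description should say which provider honours the option and warn about the cache interaction. Only ldap_id.c is changed in this patch, so "the group membership attribute is not requested from the ldap server" should read "is not requested from the LDAP server by the LDAP provider" (and LDAP in capitals). It should also mention what is reported above: memberships obtained through the initgroups path can be lost when a later getgrnam/getgrgid lookup for the same group arrives without member data, so until that is handled `id` can show only the primary group on the second call.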
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index b8520df..7e7f630 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -340,6 +340,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
     enum idmap_error_code err;
     char *sid;
     bool use_id_mapping = dp_opt_get_bool(ctx->opts->basic, SDAP_ID_MAPPING);
+    char *member_filter[2];
 
     req = tevent_req_create(memctx, &state, struct groups_get_state);
     if (!req) return NULL;
@@ -438,9 +439,14 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
         goto fail;
     }
 
+    member_filter[0] = ctx->opts->group_map[SDAP_AT_GROUP_MEMBER].name;
+    member_filter[1] = NULL;
+
     /* TODO: handle attrs_type */
     ret = build_attrs_from_map(state, ctx->opts->group_map, SDAP_OPTS_GROUP,
-                               NULL, &state->attrs, NULL);
+                               state->domain->ignore_group_members ?
+                               member_filter : NULL, &state->attrs, NULL);
+
     if (ret != EOK) goto fail;
 
     ret = groups_get_retry(req);
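Review bot: this hunk only stops requesting the member attribute in groups_get_send; nothing in the patch changes how the result is saved to the cache, so a group fetched this way is stored without members and overwrites the memberships the initgroups path had saved, which matches the second `id -a` above showing only the primary group. Either skip the member/ghost update in the save path when the attribute was deliberately not requested, or, as the ticket suggests, restrict the filtering to lookups that are not part of an initgroups request. Also, the blank line added after the build_attrs_from_map() call, just before `if (ret != EOK) goto fail;`, is an unrelated whitespace change and should be dropped.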
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 036e88f..1182532 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -2035,24 +2035,25 @@ static int fill_grent(struct sss_packet *packet,
                                             pwfield.str, pwfield.len);
 
         memnum = 0;
-        el = ldb_msg_find_element(msg, SYSDB_MEMBERUID);
-        if (el) {
-            ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, &memnum);
-            if (ret != EOK) {
-                num = 0;
-                goto done;
+       if (!dom->ignore_group_members) {
+            el = ldb_msg_find_element(msg, SYSDB_MEMBERUID);
+            if (el) {
+                ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, 
&memnum);
+                if (ret != EOK) {
+                    num = 0;
+                    goto done;
+                }
+                sss_packet_get_body(packet, &body, &blen);
             }
-            sss_packet_get_body(packet, &body, &blen);
-        }
-
-        el = ldb_msg_find_element(msg, SYSDB_GHOST);
-        if (el) {
-            ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, &memnum);
-            if (ret != EOK) {
-                num = 0;
-                goto done;
+            el = ldb_msg_find_element(msg, SYSDB_GHOST);
+            if (el) {
+                ret = fill_members(packet, dom, nctx, el, &rzero, &rsize, 
&memnum);
+                if (ret != EOK) {
+                    num = 0;
+                    goto done;
+                }
+                sss_packet_get_body(packet, &body, &blen);
             }
-            sss_packet_get_body(packet, &body, &blen);
         }
         if (memnum) {
             /* set num of members */
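Review bot: the new `if (!dom->ignore_group_members) {` is indented with seven spaces while the block it wraps and the `if (memnum) {` after it use eight; realign it. The check itself is reasonable as a belt-and-braces measure, since SYSDB_MEMBERUID and SYSDB_GHOST can still be present in the cache from the initgroups path, but it only hides members in the getgr reply; it does nothing about the cache update that removes them, so this hunk and the ldap_id.c change need to be considered together rather than as two independent halves of the feature.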
-- 
1.7.11.7

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
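Two points in the thread lend themselves to a quick check script: the distinction between the initgroups(3) path (`id -G`, `id -a`) and the getgrnam(3)/getgrgid(3) path (`getent group`), and the anomaly where the second `id -a` lost every supplementary group. The script below is an added example, not code from the thread or from SSSD. It assumes only `id`, `getent`, `awk` and the standard text utilities; the group line it parses in the test is constructed, not taken from any real directory. The user name and gids are whatever you pass on the command line.

```sh
#!/bin/sh
# Added example (not from the thread or SSSD). `id -G` obtains supplementary
# groups through initgroups(3); `getent group <gid>` goes through getgrgid(3).
# With ignore_group_members enabled the first should still list every group
# while the second should show no members, and the first must give the same
# answer on repeated calls (the `id -a` anomaly reported above).

# Supplementary gids for a user via the initgroups path, one per line, sorted.
# Prints nothing for an unknown user.
initgroups_gids() {
    id -G "$1" 2>/dev/null | tr ' ' '\n' | sort -n
}

# Reads group(5)-format lines on stdin and prints the gid of every group whose
# gr_mem field names the user. Kept separate from getent so it can be fed
# constructed lines as well as real lookups.
groups_naming_user() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $3; break }
    }'
}

# getgr path: look up each gid individually, which mirrors what `id -a` does
# once it has the gid list, and report which groups still list the user as a
# member. Per-gid lookups avoid `getent group` enumeration, which SSSD only
# answers when enumerate = true.
getgr_gids_naming_user() {
    user=$1; shift
    for gid in "$@"; do
        getent group "$gid" 2>/dev/null
    done | groups_naming_user "$user"
}

# The anomaly from the thread: two consecutive initgroups lookups must agree.
# Returns 0 if stable, 1 if the list changed, 2 if the user is unknown.
initgroups_stable() {
    first=$(initgroups_gids "$1")
    [ -n "$first" ] || return 2
    second=$(initgroups_gids "$1")
    [ "$first" = "$second" ]
}

report() {
    user=$1
    gids=$(initgroups_gids "$user")
    if [ -z "$gids" ]; then
        echo "unknown user: $user" >&2
        return 2
    fi
    printf 'initgroups path: %s\n' "$(echo $gids)"
    printf 'getgr path, groups naming %s in gr_mem: %s\n' "$user" \
        "$(echo $(getgr_gids_naming_user "$user" $gids))"
    if initgroups_stable "$user"; then
        echo "initgroups result stable across two calls"
    else
        echo "initgroups result CHANGED between calls (cache wiped memberships?)"
        return 1
    fi
}

if [ $# -eq 1 ]; then
    report "$1"
fi
```

Run it as `sh check_groups.sh henson` on a client with the option enabled: the expected picture is a full gid list on the first line, an empty list on the second (no getgr reply names the user), and "stable across two calls". A "CHANGED" result reproduces the problem described above; a non-empty second line means the responder is still returning members for that group.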
