authorArthur de Jong <arthur@arthurdejong.org>2013-03-24 19:59:34 +0100
committerArthur de Jong <arthur@arthurdejong.org>2013-03-24 22:48:13 +0100
commitb1b7648169d0f3b3c88dea3e6642422a29ad373c (patch)
tree21a74b6cbf580e71683ea810c897dd7e8b231a8e /nslcd
parentd6a6e8b436fc2b3aabc8a6edd62ad60bd70e0c4c (diff)
Implement a nss_nested_groups configuration option
This option can be used in both nslcd and pynslcd to enable recursive group member lookups. By default the functionality is disabled. This also updates the documentation.
Diffstat (limited to 'nslcd')
-rw-r--r--nslcd/cfg.c7
-rw-r--r--nslcd/cfg.h1
-rw-r--r--nslcd/group.c30
3 files changed, 26 insertions, 12 deletions
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index c2b9674..056b6e2 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -1089,6 +1089,7 @@ static void cfg_defaults(struct ldap_config *cfg)
cfg->pagesize = 0;
cfg->nss_initgroups_ignoreusers = NULL;
cfg->nss_min_uid = 0;
+ cfg->nss_nested_groups = 0;
cfg->validnames_str = NULL;
handle_validnames(__FILE__, __LINE__, "",
"/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",
@@ -1408,6 +1409,11 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
cfg->nss_min_uid = get_int(filename, lnr, keyword, &line);
get_eol(filename, lnr, keyword, &line);
}
+ else if (strcasecmp(keyword, "nss_nested_groups") == 0)
+ {
+ cfg->nss_nested_groups = get_boolean(filename, lnr, keyword, &line);
+ get_eol(filename, lnr, keyword, &line);
+ }
else if (strcasecmp(keyword, "validnames") == 0)
{
handle_validnames(filename, lnr, keyword, line, cfg);
@@ -1671,6 +1677,7 @@ static void cfg_dump(void)
log_log(LOG_DEBUG, "CFG: nss_initgroups_ignoreusers %s", buffer);
}
log_log(LOG_DEBUG, "CFG: nss_min_uid %d", nslcd_cfg->nss_min_uid);
+ log_log(LOG_DEBUG, "CFG: nss_nested_groups %s", print_boolean(nslcd_cfg->nss_nested_groups));
log_log(LOG_DEBUG, "CFG: validnames %s", nslcd_cfg->validnames_str);
log_log(LOG_DEBUG, "CFG: ignorecase %s", print_boolean(nslcd_cfg->ignorecase));
for (i = 0; i < NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES; i++)
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 5acb1d0..7caaa02 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -119,6 +119,7 @@ struct ldap_config {
int pagesize; /* set to a greater than 0 to enable handling of paged results with the specified size */
SET *nss_initgroups_ignoreusers; /* the users for which no initgroups() searches should be done */
uid_t nss_min_uid; /* minimum uid for users retrieved from LDAP */
+ int nss_nested_groups; /* maximum group recursion depth */
regex_t validnames; /* the regular expression to determine valid names */
char *validnames_str; /* string version of validnames regexp */
int ignorecase; /* whether or not case should be ignored in lookups */
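Review bot: The comment added for `nss_nested_groups` in struct ldap_config calls it a "maximum group recursion depth", but the cfg.c hunks of this commit read it with get_boolean() and dump it with print_boolean(), so it is an on/off flag. A maintainer who trusts the comment could assume that recursion is bounded by this field, which nothing in this diff shows. I would change the line to `int nss_nested_groups; /* whether to expand nested groups (boolean, default off) */`.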
diff --git a/nslcd/group.c b/nslcd/group.c
index c422585..175fceb 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -322,8 +322,11 @@ static int write_group(TFILE *fp, MYLDAP_ENTRY *entry, const char *reqname,
set = set_new();
if (set != NULL)
{
- seen = set_new();
- subgroups = set_new();
+ if (nslcd_cfg->nss_nested_groups)
+ {
+ seen = set_new();
+ subgroups = set_new();
+ }
/* collect the members from this group */
getmembers(entry, session, set, seen, subgroups);
/* add the members of any nested groups */
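Review bot: With the option off, `seen` and `subgroups` are no longer assigned before `getmembers(entry, session, set, seen, subgroups)` in write_group(), so the call is only safe if both are initialised to NULL where they are declared, which is outside this hunk. If they are not, getmembers() and presumably the later cleanup would work on indeterminate pointers. Declaring them as `SET *seen = NULL, *subgroups = NULL;` makes the disabled path explicit, and a comment such as `/* seen and subgroups stay NULL when nested groups are disabled */` above the new `if` would record the contract. The same applies to `seen` and `tocheck` in the nslcd_group_bymember() hunk.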
@@ -420,17 +423,20 @@ int nslcd_group_bymember(TFILE *fp, MYLDAP_SESSION *session)
log_log(LOG_WARNING, "nslcd_group_bymember(): filter buffer too small");
return -1;
}
- seen = set_new();
- tocheck = set_new();
- if ((seen != NULL) && (tocheck == NULL))
- {
- set_free(seen);
- seen = NULL;
- }
- else if ((tocheck != NULL) && (seen == NULL))
+ if (nslcd_cfg->nss_nested_groups)
{
- set_free(tocheck);
- tocheck = NULL;
+ seen = set_new();
+ tocheck = set_new();
+ if ((seen != NULL) && (tocheck == NULL))
+ {
+ set_free(seen);
+ seen = NULL;
+ }
+ else if ((tocheck != NULL) && (seen == NULL))
+ {
+ set_free(tocheck);
+ tocheck = NULL;
+ }
}
/* perform a search for each search base */
for (i = 0; (base = group_bases[i]) != NULL; i++)
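Review bot: When either set_new() call fails in nslcd_group_bymember(), both sets end up NULL and the lookup appears to continue as if nss_nested_groups were off, with nothing logged. Group membership often drives access decisions, so an administrator who enabled the option cannot tell that nested memberships were left out of a reply. I would log the fallback inside the new block after the pairing check, e.g. `if (seen == NULL) log_log(LOG_WARNING, "nslcd_group_bymember(): out of memory, nested groups not expanded");`. The function body starts and ends outside the hunk.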