From b1b7648169d0f3b3c88dea3e6642422a29ad373c Mon Sep 17 00:00:00 2001
From: Arthur de Jong
Date: Sun, 24 Mar 2013 19:59:34 +0100
Subject: Implement a nss_nested_groups configuration option
This option can be used in both nslcd and pynslcd to enable recursive group member lookups. By default the functionality is disabled. This also updates the documentation.
---
 nslcd/cfg.c | 7 +++++++
 nslcd/cfg.h | 1 +
 nslcd/group.c | 30 ++++++++++++++++++------------
 3 files changed, 26 insertions(+), 12 deletions(-)
(limited to 'nslcd')
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index c2b9674..056b6e2 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -1089,6 +1089,7 @@ static void cfg_defaults(struct ldap_config *cfg)
 cfg->pagesize = 0;
 cfg->nss_initgroups_ignoreusers = NULL;
 cfg->nss_min_uid = 0;
+ cfg->nss_nested_groups = 0;
 cfg->validnames_str = NULL;
 handle_validnames(__FILE__, __LINE__, "",
 "/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",
@@ -1408,6 +1409,11 @@ static void cfg_read(const char *filename, struct ldap_config *cfg)
 cfg->nss_min_uid = get_int(filename, lnr, keyword, &line);
 get_eol(filename, lnr, keyword, &line);
 }
+ else if (strcasecmp(keyword, "nss_nested_groups") == 0)
+ {
+ cfg->nss_nested_groups = get_boolean(filename, lnr, keyword, &line);
+ get_eol(filename, lnr, keyword, &line);
+ }
 else if (strcasecmp(keyword, "validnames") == 0)
 {
 handle_validnames(filename, lnr, keyword, line, cfg);
@@ -1671,6 +1677,7 @@ static void cfg_dump(void)
 log_log(LOG_DEBUG, "CFG: nss_initgroups_ignoreusers %s", buffer);
 }
 log_log(LOG_DEBUG, "CFG: nss_min_uid %d", nslcd_cfg->nss_min_uid);
+ log_log(LOG_DEBUG, "CFG: nss_nested_groups %s", print_boolean(nslcd_cfg->nss_nested_groups));
 log_log(LOG_DEBUG, "CFG: validnames %s", nslcd_cfg->validnames_str);
 log_log(LOG_DEBUG, "CFG: ignorecase %s", print_boolean(nslcd_cfg->ignorecase));
 for (i = 0; i < NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES; i++)
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 5acb1d0..7caaa02 100644
--- a/nslcd/cfg.h 
+++ b/nslcd/cfg.h
@@ -119,6 +119,7 @@ struct ldap_config {
 int pagesize; /* set to a greater than 0 to enable handling of paged results with the specified size */
 SET *nss_initgroups_ignoreusers; /* the users for which no initgroups() searches should be done */
 uid_t nss_min_uid; /* minimum uid for users retrieved from LDAP */
+ int nss_nested_groups; /* maximum group recursion depth */
 regex_t validnames; /* the regular expression to determine valid names */
 char *validnames_str; /* string version of validnames regexp */
 int ignorecase; /* whether or not case should be ignored in lookups */
diff --git a/nslcd/group.c b/nslcd/group.c
index c422585..175fceb 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -322,8 +322,11 @@ static int write_group(TFILE *fp, MYLDAP_ENTRY *entry, const char *reqname,
 set = set_new();
 if (set != NULL)
 {
- seen = set_new();
- subgroups = set_new();
+ if (nslcd_cfg->nss_nested_groups)
+ {
+ seen = set_new();
+ subgroups = set_new();
+ }
 /* collect the members from this group */
 getmembers(entry, session, set, seen, subgroups);
 /* add the members of any nested groups */
@@ -420,17 +423,20 @@ int nslcd_group_bymember(TFILE *fp, MYLDAP_SESSION *session)
 log_log(LOG_WARNING, "nslcd_group_bymember(): filter buffer too small");
 return -1;
 }
- seen = set_new();
- tocheck = set_new();
- if ((seen != NULL) && (tocheck == NULL))
- {
- set_free(seen);
- seen = NULL;
- }
- else if ((tocheck != NULL) && (seen == NULL))
+ if (nslcd_cfg->nss_nested_groups)
 {
- set_free(tocheck);
- tocheck = NULL;
+ seen = set_new();
+ tocheck = set_new();
+ if ((seen != NULL) && (tocheck == NULL))
+ {
+ set_free(seen);
+ seen = NULL;
+ }
+ else if ((tocheck != NULL) && (seen == NULL))
+ {
+ set_free(tocheck);
+ tocheck = NULL;
+ }
 }
 /* perform a search for each search base */
 for (i = 0; (base = group_bases[i]) != NULL; i++)
-- cgit v1.2.3
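Review bot: The comment on the new cfg.h field, `/* maximum group recursion depth */`, does not describe what the field holds: cfg.c parses it with `get_boolean()`, defaults it to 0 and dumps it with `print_boolean()`, and group.c tests it as a plain on/off flag, so no depth limit exists anywhere in this change. A reader of the header would assume a numeric bound that the code never enforces, which matters because the only thing limiting recursion once enabled is the lookup code itself, not this setting. Reword it to `int nss_nested_groups; /* whether to recurse into nested groups when collecting members (default: off) */`. If a real depth limit is wanted later, it should be a separate integer option rather than a reinterpretation of this boolean.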
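Review bot: With nss_nested_groups off, `seen` and `subgroups` are no longer assigned before `getmembers(entry, session, set, seen, subgroups)` is reached in write_group, so that call is only well-defined if both are initialised to NULL at their declarations, which lie outside this hunk (write_group starts before it); the same dependency is introduced for `seen`/`tocheck` in the nslcd_group_bymember hunk below, whose body also continues past the hunk. Please confirm those declarations carry `= NULL`, or add it, since an indeterminate pointer here would be handed straight to the member collection. Separately, the enabled path in write_group still allows one of `seen`/`subgroups` to be NULL while the other is allocated when a single `set_new()` fails, whereas nslcd_group_bymember frees the survivor and sets both to NULL; unless getmembers is known to tolerate the mixed case, mirror that pairing inside the new block with `if ((seen != NULL) && (subgroups == NULL)) { set_free(seen); seen = NULL; }` and `else if ((subgroups != NULL) && (seen == NULL)) { set_free(subgroups); subgroups = NULL; }`.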