From be94912a9d236bbe3d5b0e17b771727b0054906d Mon Sep 17 00:00:00 2001
From: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun, 5 Jan 2014 21:36:09 +0100
Subject: Support blanking the member attribute

This allows remapping the member attribute to an empty string which
removes support for that attribute. This can reduce the number of search
operations if the attribute is not used.
---
 nslcd/attmap.c | 6 +++++-
 nslcd/group.c  | 8 ++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

(limited to 'nslcd')

diff --git a/nslcd/attmap.c b/nslcd/attmap.c
index 08130fa..1911273 100644
--- a/nslcd/attmap.c
+++ b/nslcd/attmap.c
@@ -2,7 +2,7 @@
    attmap.c - attribute mapping values and functions
    This file is part of the nss-pam-ldapd library.
 
-   Copyright (C) 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong
+   Copyright (C) 2007-2014 Arthur de Jong
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -217,6 +217,7 @@ const char *attmap_set_mapping(const char **var, const char *value)
        (note that this needs to match the functionality in the specific
        lookup module) */
     if ((var != &attmap_group_userPassword) &&
+        (var != &attmap_group_member) &&
         (var != &attmap_passwd_userPassword) &&
         (var != &attmap_passwd_gidNumber) &&
         (var != &attmap_passwd_gecos) &&
@@ -231,6 +232,9 @@ const char *attmap_set_mapping(const char **var, const char *value)
         (var != &attmap_shadow_shadowExpire) &&
         (var != &attmap_shadow_shadowFlag))
       return NULL;
+    /* the member attribute may only be set to an empty string */
+    if ((var == attmap_group_member) && (strcmp(value, "\"\"") != 0))
+      return NULL;
   }
   /* check if the value will be changed */
   if ((*var == NULL) || (strcmp(*var, value) != 0))
diff --git a/nslcd/group.c b/nslcd/group.c
index 5ce6730..1455930 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -123,7 +123,8 @@ static int mkfilter_group_bymember(MYLDAP_SESSION *session,
   if (myldap_escape(uid, safeuid, sizeof(safeuid)))
     return -1;
   /* try to translate uid to DN */
-  if (uid2dn(session, uid, dn, sizeof(dn)) == NULL)
+  if ((strcasecmp(attmap_group_member, "\"\"") == 0) ||
+      (uid2dn(session, uid, dn, sizeof(dn)) == NULL))
     return mysnprintf(buffer, buflen, "(&%s(%s=%s))",
                       group_filter, attmap_group_memberUid, safeuid);
   /* escape DN */
@@ -227,6 +228,9 @@ static void getmembers(MYLDAP_ENTRY *entry, MYLDAP_SESSION *session,
       if (isvalidname(values[i]))
         set_add(members, values[i]);
     }
+  /* skip rest if attmap_group_member is blank */
+  if (strcasecmp(attmap_group_member, "\"\"") == 0)
+    return;
   /* add the member values */
   values = myldap_get_values(entry, attmap_group_member);
   if (values != NULL)
@@ -423,7 +427,7 @@ int nslcd_group_bymember(TFILE *fp, MYLDAP_SESSION *session)
     log_log(LOG_WARNING, "nslcd_group_bymember(): filter buffer too small");
     return -1;
   }
-  if (nslcd_cfg->nss_nested_groups)
+  if ((nslcd_cfg->nss_nested_groups) && (strcasecmp(attmap_group_member, "\"\"") != 0))
   {
     seen = set_new();
     tocheck = set_new();
-- 
cgit v1.2.3