nss-pam-ldapd commit: r1076 - in nss-pam-ldapd: man nslcd
nss-pam-ldapd commit: r1076 - in nss-pam-ldapd: man nslcd
- From: "Commits of the nss-pam-ldapd project." <nss-pam-ldapd-commits [at] lists.arthurdejong.org>
- To: nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nss-pam-ldapd commit: r1076 - in nss-pam-ldapd: man nslcd
- Date: Sat, 20 Mar 2010 17:01:35 +0100 (CET)
Author: arthur
Date: Sat Mar 20 17:01:34 2010
New Revision: 1076
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1076
Log:
add an nss_initgroups_ignoreusers option to skip the user-to-group (initgroups)
lookups in LDAP for the specified users
Modified:
nss-pam-ldapd/man/nslcd.conf.5.xml
nss-pam-ldapd/nslcd/cfg.c
nss-pam-ldapd/nslcd/cfg.h
nss-pam-ldapd/nslcd/group.c
Modified: nss-pam-ldapd/man/nslcd.conf.5.xml
==============================================================================
--- nss-pam-ldapd/man/nslcd.conf.5.xml Sat Mar 13 16:40:23 2010 (r1075)
+++ nss-pam-ldapd/man/nslcd.conf.5.xml Sat Mar 20 17:01:34 2010 (r1076)
@@ -625,6 +625,23 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>nss_initgroups_ignoreusers</option> user1,user2,...</term>
+ <listitem>
+ <para>
+ This option prevents group membership lookups through
+ <acronym>LDAP</acronym> for the specified users. This can be useful
+ in case of unavailability of the <acronym>LDAP</acronym> server.
+ This option may be specified multiple times.
+ </para>
+ <para>
+ Alternatively, the value <emphasis remap="I">ALLLOCAL</emphasis> may be
+ used. With that value nslcd builds a full list of
+ non-<acronym>LDAP</acronym> users on startup.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
Modified: nss-pam-ldapd/nslcd/cfg.c
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.c Sat Mar 13 16:40:23 2010 (r1075)
+++ nss-pam-ldapd/nslcd/cfg.c Sat Mar 20 17:01:34 2010 (r1076)
@@ -118,6 +118,7 @@
#endif /* LDAP_OPT_X_TLS */
cfg->ldc_restart=1;
cfg->ldc_pagesize=0;
+ cfg->ldc_nss_initgroups_ignoreusers=NULL;
}
/* simple strdup wrapper */
@@ -679,6 +680,50 @@
}
}
+/* this function modifies the statement argument passed */
+static void parse_nss_initgroups_ignoreusers_statement(
+ const char *filename,int lnr,const char *keyword,
+ char *line,struct ldap_config *cfg)
+{
+ char token[MAX_LINE_LENGTH];
+ char *username,*next;
+ struct passwd *pwent;
+ check_argumentcount(filename,lnr,keyword,(line!=NULL)&&(*line!='\0'));
+ if (cfg->ldc_nss_initgroups_ignoreusers==NULL)
+ cfg->ldc_nss_initgroups_ignoreusers=set_new();
+ while (get_token(&line,token,sizeof(token))!=NULL)
+ {
+ if (strcasecmp(token,"alllocal")==0)
+ {
+ /* go over all users (this will work because nslcd is not yet running) */
+ setpwent();
+ while ((pwent=getpwent())!=NULL)
+ set_add(cfg->ldc_nss_initgroups_ignoreusers,pwent->pw_name);
+ endpwent();
+ }
+ else
+ {
+ next=token;
+ while (*next!='\0')
+ {
+ username=next;
+ /* find the end of the current username */
+ while ((*next!='\0')&&(*next!=',')) next++;
+ if (*next==',')
+ {
+ *next='\0';
+ next++;
+ }
+ /* check if user exists (but add anyway) */
+ pwent=getpwnam(username);
+ if (pwent==NULL)
+ log_log(LOG_ERR,"%s:%d: user '%s' does not
exist",filename,lnr,username);
+ set_add(cfg->ldc_nss_initgroups_ignoreusers,username);
+ }
+ }
+ }
+}
+
static void cfg_read(const char *filename,struct ldap_config *cfg)
{
FILE *fp;
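Review bot: The comma splitter in parse_nss_initgroups_ignoreusers_statement adds empty usernames to the ignore set whenever a token has a leading, trailing or doubled comma (`,root` or `root,,bin`): username then points at an empty string, getpwnam() fails, an error is logged and `""` is added anyway; skip such entries with `if (*username=='\0') continue;` placed right after the comma is consumed. Note also that username points into the stack buffer token, so this relies on set_add() copying the string it is given — worth confirming against common/set.h, since the set outlives this call. The ALLLOCAL branch assumes no nslcd instance is answering NSS requests while the config is parsed; if one is, getpwent() would also enumerate LDAP users and silently put all of them in the ignore set, so the comment on that line should spell out the precondition (and the manual page could warn about it). Finally, `user '%s' does not exist` is logged at LOG_ERR although the user is still added; saying so in the message (`user '%s' does not exist, adding anyway`) avoids the impression that the entry was rejected.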
@@ -971,6 +1016,10 @@
get_int(filename,lnr,keyword,&line,&cfg->ldc_pagesize);
get_eol(filename,lnr,keyword,&line);
}
+ else if (strcasecmp(keyword,"nss_initgroups_ignoreusers")==0)
+ {
+
parse_nss_initgroups_ignoreusers_statement(filename,lnr,keyword,line,cfg);
+ }
#ifdef ENABLE_CONFIGFILE_CHECKING
/* fallthrough */
else
Modified: nss-pam-ldapd/nslcd/cfg.h
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.h Sat Mar 13 16:40:23 2010 (r1075)
+++ nss-pam-ldapd/nslcd/cfg.h Sat Mar 20 17:01:34 2010 (r1076)
@@ -32,6 +32,7 @@
#include <ldap.h>
#include "compat/attrs.h"
+#include "common/set.h"
/* values for uid and gid */
#define NOUID ((gid_t)-1)
@@ -132,6 +133,9 @@
int ldc_restart;
/* set to a greater than 0 to enable handling of paged results with the
specified size */
int ldc_pagesize;
+ /* the users for which no initgroups() searches should be done
+ Note: because we use a set here comparisons will be case-insensitive */
+ SET *ldc_nss_initgroups_ignoreusers;
};
/* this is a pointer to the global configuration, it should be available
Modified: nss-pam-ldapd/nslcd/group.c
==============================================================================
--- nss-pam-ldapd/nslcd/group.c Sat Mar 13 16:40:23 2010 (r1075)
+++ nss-pam-ldapd/nslcd/group.c Sat Mar 20 17:01:34 2010 (r1076)
@@ -314,6 +314,15 @@
if (!isvalidname(name)) {
log_log(LOG_WARNING,"nslcd_group_bymember(%s): invalid user name",name);
return -1;
+ }
+ if ((nslcd_cfg->ldc_nss_initgroups_ignoreusers!=NULL)&&
+ set_contains(nslcd_cfg->ldc_nss_initgroups_ignoreusers,name))
+ {
+ /* just end the request, returning no results */
+ WRITE_INT32(fp,NSLCD_VERSION);
+ WRITE_INT32(fp,NSLCD_ACTION_GROUP_BYMEMBER);
+ WRITE_INT32(fp,NSLCD_RESULT_END);
+ return 0;
},
log_log(LOG_DEBUG,"nslcd_group_bymember(%s)",name);,
NSLCD_ACTION_GROUP_BYMEMBER,
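Review bot: The early return added before the `},` answers the request without any log line, while the normal path logs at LOG_DEBUG on the following line, so an ignored user is indistinguishable in the logs from an LDAP lookup that simply returned nothing; add `log_log(LOG_DEBUG,"nslcd_group_bymember(%s): user ignored",name);` before the first WRITE_INT32. Also, per the comment added in cfg.h the set compares names case-insensitively, so an LDAP user whose name differs from a listed local user only in case (e.g. `Admin` vs `admin`) gets no LDAP groups either; that fails in the safer direction, but it is behaviour the manual page should state. The enclosing request handler starts and ends outside the hunk.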
--