nss-pam-ldapd branch master updated. 0.8.12-133-g3daa68d
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
nss-pam-ldapd branch master updated. 0.8.12-133-g3daa68d
- From: Commits of the nss-pam-ldapd project <nss-pam-ldapd-commits [at] lists.arthurdejong.org>
- To: nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nss-pam-ldapd branch master updated. 0.8.12-133-g3daa68d
- Date: Sun, 24 Mar 2013 22:55:38 +0100 (CET)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".
The branch, master has been updated
via 3daa68d35cf18c0dc80c8c24c7aa23c6273d06c4 (commit)
via 642064cc205cf484bd904d94141eba8740aa0a28 (commit)
via b1b7648169d0f3b3c88dea3e6642422a29ad373c (commit)
via d6a6e8b436fc2b3aabc8a6edd62ad60bd70e0c4c (commit)
via 41ba574974a22e709bde5728e90de5dd0c2ce82d (commit)
via 08f5301d802bddf754923ffc503366d33fc4b4dd (commit)
from edd119c3a0d532fc5f87ccf89585370cb2fa3fed (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=3daa68d35cf18c0dc80c8c24c7aa23c6273d06c4
commit 3daa68d35cf18c0dc80c8c24c7aa23c6273d06c4
Merge: edd119c 642064c
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun Mar 24 22:52:44 2013 +0100
Implement support for nested groups
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=642064cc205cf484bd904d94141eba8740aa0a28
commit 642064cc205cf484bd904d94141eba8740aa0a28
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun Mar 24 20:02:24 2013 +0100
Add tests for nested group functionality
This also includes some changes to the test directory contents that were for
other tests and functionality.
diff --git a/tests/test.ldif b/tests/test.ldif
index 33a34d7..f8a8b82 100644
--- a/tests/test.ldif
+++ b/tests/test.ldif
@@ -55570,11 +55570,6 @@ modifyTimestamp: 20080215164610Z
entryCSN: 20080215164610.645394Z#000000#000#000000
dn: cn=testgroup2,ou=groups,dc=test,dc=tld
-member: cn=Test User2,ou=people,dc=test,dc=tld
-member: uid=arthur,ou=people,dc=test,dc=tld
-member: cn=testhost,ou=hosts,dc=test,dc=tld
-member: cn=bar,dc=foo,dc=com
-member: cn=Test\2C User4,ou=people,dc=test,dc=tld
sambaSID: 2
sambaGroupType: 2
gidNumber: 6200
@@ -55586,9 +55581,16 @@ cn: testgroup2
objectClass: top
objectClass: groupOfNames
objectClass: sambaGroupMapping
-entryCSN: 20091101122555.190719Z#000000#000#000000
+member: cn=Test User2,ou=people,dc=test,dc=tld
+member: cn=Test\2C User4,ou=people,dc=test,dc=tld
+member: cn=bar,dc=foo,dc=com
+member: cn=testhost,ou=hosts,dc=test,dc=tld
+member:: Y2490JDQkdCSINCT0pDQlNCC0IPQldCBLG91PXBlb3BsZSxkYz10ZXN0LGRjPXRsZA==
+member:: Y2495Y+v5piv5b2T6L+Z5LiqVeebmOWcqCxvdT1wZW9wbGUsZGM9dGVzdCxkYz10bGQ=
+member: uid=arthur,ou=people,dc=test,dc=tld
+entryCSN: 20130123220302.586061Z#000000#000#000000
modifiersName: cn=admin,dc=test,dc=tld
-modifyTimestamp: 20091101122555Z
+modifyTimestamp: 20130123220302Z
dn: cn=tst2netgroup,ou=netgroups,dc=test,dc=tld
objectClass: top
@@ -55865,3 +55867,259 @@ entryCSN: 20110208181844.413002Z#000000#000#000000
modifiersName: cn=admin,dc=test,dc=tld
modifyTimestamp: 20110208181844Z
+dn: ou=policies,dc=test,dc=tld
+objectClass: organizationalUnit
+objectClass: top
+ou: policies
+structuralObjectClass: organizationalUnit
+entryUUID: 4d7b4f58-e7a3-1031-9db7-15080ced11c7
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20121231143709Z
+entryCSN: 20121231143709.943433Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20121231143709Z
+
+dn: cn=default,ou=policies,dc=test,dc=tld
+cn: default
+objectClass: pwdPolicyChecker
+objectClass: pwdPolicy
+objectClass: person
+objectClass: top
+pwdAllowUserChange: TRUE
+pwdAttribute: userPassword
+pwdCheckModule: crackcheck.so
+pwdFailureCountInterval: 30
+pwdLockout: TRUE
+pwdMinLength: 12
+pwdSafeModify: FALSE
+sn: dummy value
+structuralObjectClass: person
+entryUUID: 4db81816-e7a3-1031-9db8-15080ced11c7
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20121231143710Z
+pwdMaxFailure: 3
+pwdCheckQuality: 0
+pwdMinAge: 1
+pwdGraceAuthNLimit: 10
+pwdLockoutDuration: 30
+pwdMustChange: TRUE
+pwdExpireWarning: 600
+pwdMaxAge: 660
+pwdInHistory: 0
+entryCSN: 20130106105309.705361Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130106105309Z
+
+dn:: Y2495Y+v5piv5b2T6L+Z5LiqVeebmOWcqCxvdT1wZW9wbGUsZGM9dGVzdCxkYz10bGQ=
+uid: tstchinese
+uidNumber: 1005
+gidNumber: 100
+homeDirectory: /home/tstchinese
+userPassword:: e01ENX1DWTlyelVZaDAzUEszazZESmllMDlnPT0=
+loginShell: /bin/sh
+sn: User
+cn:: 5Y+v5piv5b2T6L+Z5LiqVeebmOWcqA==
+objectClass: top
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+pwdChangedTime: 20130123214155Z
+structuralObjectClass: inetOrgPerson
+entryUUID: 73821438-f9f1-1031-95ee-17c50f29b0b1
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130123214155Z
+entryCSN: 20130123214155.416125Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130123214155Z
+
+dn:: Y2490JDQkdCSINCT0pDQlNCC0IPQldCBLG91PXBlb3BsZSxkYz10ZXN0LGRjPXRsZA==
+uid: tstcyrillic
+uidNumber: 1006
+gidNumber: 100
+homeDirectory: /home/tstcyrillic
+userPassword:: e01ENX1DWTlyelVZaDAzUEszazZESmllMDlnPT0=
+loginShell: /bin/sh
+sn: User
+cn:: 0JDQkdCSINCT0pDQlNCC0IPQldCB
+objectClass: top
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+pwdChangedTime: 20130123220302Z
+structuralObjectClass: inetOrgPerson
+entryUUID: 66e3afe0-f9f4-1031-95ef-17c50f29b0b1
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130123220302Z
+entryCSN: 20130123220302.735610Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130123220302Z
+
+dn: ou=autofs,dc=test,dc=tld
+objectClass: top
+objectClass: organizationalUnit
+ou: autofs
+structuralObjectClass: organizationalUnit
+entryUUID: ce19e9de-07c5-1032-9908-1b06e556a61b
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130210120445Z
+entryCSN: 20130210120445.828919Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130210120445Z
+
+dn: ou=auto.master,ou=autofs,dc=test,dc=tld
+objectClass: top
+objectClass: automountMap
+ou: auto.master
+structuralObjectClass: automountMap
+entryUUID: ce3875ac-07c5-1032-9909-1b06e556a61b
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130210120446Z
+entryCSN: 20130210120446.029108Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130210120446Z
+
+dn: cn=/ldap,ou=auto.master,ou=autofs,dc=test,dc=tld
+objectClass: automount
+cn: /ldap
+automountInformation: ldap://192.168.12.4/ou=auto.indirect,ou=autofs, dc=test,
+ dc=tld
+structuralObjectClass: automount
+entryUUID: ce3ce7ae-07c5-1032-990a-1b06e556a61b
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130210120446Z
+entryCSN: 20130210120446.058241Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130210120446Z
+
+dn: cn=/-,ou=auto.master,ou=autofs,dc=test,dc=tld
+objectClass: automount
+cn: /-
+automountInformation: ldap://192.168.12.4/ou=auto.direct,ou=autofs, dc=test, d
+ c=tld
+structuralObjectClass: automount
+entryUUID: ce401df2-07c5-1032-990b-1b06e556a61b
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130210120446Z
+entryCSN: 20130210120446.079292Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130210120446Z
+
+dn: ou=auto.indirect,ou=autofs,dc=test,dc=tld
+objectClass: top
+objectClass: automountMap
+ou: auto.indirect
+structuralObjectClass: automountMap
+entryUUID: ce415fb4-07c5-1032-990c-1b06e556a61b
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130210120446Z
+entryCSN: 20130210120446.087530Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130210120446Z
+
+dn: cn=bin,ou=auto.indirect,ou=autofs,dc=test,dc=tld
+objectClass: automount
+cn: bin
+automountInformation:: ICBzdGlwcGVyOi9zaGFyZQ==
+structuralObjectClass: automount
+entryUUID: ce48aae4-07c5-1032-990d-1b06e556a61b
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130210120446Z
+entryCSN: 20130210120446.135327Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130210120446Z
+
+dn: ou=auto.direct,ou=autofs,dc=test,dc=tld
+objectClass: top
+objectClass: automountMap
+ou: auto.direct
+structuralObjectClass: automountMap
+entryUUID: ce4ce1fe-07c5-1032-990e-1b06e556a61b
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130210120446Z
+entryCSN: 20130210120446.162952Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130210120446Z
+
+dn: cn=/nfs/budgie/man,ou=auto.direct,ou=autofs,dc=test,dc=tld
+objectClass: automount
+cn: /nfs/budgie/man
+automountInformation:: ICBidWRnaWU6L3Vzci9sb2NhbC9tYW4=
+structuralObjectClass: automount
+entryUUID: ce4e24a6-07c5-1032-990f-1b06e556a61b
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130210120446Z
+entryCSN: 20130210120446.171215Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130210120446Z
+
+dn: cn=/nfs/budgie/bin,ou=auto.direct,ou=autofs,dc=test,dc=tld
+objectClass: automount
+cn: /nfs/budgie/bin
+automountInformation:: ICBidWRnaWU6L2xvY2FsL2RhdGEvYmlu
+structuralObjectClass: automount
+entryUUID: ce4f6d34-07c5-1032-9910-1b06e556a61b
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130210120446Z
+entryCSN: 20130210120446.179627Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130210120446Z
+
+dn: cn=nstgrp1,ou=groups,dc=test,dc=tld
+objectClass: top
+objectClass: groupOfNames
+objectClass: sambaGroupMapping
+cn: nstgrp1
+sambaSID: 3
+sambaGroupType: 2
+gidNumber: 800
+structuralObjectClass: groupOfNames
+entryUUID: 52b454ae-277e-1032-97b8-977873c640f6
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130322205341Z
+member: cn=Test User2,ou=people,dc=test,dc=tld
+entryCSN: 20130323210928.654262Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130323210928Z
+
+dn: cn=nstgrp2,ou=groups,dc=test,dc=tld
+objectClass: top
+objectClass: groupOfNames
+objectClass: sambaGroupMapping
+cn: nstgrp2
+sambaSID: 4
+sambaGroupType: 2
+gidNumber: 801
+structuralObjectClass: groupOfNames
+entryUUID: 52bbd0d0-277e-1032-97b9-977873c640f6
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130322205341Z
+member: cn=Test User2,ou=people,dc=test,dc=tld
+member: cn=Test User3,ou=extra,ou=people,dc=test,dc=tld
+member: cn=nstgrp1,ou=groups,dc=test,dc=tld
+entryCSN: 20130323210928.673771Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130323210928Z
+
+dn: cn=nstgrp3,ou=groups,dc=test,dc=tld
+objectClass: top
+objectClass: groupOfNames
+objectClass: sambaGroupMapping
+cn: nstgrp3
+sambaSID: 5
+sambaGroupType: 2
+gidNumber: 802
+member: cn=nstgrp1,ou=groups,dc=test,dc=tld
+member: cn=nstgrp2,ou=groups,dc=test,dc=tld
+member: cn=nstgrp3,ou=groups,dc=test,dc=tld
+structuralObjectClass: groupOfNames
+entryUUID: 1ae13698-2849-1032-8d63-9f2843fb7873
+creatorsName: cn=admin,dc=test,dc=tld
+createTimestamp: 20130323210515Z
+entryCSN: 20130323210515.920979Z#000000#000#000000
+modifiersName: cn=admin,dc=test,dc=tld
+modifyTimestamp: 20130323210515Z
+
diff --git a/tests/test_nsscmds.sh b/tests/test_nsscmds.sh
index 7f4fa73..676c4a6 100755
--- a/tests/test_nsscmds.sh
+++ b/tests/test_nsscmds.sh
@@ -154,7 +154,7 @@ check "groups arthur | sed 's/^.*://'" << EOM
users testgroup testgroup2 grp4 grp5 grp6 grp7 grp8 grp9 grp10 grp11 grp12
grp13 grp14 grp15 grp16 grp17 grp18
EOM
-check "groups testuser4 | sed 's/^.*://'" << EOM
+check "groups testuser4 | sed 's/^.* *: *//'" << EOM
users testgroup testgroup2
EOM
@@ -165,7 +165,7 @@ users:*:100:arthur,test
EOM
check "getent group | wc -l" << EOM
-`grep -c : /etc/group | awk '{print $1 + 20}'`
+`grep -c : /etc/group | awk '{print $1 + 23}'`
EOM
check "getent group | grep ^largegroup | sortgroup" << EOM
@@ -184,6 +184,26 @@ check "getent group hugegroup | sortgroup" << EOM
hugegroup:*:1006:ablackstock,abortignon,achhor,ademosthenes,adenicola,adishaw,aesbensen,aferge,afredin,afuchs,agarbett,agimm,agordner,ahandy,ajaquess,akertzman,akomsthoeft,akraskouskas,akravetz,alamour,alat,alienhard,amanganelli,amaslyn,amayorga,amccroskey,amcgraw,amckinney,ameisinger,aponcedeleon,apurdon,areid,arosel,ascheno,ascovel,asemons,ashuey,asivley,astrunk,atollefsrud,atonkin,awhitt,aziernicki,badair,baigner,bbeckfield,bbrenton,bcoletta,bcolorado,bdadds,bdaughenbaugh,bdevera,bdominga,behrke,beon,bfishbeck,bgavagan,bguthary,bharnois,bhelverson,bjolly,blovig,bluellen,bmadamba,bmarlin,bmarszalek,bmicklos,bmoling,bouten,bphou,bpinedo,brodgerson,broher,bromano,bscadden,bsibal,bstrede,bswantak,btempel,btheim,bveeneman,bwinterton,bwynes,cabare,carguellez,cbarlup,cbartnick,cbelardo,cbleimehl,cbotdorf,cbourek,cbrechbill,cbrom,ccyganiewicz,cdeckard,cdegravelle,cdickes,cdrumm,cfasone,cflenner,cfleurantin,cgaler,cgalinol,cgaudette,cghianni,charriman,cjody,cjuntunen,ckerska,ckistenmacher,cklem,ckodish,clapenta,clewicki,clouder,cmafnas,cmanno,cmcanulty,cmellberg,cmiramon,cnabzdyk,cnoriego,cpaccione,cpalmios,cparee,cpencil,cpentreath,cpinela,cpluid,critchie,cscullion,csever,csoomaroo,cspilis,cswigert,ctenny,ctetteh,ctuzzo,cwank,cweiss,dasiedu,daubert,dbarriball,dbertels,dblazejewski,dcaltabiano,dciullo,ddeguire,ddigerolamo,denriquez,deshmon,dfirpo,dflore,dfollman,dgiacomazzi,dgivliani,dgosser,dhammontree,dhendon,dhindsman,dholdaway,dlablue,dlanois,dlargo,dledenbach,dlongbotham,dloubier,dmahapatra,dmarchizano,dmcgillen,dminozzi,dnegri,dpebbles,draymundo,dscheurer,dsharr,dsherard,dsteever,dtashjian,dtornow,dtuholski,dwittlinger,dzurek,eaguire,eathey,ebattee,ebeachem,eberkman,ebusk,ecelestin,ecolden,ecordas,ediga,edrinkwater,edurick,egospatrick,egrago,ehathcock,ehindbaugh,ejeppesen,ekalfas,ekenady,ekeuper,eklein,eklunder,ekurter,emanikowski,emargulis,emcquiddy,emehta,eorsten,eparham,epeterson,epoinelli,erathert,erostad,eserrett,esheehan,esonia,esproull,esthill,estockwin,etunby,ewicks,ewilles,ewismer,ewuitschick,eyounglas,eziebert,fagro,faleo,farquette,fbeatrice,fberra,fberyman,fbielecki,fburrough,fcha,fcunard,ffigert,fgoben,fgrashot,fhain,fhalon,fkeef,fmarchi,fmilsaps,fnottage,fparness,fplayfair,fsapien,fsavela,fsirianni,fsplinter,fsunderland,fsymmonds,fthein,fvallian,fvascones,fverfaille,fvinal,fwidhalm,gallanson,gapkin,garchambeault,gbitar,gbolay,gcarlini,gcervantez,gchounlapane,gclapham,gcobane,gconver,gcukaj,gcummer,gcurnutt,gdaub,gdeblasio,gdeyarmond,gdrilling,gearnshaw,gfaire,gfedewa,ggehrke,ggillim,ghann,ghelderman,ghumbles,gishii,gjankowiak,gkerens,glafontaine,gloebs,gmackinder,gmassi,gmilian,gmings,gmoen,gparkersmith,gpomerance,gportolese,greiff,gsantella,gschaumburg,gshrode,gtinnel,guresti,gvollrath,gwaud,habby,hbastidos,hbetterman,hbickford,hbraim,hbrandow,hbrehmer,hbukovsky,hcafourek,hcarrizal,hchaviano,hcintron,hcowles,hcusta,hdoiel,hdyner,hfludd,hgalavis,hhaffey,hhagee,hhartranft,hholyfield,hhysong,hkarney,hkinderknecht,hkippes,hkohlmeyer,hlauchaire,hlemon,hlichota,hliverman,hloftis,hlynema,hmateer,hmatonak,hmiazga,hmogush,hmuscaro,hpalmquist,hpimpare,hpolintan,hrapisura,hrenart,hriech,hsabol,hschelb,hschoepfer,hspiry,hstreitnatter,hsweezer,htilzer,htomlinson,htsuha,hvannette,hveader,hwestermark,hwoodert,hzagami,hzinda,iambrosino,ibeto,ibreitbart,ibuzo,ibyles,ichewning,icoard,ideveyra,ienglert,igizzi,ihalford,ihanneman,ihegener,ihernan,iherrarte,ihimmelwright,ihoa,iiffert,ikadar,ikulbida,ilacourse,ilamberth,ilawbaugh,ileaman,ilevian,imarungo,imcbay,imensah,imicthell,imillin,imuehl,inarain,iogasawara,iroiger,iseipel,isowder,isplonskowski,istallcup,istarring,isteinlicht,ithum,ivanschaack,iweibe,iyorgey,iyorks,jamber,jappleyard,jbielicki,jbjorkman,jcaroll,jdodge,jeuresti,jeverton,jglotzbecker,jherkenratt,jholzmiller,jjumalon,jkimpton,jknight,jlebouf,jlunney,jmartha,jmarugg,jmatty,joligee,jquicksall,jrees,jreigh,jroman,jscheitlin,jseen,jsegundo,jsenavanh,jskafec,jspohn,jsweezy,jvillaire,jwinterton,jzych,kaanerud,kalguire,kbarnthouse,kbartolet,kbattershell,kbrevitz,kbrugal,kcofrancesco,kcomparoni,kconkey,kdevincent,kepps,kfaure,kfend,kgarced,kgremminger,khartness,kheadlon,khovanesian,kjoslyn,klitehiser,klundsten,klurie,kmallach,kmandolfo,kmarzili,kmayoras,kmcardle,kmcguire,kmedcaf,kmeester,kmisove,kmoesch,kmosko,kmuros,kolexa,kottomaniello,kpalka,kpannunzio,kpenale,kpuebla,krahman,kseisler,kshippy,ksiering,ksollitto,ksparling,kstachurski,kthede,ktoni,ktriblett,ktuccio,ktuner,kwidrick,kwinterling,kwirght,laksamit,lautovino,lbanco,lbassin,lbove,lbuchtel,lcanestrini,lcaudell,lcavez,lcocherell,lcoulon,lcremer,leberhardt,lfarraj,lfichtner,lgadomski,lgandee,lgradilla,lhuggler,limbrogno,ljomes,lkimel,llarmore,llasher,lmadruga,lmauracher,lmcgeary,lmichaud,lmuehlberger,lnormand,lparrish,lpeagler,lpintor,lpitek,lpondexter,lrandall,lringuette,lschenkelberg,lschnorbus,lschollmeier,lseabold,lseehafer,lshilling,lsivic,lsobrino,lsous,lspielvogel,lvaleriano,lvanconant,lwedner,lyoula,mallmand,maustine,mbeagley,mbodley,mbravata,mcampagnone,mcaram,mcashett,mcasida,mcoch,mcolehour,mcontreras,mdanos,mdecourcey,mdedon,mdickinson,mdimaio,mdoering,mdyce,meconomides,mespinel,mfaeth,mfeil,mferandez,mfitzherbert,mgavet,mgayden,mground,mheilbrun,mhollings,mjeon,mkibler,mkofoed,mlaverde,mlenning,mlinak,mlinardi,mmangiamele,mmattu,mmcchristian,mmerriwether,mmesidor,mneubacher,moller,moser,mpanahon,mpark,mpellew,mpilon,mpizzaro,mpytko,mquigg,mredd,mrizer,mruppel,mrydelek,mskeele,mstirn,mswogger,mtanzi,mtintle,mvanbergen,mvanpelt,mvas,mvedder,mviverette,myokoyama,nagerton,nasmar,nbuford,nbugtong,ncermeno,nchrisman,nciucci,ndesautels,ndrumgole,nedgin,nendicott,nerbach,nevan,nforti,nfunchess,ngiesler,nglathar,ngrowney,ngullett,nhayer,nhelfinstine,nhija,ninnella,njordon,nkempon,nkubley,nlainhart,nlatchaw,nlemma,nlinarez,nlohmiller,nmccolm,nmoren,nnamanworth,nnickel,nousdahl,nphan,nramones,nranck,nridinger,nriofrio,nrybij,nrysavy,nschmig,nsiemonsma,nslaby,nspolar,nvyhnal,nwescott,nwiker,oahyou,oalthouse,obeaufait,obenallack,obercier,obihl,ocalleo,ochasten,oclunes,oconerly,ocrabbs,oebrani,ofelcher,ohatto,ohearl,ohedlund,ohoffert,ohove,ojerabek,okave,okveton,omalvaez,omasone,omatula,omcdaid,oolivarez,oosterhouse,opeet,opizzuti,opoch,oport,opuglisi,oreiss,osaber,oscarpello,oshough,ovibbert,owhelchel,owhitelow,pahles,pbascom,pbeckerdite,pbiggart,pbondroff,pbrentano,pcaposole,pcornn,pdauterman,pdech,pdischinger,pduitscher,pdulac,pdurando,pfavolise,pgiegerich,pgreenier,pgrybel,phalkett,pheathcock,phyer,pmineo,pminnis,ppedraja,ppeper,pphuaphes,prepasky,prowena,psabado,psalesky,pschrayter,psharits,psiroky,psundeen,pthornberry,ptoenjes,ptraweek,purquilla,pvierthaler,pvirelli,pviviani,pwademan,pwashuk,pwetherwax,pwhitmire,pwohlenhaus,pwutzke,qhanly,ralspach,rbernhagen,rbillingsly,rbloomstrand,rbrisby,rcheshier,rchevrette,rdubs,rdubuisson,redling,rfassinger,rfauerbach,rfidel,rginer,rgoonez,rgramby,rgriffies,rguinane,rheinzmann,rkraszewski,rlambertus,rlatessa,rlosinger,rmandril,rmcstay,rnordby,rpastorin,rpikes,rpinilla,rpitter,rramirez,rrasual,rschkade,rtole,rtooker,saben,sackles,sarndt,saycock,sbemo,sbettridge,sbloise,sbonnie,sbrabyn,scocuzza,sdebry,senrico,sestergard,sgefroh,sgirsh,sgropper,sgunder,sgurski,shaith,sherzberg,showe,sjankauskas,skanjirathinga,skoegler,slaningham,slaudeman,slerew,smccaie,smillian,smullowney,snotari,spolmer,srees,srubenfield,sscheiern,sskone,sskyers,sspagnuolo,sstough,sstuemke,svandewalle,svielle,svogler,svongal,swoodie,tabdelal,tairth,tbagne,tbattista,tboxx,tcacal,tcossa,tcrissinger,tdonathan,teliades,tfalconeri,tfetherston,tgelen,tgindhart,tguinnip,tharr,thelfritz,thoch,thynson,tkeala,tkelly,tkhora,tlana,tlowers,tmalecki,tmarkus,tmccaffity,tmccamish,tmcmickle,tmelland,tmorr,tmurata,tmysinger,tnaillon,tnitzel,tpaa,tplatko,tredfearn,tsablea,tsann,tschnepel,tsearle,tsepulueda,tsowells,tstalworth,tvehrs,tvrooman,tyounglas,ualway,uazatyan,ubenken,ubieniek,ubynum,udatu,uednilao,ueriks,uflander,ugerpheide,ugreenberg,uhayakawa,uholecek,ulanigan,umarbury,umosser,upater,upellam,uransford,urosentrance,uschweyen,usevera,uslavinski,uspittler,uvanmatre,uwalpole,uweyand,vbaldasaro,vbigalow,vbonder,vburton,vchevalier,vcrofton,vdesir,vdolan,veisenhardt,vemily,venfort,vfeigel,vglidden,vkrug,vlubic,vmaynard,vmedici,vnazzal,vnery,vpeairs,vpender,vpiraino,vrodick,vrunyon,vsefcovic,vstirman,vtowell,vtresch,vtrumpp,vwabasha,vwaltmann,vwisinger,vwokwicz,wbrill,wclokecloak,wconces,wconstantino,wcreggett,wdagrella,wdevenish,wdovey,wenglander,werrick,wesguerra,wganther,wkhazaleh,wleiva,wlynch,wmailey,wmendell,wnunziata,wottesen,wselim,wstjean,wtruman,wvalcin,wvermeulen,xeppley,xlantey,xrahaim,yautin,ycerasoli,ycobetto,ycostaneda,yduft,yeven,yfrymoyer,ygockel,yhenriques,ykimbel,yolivier,yschmuff,ysnock,yvdberg,zanderlik,zborgmeyer,zbuscaglia,zculp,zfarler,zhaulk,zkutchera,zmeeker,zneeb,zratti,zscammahorn,zvagt,zwinterbottom
EOM
+check "getent group nstgrp1 | sortgroup" << EOM
+nstgrp1:*:800:testusr2
+EOM
+
+check "getent group nstgrp2 | sortgroup" << EOM
+nstgrp2:*:801:testusr2,testusr3
+EOM
+
+check "getent group nstgrp3 | sortgroup" << EOM
+nstgrp3:*:802:testusr2,testusr3
+EOM
+
+check "groups testusr2 | sed 's/^.* *: *//'" << EOM
+users largegroup testgroup2 nstgrp1 nstgrp2 nstgrp3
+EOM
+
+check "groups testusr3 | sed 's/^.* *: *//'" << EOM
+users largegroup nstgrp2 nstgrp3
+EOM
+
###########################################################################
echo "test_nsscmds.sh: testing hosts..."
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=b1b7648169d0f3b3c88dea3e6642422a29ad373c
commit b1b7648169d0f3b3c88dea3e6642422a29ad373c
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun Mar 24 19:59:34 2013 +0100
Implement a nss_nested_groups configuration option
This option can be used in both nslcd and pynslcd to enable recursive group
member lookups. By default the functionality is disabled. This also updates
the documentation.
diff --git a/README b/README
index d997e68..ad906a5 100644
--- a/README
+++ b/README
@@ -15,7 +15,7 @@
Copyright (C) 1997-2006 Luke Howard
Copyright (C) 2006-2007 West Consulting
- Copyright (C) 2006-2012 Arthur de Jong
+ Copyright (C) 2006-2013 Arthur de Jong
Copyright (C) 2009 Howard Chu
Copyright (C) 2010 Symas Corporation
@@ -158,7 +158,6 @@ unsupported features
Since nss-pam-ldapd was forked from nss_ldap most of the features that came
with nss_ldap are available. The most important differences:
- the configuration file formats are not fully compatible
-- nested groups are currently unsupported
- rootbinddn/rootbindpw support is removed and is not likely to return
For the PAM module some functionality is missing. Comparing it to pam_ldap:
@@ -356,8 +355,11 @@ If the DN value already contains a uid value (e.g.
uid=arthur, dc=example,
dc=com) the lookup is skipped and the value from the DN is used. A cache is
maintained that saves the DN to uid translations for 15 minutes.
-Currently, having nested groups by member values pointing to other groups,
-as well as the memberOf attribute in posixAccount entries are unsupported.
+The member attribute may also contain the DN of another group entry. These
+nested groups are parsed recursively depending on the nss_nested_groups
+option.
+
+Currently, the memberOf attribute in posixAccount entries is unsupported.
case sensitivity
----------------
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 3dc044a..5bee5f4 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -720,6 +720,19 @@
</listitem>
</varlistentry>
+ <varlistentry id="nss_nested_groups"> <!-- since 0.9.0 -->
+ <term><option>nss_nested_groups</option> yes|no</term>
+ <listitem>
+ <para>
+ If this option is set, the <litera>member</litera> attribute of a
+ group may point to another group.
+ Members of nested groups are also returned in the higher level group
+ and parent groups are returned when finding groups for a specific user.
+ The default is not to perform extra searches for nested groups.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="validnames"> <!-- since 0.8.2 -->
<term><option>validnames</option> <replaceable>REGEX</replaceable></term>
<listitem>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index c2b9674..056b6e2 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -1089,6 +1089,7 @@ static void cfg_defaults(struct ldap_config *cfg)
cfg->pagesize = 0;
cfg->nss_initgroups_ignoreusers = NULL;
cfg->nss_min_uid = 0;
+ cfg->nss_nested_groups = 0;
cfg->validnames_str = NULL;
handle_validnames(__FILE__, __LINE__, "",
"/^[a-z0-9._@$()]([a-z0-9._@$()
\\~-]*[a-z0-9._@$()~-])?$/i",
@@ -1408,6 +1409,11 @@ static void cfg_read(const char *filename, struct
ldap_config *cfg)
cfg->nss_min_uid = get_int(filename, lnr, keyword, &line);
get_eol(filename, lnr, keyword, &line);
}
+ else if (strcasecmp(keyword, "nss_nested_groups") == 0)
+ {
+ cfg->nss_nested_groups = get_boolean(filename, lnr, keyword, &line);
+ get_eol(filename, lnr, keyword, &line);
+ }
else if (strcasecmp(keyword, "validnames") == 0)
{
handle_validnames(filename, lnr, keyword, line, cfg);
@@ -1671,6 +1677,7 @@ static void cfg_dump(void)
log_log(LOG_DEBUG, "CFG: nss_initgroups_ignoreusers %s", buffer);
}
log_log(LOG_DEBUG, "CFG: nss_min_uid %d", nslcd_cfg->nss_min_uid);
+ log_log(LOG_DEBUG, "CFG: nss_nested_groups %s",
print_boolean(nslcd_cfg->nss_nested_groups));
log_log(LOG_DEBUG, "CFG: validnames %s", nslcd_cfg->validnames_str);
log_log(LOG_DEBUG, "CFG: ignorecase %s",
print_boolean(nslcd_cfg->ignorecase));
for (i = 0; i < NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES; i++)
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 5acb1d0..7caaa02 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -119,6 +119,7 @@ struct ldap_config {
int pagesize; /* set to a greater than 0 to enable handling of paged results
with the specified size */
SET *nss_initgroups_ignoreusers; /* the users for which no initgroups()
searches should be done */
uid_t nss_min_uid; /* minimum uid for users retrieved from LDAP */
+ int nss_nested_groups; /* maximum group recursion depth */
regex_t validnames; /* the regular expression to determine valid names */
char *validnames_str; /* string version of validnames regexp */
int ignorecase; /* whether or not case should be ignored in lookups */
diff --git a/nslcd/group.c b/nslcd/group.c
index c422585..175fceb 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -322,8 +322,11 @@ static int write_group(TFILE *fp, MYLDAP_ENTRY *entry,
const char *reqname,
set = set_new();
if (set != NULL)
{
- seen = set_new();
- subgroups = set_new();
+ if (nslcd_cfg->nss_nested_groups)
+ {
+ seen = set_new();
+ subgroups = set_new();
+ }
/* collect the members from this group */
getmembers(entry, session, set, seen, subgroups);
/* add the members of any nested groups */
@@ -420,17 +423,20 @@ int nslcd_group_bymember(TFILE *fp, MYLDAP_SESSION
*session)
log_log(LOG_WARNING, "nslcd_group_bymember(): filter buffer too small");
return -1;
}
- seen = set_new();
- tocheck = set_new();
- if ((seen != NULL) && (tocheck == NULL))
- {
- set_free(seen);
- seen = NULL;
- }
- else if ((tocheck != NULL) && (seen == NULL))
+ if (nslcd_cfg->nss_nested_groups)
{
- set_free(tocheck);
- tocheck = NULL;
+ seen = set_new();
+ tocheck = set_new();
+ if ((seen != NULL) && (tocheck == NULL))
+ {
+ set_free(seen);
+ seen = NULL;
+ }
+ else if ((tocheck != NULL) && (seen == NULL))
+ {
+ set_free(tocheck);
+ tocheck = NULL;
+ }
}
/* perform a search for each search base */
for (i = 0; (base = group_bases[i]) != NULL; i++)
diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
index 57a1be2..b03b8c7 100644
--- a/pynslcd/cfg.py
+++ b/pynslcd/cfg.py
@@ -85,6 +85,7 @@ tls_key = None
pagesize = 0
nss_initgroups_ignoreusers = set()
nss_min_uid = 0
+nss_nested_groups = False
validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$
\\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
pam_authz_searches = []
pam_password_prohibit_message = None
@@ -176,7 +177,7 @@ def read(filename):
globals()[m.group('keyword').lower()] = int(m.group('value'))
continue
# parse options with a single boolean argument
- m = re.match('(?P<keyword>referrals)\s+(?P<value>%s)' %
+ m =
re.match('(?P<keyword>referrals|nss_nested_groups)\s+(?P<value>%s)' %
'|'.join(_boolean_options.keys()),
line, re.IGNORECASE)
if m:
diff --git a/pynslcd/group.py b/pynslcd/group.py
index 20f81bf..71a1173 100644
--- a/pynslcd/group.py
+++ b/pynslcd/group.py
@@ -26,6 +26,7 @@ import ldap
from passwd import dn2uid, uid2dn
import cache
+import cfg
import common
import constants
import search
@@ -109,7 +110,7 @@ class GroupRequest(common.Request):
member = dn2uid(self.conn, memberdn)
if member and common.isvalidname(member):
members.add(member)
- else:
+ elif cfg.nss_nested_groups:
subgroups.append(memberdn)
def convert(self, dn, attributes, parameters):
@@ -172,16 +173,17 @@ class GroupByMemberRequest(GroupRequest):
seen.add(dn)
for values in self.convert(dn, attributes, parameters):
yield values
- tocheck = list(seen)
- # find parent groups
- while tocheck:
- group = tocheck.pop(0)
- for dn, attributes in self.search(self.conn,
parameters=dict(member=group)):
- if dn not in seen:
- seen.add(dn)
- tocheck.append(dn)
- for result in self.convert(dn, attributes, parameters):
- yield result
+ if cfg.nss_nested_groups:
+ tocheck = list(seen)
+ # find parent groups
+ while tocheck:
+ group = tocheck.pop(0)
+ for dn, attributes in self.search(self.conn,
parameters=dict(member=group)):
+ if dn not in seen:
+ seen.add(dn)
+ tocheck.append(dn)
+ for result in self.convert(dn, attributes, parameters):
+ yield result
class GroupAllRequest(GroupRequest):
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d6a6e8b436fc2b3aabc8a6edd62ad60bd70e0c4c
commit d6a6e8b436fc2b3aabc8a6edd62ad60bd70e0c4c
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun Mar 24 19:58:28 2013 +0100
Implement support for nested groups in pynslcd
diff --git a/pynslcd/common.py b/pynslcd/common.py
index bbffef4..3a59cbe 100644
--- a/pynslcd/common.py
+++ b/pynslcd/common.py
@@ -82,18 +82,23 @@ class Request(object):
stream."""
pass
+ def get_results(self, parameters):
+ """Provide the result entries by performing a search."""
+ for dn, attributes in self.search(self.conn, parameters=parameters):
+ for values in self.convert(dn, attributes, parameters):
+ yield values
+
def handle_request(self, parameters):
"""This method handles the request based on the parameters read
with read_parameters()."""
try:
#with cache.con:
if True:
- for dn, attributes in self.search(self.conn,
parameters=parameters):
- for values in self.convert(dn, attributes, parameters):
- self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
- self.write(*values)
- if self.cache:
- self.cache.store(*values)
+ for values in self.get_results(parameters):
+ self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
+ self.write(*values)
+ if self.cache:
+ self.cache.store(*values)
except ldap.SERVER_DOWN:
if self.cache:
logging.debug('read from cache')
diff --git a/pynslcd/group.py b/pynslcd/group.py
index a43aae5..20f81bf 100644
--- a/pynslcd/group.py
+++ b/pynslcd/group.py
@@ -22,6 +22,7 @@ import itertools
import logging
from ldap.filter import escape_filter_chars
+import ldap
from passwd import dn2uid, uid2dn
import cache
@@ -51,7 +52,7 @@ class Search(search.LDAPSearch):
def __init__(self, *args, **kwargs):
super(Search, self).__init__(*args, **kwargs)
- if 'memberUid' in self.parameters:
+ if 'memberUid' in self.parameters or 'member' in self.parameters:
# set up our own attributes that leave out membership attributes
self.attributes = list(self.attributes)
self.attributes.remove(attmap['memberUid'])
@@ -95,24 +96,39 @@ class GroupRequest(common.Request):
self.fp.write_int32(gid)
self.fp.write_stringlist(members)
- def convert(self, dn, attributes, parameters):
- # get group names and check against requested group name
- names = attributes['cn']
- # get group group password
- passwd = attributes['userPassword'][0]
- # get group id(s)
- gids = [int(x) for x in attributes['gidNumber']]
- # build member list
- members = set()
+ def get_members(self, attributes, members, subgroups, seen):
# add the memberUid values
for member in clean(attributes['memberUid']):
if common.isvalidname(member):
members.add(member)
# translate and add the member values
for memberdn in clean(attributes['member']):
+ if memberdn in seen:
+ continue
+ seen.add(memberdn)
member = dn2uid(self.conn, memberdn)
if member and common.isvalidname(member):
members.add(member)
+ else:
+ subgroups.append(memberdn)
+
+ def convert(self, dn, attributes, parameters):
+ # get group names and check against requested group name
+ names = attributes['cn']
+ # get group group password
+ passwd = attributes['userPassword'][0]
+ # get group id(s)
+ gids = [int(x) for x in attributes['gidNumber']]
+ # build member list
+ members = set()
+ subgroups = []
+ seen = set([dn])
+ self.get_members(attributes, members, subgroups, seen)
+ # go over subgroups to find more members
+ while subgroups:
+ memberdn = subgroups.pop(0)
+ for dn2, attributes2 in self.search(self.conn, base=memberdn,
scope=ldap.SCOPE_BASE):
+ self.get_members(attributes2, members, subgroups, seen)
# actually return the results
for name in names:
if not common.isvalidname(name):
@@ -150,6 +166,23 @@ class GroupByMemberRequest(GroupRequest):
common.validate_name(memberuid)
return dict(memberUid=memberuid)
+ def get_results(self, parameters):
+ seen = set()
+ for dn, attributes in self.search(self.conn, parameters=parameters):
+ seen.add(dn)
+ for values in self.convert(dn, attributes, parameters):
+ yield values
+ tocheck = list(seen)
+ # find parent groups
+ while tocheck:
+ group = tocheck.pop(0)
+ for dn, attributes in self.search(self.conn,
parameters=dict(member=group)):
+ if dn not in seen:
+ seen.add(dn)
+ tocheck.append(dn)
+ for result in self.convert(dn, attributes, parameters):
+ yield result
+
class GroupAllRequest(GroupRequest):
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=41ba574974a22e709bde5728e90de5dd0c2ce82d
commit 41ba574974a22e709bde5728e90de5dd0c2ce82d
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun Mar 24 19:57:22 2013 +0100
Implement support for nested groups in nslcd
This differs from the code provided by Steve Hill in that it avoids
(recursively) performing parallel LDAP searches by queueing groups and check
for extra members per queued group (in the forward lookup) or check for
extra
parents (for the user to groups lookup).
For the reverse lookup handling the NSLCD_HANDLE macro could no longer be
used
because extra care should be taken to free the sets before returning and two
search phases are needed.
diff --git a/nslcd/group.c b/nslcd/group.c
index af7a23a..c422585 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -213,16 +213,12 @@ static int do_write_group(TFILE *fp, MYLDAP_ENTRY *entry,
return 0;
}
-/* return the list of members */
-static const char **getmembers(MYLDAP_ENTRY *entry, MYLDAP_SESSION *session)
+static void getmembers(MYLDAP_ENTRY *entry, MYLDAP_SESSION *session,
+ SET *members, SET *seen, SET *subgroups)
{
char buf[256];
int i;
const char **values;
- SET *set;
- set = set_new();
- if (set == NULL)
- return NULL;
/* add the memberUid values */
values = myldap_get_values(entry, attmap_group_memberUid);
if (values != NULL)
@@ -230,21 +226,25 @@ static const char **getmembers(MYLDAP_ENTRY *entry,
MYLDAP_SESSION *session)
{
/* only add valid usernames */
if (isvalidname(values[i]))
- set_add(set, values[i]);
+ set_add(members, values[i]);
}
/* add the member values */
values = myldap_get_values(entry, attmap_group_member);
if (values != NULL)
for (i = 0; values[i] != NULL; i++)
{
- /* transform the DN into a uid (dn2uid() already checks validity) */
- if (dn2uid(session, values[i], buf, sizeof(buf)) != NULL)
- set_add(set, buf);
+ if ((seen == NULL) || (!set_contains(seen, values[i])))
+ {
+ if (seen != NULL)
+ set_add(seen, values[i]);
+ /* transform the DN into a uid (dn2uid() already checks validity) */
+ if (dn2uid(session, values[i], buf, sizeof(buf)) != NULL)
+ set_add(members, buf);
+ /* wasn't a UID - try handling it as a nested group */
+ else if (subgroups != NULL)
+ set_add(subgroups, values[i]);
+ }
}
- /* return the members */
- values = set_tolist(set);
- set_free(set);
- return values;
}
/* the maximum number of gidNumber attributes per entry */
@@ -256,11 +256,14 @@ static int write_group(TFILE *fp, MYLDAP_ENTRY *entry,
const char *reqname,
{
const char **names, **gidvalues;
const char *passwd;
- const char **members;
+ const char **members = NULL;
+ SET *set, *seen=NULL, *subgroups=NULL;
gid_t gids[MAXGIDS_PER_ENTRY];
int numgids;
char *tmp;
char passbuffer[64];
+ MYLDAP_SEARCH *search;
+ MYLDAP_ENTRY *entry2;
int rc;
/* get group name (cn) */
names = myldap_get_values(entry, attmap_group_cn);
@@ -315,9 +318,33 @@ static int write_group(TFILE *fp, MYLDAP_ENTRY *entry,
const char *reqname,
passwd = default_group_userPassword;
/* get group memebers (memberUid&member) */
if (wantmembers)
- members = getmembers(entry, session);
- else
- members = NULL;
+ {
+ set = set_new();
+ if (set != NULL)
+ {
+ seen = set_new();
+ subgroups = set_new();
+ /* collect the members from this group */
+ getmembers(entry, session, set, seen, subgroups);
+ /* add the members of any nested groups */
+ if (subgroups != NULL)
+ {
+ while ((tmp = set_pop(subgroups)) != NULL)
+ {
+ search = myldap_search(session, tmp, LDAP_SCOPE_BASE, group_filter,
group_attrs, NULL);
+ if (search != NULL)
+ while ((entry2 = myldap_get_entry(search, NULL)) != NULL)
+ getmembers(entry2, session, set, seen, subgroups);
+ }
+ }
+ members = set_tolist(set);
+ set_free(set);
+ if (seen != NULL)
+ set_free(seen);
+ if (subgroups != NULL)
+ set_free(subgroups);
+ }
+ }
/* write entries (split to a separate function so we can ensure the call
to free() below in case a write fails) */
rc = do_write_group(fp, entry, names, gids, numgids, passwd, members,
@@ -353,12 +380,22 @@ NSLCD_HANDLE(
write_group(fp, entry, NULL, &gid, 1, session)
)
-NSLCD_HANDLE(
- group, bymember, NSLCD_ACTION_GROUP_BYMEMBER,
+int nslcd_group_bymember(TFILE *fp, MYLDAP_SESSION *session)
+{
+ /* define common variables */
+ int32_t tmpint32;
+ MYLDAP_SEARCH *search;
+ MYLDAP_ENTRY *entry;
+ const char *dn;
+ const char *base;
+ int rc, i;
char name[256];
char filter[4096];
+ SET *seen=NULL, *tocheck=NULL;
+ /* read request parameters */
READ_STRING(fp, name);
log_setrequest("group/member=\"%s\"", name);
+ /* validate request */
if (!isvalidname(name))
{
log_log(LOG_WARNING, "request denied by validnames option");
@@ -373,10 +410,111 @@ NSLCD_HANDLE(
WRITE_INT32(fp, NSLCD_ACTION_GROUP_BYMEMBER);
WRITE_INT32(fp, NSLCD_RESULT_END);
return 0;
- },
- mkfilter_group_bymember(session, name, filter, sizeof(filter)),
- write_group(fp, entry, NULL, NULL, 0, session)
-)
+ }
+ /* write the response header */
+ WRITE_INT32(fp, NSLCD_VERSION);
+ WRITE_INT32(fp, NSLCD_ACTION_GROUP_BYMEMBER);
+ /* prepare the search filter */
+ if (mkfilter_group_bymember(session, name, filter, sizeof(filter)))
+ {
+ log_log(LOG_WARNING, "nslcd_group_bymember(): filter buffer too small");
+ return -1;
+ }
+ seen = set_new();
+ tocheck = set_new();
+ if ((seen != NULL) && (tocheck == NULL))
+ {
+ set_free(seen);
+ seen = NULL;
+ }
+ else if ((tocheck != NULL) && (seen == NULL))
+ {
+ set_free(tocheck);
+ tocheck = NULL;
+ }
+ /* perform a search for each search base */
+ for (i = 0; (base = group_bases[i]) != NULL; i++)
+ {
+ /* do the LDAP search */
+ search = myldap_search(session, base, group_scope, filter,
+ group_attrs, NULL);
+ if (search == NULL)
+ {
+ if (seen != NULL)
+ {
+ set_free(seen);
+ set_free(tocheck);
+ }
+ return -1;
+ }
+ /* go over results */
+ while ((entry = myldap_get_entry(search, &rc)) != NULL)
+ {
+ if ((seen == NULL) || (!set_contains(seen, dn = myldap_get_dn(entry))))
+ {
+ if (seen != NULL)
+ {
+ set_add(seen, dn);
+ set_add(tocheck, dn);
+ }
+ if (write_group(fp, entry, NULL, NULL, 0, session))
+ {
+ if (seen != NULL)
+ {
+ set_free(seen);
+ set_free(tocheck);
+ }
+ return -1;
+ }
+ }
+ }
+ }
+ /* write possible parent groups */
+ if (tocheck != NULL)
+ {
+ while ((dn = set_pop(tocheck)) != NULL)
+ {
+ /* make filter for finding groups with our group as member */
+ if (mkfilter_group_bymemberdn(session, dn, filter, sizeof(filter)))
+ {
+ log_log(LOG_WARNING, "nslcd_group_bymember(): filter buffer too
small");
+ set_free(seen);
+ set_free(tocheck);
+ return -1;
+ }
+ /* do the LDAP searches */
+ for (i = 0; (base = group_bases[i]) != NULL; i++)
+ {
+ search = myldap_search(session, base, group_scope, filter,
group_attrs, NULL);
+ if (search != NULL)
+ {
+ while ((entry = myldap_get_entry(search, NULL)) != NULL)
+ {
+ if (!set_contains(seen, dn = myldap_get_dn(entry)))
+ {
+ set_add(seen, dn);
+ set_add(tocheck, dn);
+ if (write_group(fp, entry, NULL, NULL, 0, session))
+ {
+ set_free(seen);
+ set_free(tocheck);
+ return -1;
+ }
+ }
+ }
+ }
+ }
+ }
+ set_free(seen);
+ set_free(tocheck);
+ }
+ /* write the final result code */
+ if (rc == LDAP_SUCCESS)
+ {
+ WRITE_INT32(fp, NSLCD_RESULT_END);
+ }
+ return 0;
+}
NSLCD_HANDLE(
group, all, NSLCD_ACTION_GROUP_ALL,
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=08f5301d802bddf754923ffc503366d33fc4b4dd
commit 08f5301d802bddf754923ffc503366d33fc4b4dd
Author: Steve Hill <steve@opendium.com>
Date: Wed Mar 20 14:48:14 2013 +0100
Implement a mkfilter_group_bymemberdn() function
This was part of a bigger change to implement nested groups, however most of
the other parts were re-implemented differently.
For the original changes, see:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2013/msg00034.html
diff --git a/AUTHORS b/AUTHORS
index 1d9f989..1f88b1b 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -120,3 +120,4 @@ Matthew L. Dailey <matthew.l.dailey@dartmouth.edu>
Chris Hiestand <chiestand@salk.edu>
Jon Severinsson <jon@severinsson.net>
Thorsten Glaser <t.glaser@tarent.de>
+Steve Hill <steve@opendium.com>
diff --git a/nslcd/group.c b/nslcd/group.c
index 868110c..af7a23a 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -6,6 +6,7 @@
Copyright (C) 1997-2006 Luke Howard
Copyright (C) 2006 West Consulting
Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Arthur de Jong
+ Copyright (C) 2013 Steve Hill
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -135,6 +136,20 @@ static int mkfilter_group_bymember(MYLDAP_SESSION *session,
attmap_group_member, safedn);
}
+static int mkfilter_group_bymemberdn(MYLDAP_SESSION *session,
+ const char *dn,
+ char *buffer, size_t buflen)
+{
+ char safedn[300];
+ /* escape DN */
+ if (myldap_escape(dn, safedn, sizeof(safedn)))
+ return -1;
+ return mysnprintf(buffer, buflen,
+ "(&%s(%s=%s))",
+ group_filter,
+ attmap_group_member, safedn);
+}
+
void group_init(void)
{
int i;
-----------------------------------------------------------------------
Summary of changes:
AUTHORS | 1 +
README | 10 +-
man/nslcd.conf.5.xml | 13 +++
nslcd/cfg.c | 7 ++
nslcd/cfg.h | 1 +
nslcd/group.c | 207 +++++++++++++++++++++++++++++++++-----
pynslcd/cfg.py | 3 +-
pynslcd/common.py | 17 ++-
pynslcd/group.py | 55 ++++++++--
tests/test.ldif | 272 +++++++++++++++++++++++++++++++++++++++++++++++--
tests/test_nsscmds.sh | 24 ++++-
11 files changed, 556 insertions(+), 54 deletions(-)
hooks/post-receive
--
nss-pam-ldapd
--
To unsubscribe send an email to
nss-pam-ldapd-commits-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-commits/
- nss-pam-ldapd branch master updated. 0.8.12-133-g3daa68d,
Commits of the nss-pam-ldapd project