nss-pam-ldapd branch master updated. 0.9.5-3-gc0366d8
nss-pam-ldapd branch master updated. 0.9.5-3-gc0366d8
- From: Commits of the nss-pam-ldapd project <nss-pam-ldapd-commits [at] lists.arthurdejong.org>
- To: nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nss-pam-ldapd branch master updated. 0.9.5-3-gc0366d8
- Date: Fri, 1 May 2015 21:09:07 +0200 (CEST)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".
The branch, master has been updated
via c0366d86466482f4ad0c885239871e05e79fee26 (commit)
from 96045d249eda023a0bc7b810553a5b529d2c991a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=c0366d86466482f4ad0c885239871e05e79fee26
commit c0366d86466482f4ad0c885239871e05e79fee26
Author: Andrew Elble <aweits@rit.edu>
Date: Fri May 1 09:17:04 2015 -0400
Implement disable_enumeration
If this option is present, functions which cause all user/group entries
to be loaded (getpwent(), getgrent()) from the directory will not
succeed in doing so. This can dramatically reduce ldap server load in
situations where there are a great number of users and/or groups.
Applications that depend on being able to sequentially read all users
and/or groups may fail to operate correctly. This option is not
recommended for most configurations.
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 0f27700..e6d5145 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -757,6 +757,27 @@
</listitem>
</varlistentry>
+ <varlistentry id="nss_disable_enumeration"> <!-- since 0.9.6 -->
+ <term><option>nss_disable_enumeration</option> yes|no</term>
+ <listitem>
+ <para>
+ If this option is set, functions which cause all user/group entries to
+ be loaded (getpwent(), getgrent(), setspent()) from the directory will
+ not succeed in doing so.
+ Applications that depend on being able to sequentially read all users
+ and/or groups may fail to operate correctly.
+ </para>
+ <para>
+ This can dramatically reduce <acronym>LDAP</acronym> server load in
+ situations where there are a great number of users and/or groups.
+ This is typically used in situations where user/program access to
+ enumerate the entire directory is undesirable, and changing the
+ behavior of the user/program is not possible.
+ This option is not recommended for most configurations.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="validnames"> <!-- since 0.8.2 -->
<term><option>validnames</option> <replaceable>REGEX</replaceable></term>
<listitem>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index d42fb71..e844af7 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -1192,6 +1192,7 @@ static void cfg_defaults(struct ldap_config *cfg)
cfg->nss_min_uid = 0;
cfg->nss_nested_groups = 0;
cfg->nss_getgrent_skipmembers = 0;
+ cfg->nss_disable_enumeration = 0;
cfg->validnames_str = NULL;
handle_validnames(__FILE__, __LINE__, "",
"/^[a-z0-9._@$()]([a-z0-9._@$()
\\~-]*[a-z0-9._@$()~-])?$/i",
@@ -1523,6 +1524,11 @@ static void cfg_read(const char *filename, struct
ldap_config *cfg)
cfg->nss_getgrent_skipmembers = get_boolean(filename, lnr, keyword,
&line);
get_eol(filename, lnr, keyword, &line);
}
+ else if (strcasecmp(keyword, "nss_disable_enumeration") == 0)
+ {
+ cfg->nss_getgrent_skipmembers = get_boolean(filename, lnr, keyword,
&line);
+ get_eol(filename, lnr, keyword, &line);
+ }
else if (strcasecmp(keyword, "validnames") == 0)
{
handle_validnames(filename, lnr, keyword, line, cfg);
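Review bot: The new `nss_disable_enumeration` branch stores the parsed value in the wrong field: `cfg->nss_getgrent_skipmembers = get_boolean(filename, lnr, keyword, &line);` is a copy of the preceding branch, so `cfg->nss_disable_enumeration` keeps its default of 0 whatever nslcd.conf says, and the setting instead silently toggles member-lookup skipping. An administrator who enables the option to limit directory exposure therefore gets no enumeration protection and no error or log entry pointing at the cause; the only visible hint is the `CFG: nss_disable_enumeration no` line in cfg_dump() output. The assignment should read `cfg->nss_disable_enumeration = get_boolean(filename, lnr, keyword, &line);`. cfg_read() starts and ends outside the hunk.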
@@ -1792,6 +1798,7 @@ static void cfg_dump(void)
log_log(LOG_DEBUG, "CFG: nss_min_uid %lu", (unsigned long
int)nslcd_cfg->nss_min_uid);
log_log(LOG_DEBUG, "CFG: nss_nested_groups %s",
print_boolean(nslcd_cfg->nss_nested_groups));
log_log(LOG_DEBUG, "CFG: nss_getgrent_skipmembers %s",
print_boolean(nslcd_cfg->nss_getgrent_skipmembers));
+ log_log(LOG_DEBUG, "CFG: nss_disable_enumeration %s",
print_boolean(nslcd_cfg->nss_disable_enumeration));
log_log(LOG_DEBUG, "CFG: validnames %s", nslcd_cfg->validnames_str);
log_log(LOG_DEBUG, "CFG: ignorecase %s",
print_boolean(nslcd_cfg->ignorecase));
for (i = 0; i < NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES; i++)
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 6eef944..adc812b 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -123,6 +123,7 @@ struct ldap_config {
uid_t nss_min_uid; /* minimum uid for users retrieved from LDAP */
int nss_nested_groups; /* whether to expand nested groups */
int nss_getgrent_skipmembers; /* whether to skip member lookups */
+ int nss_disable_enumeration; /* enumeration turned on or off */
regex_t validnames; /* the regular expression to determine valid names */
char *validnames_str; /* string version of validnames regexp */
int ignorecase; /* whether or not case should be ignored in lookups */
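Review bot: The comment on the new field does not say which value means what — `int nss_disable_enumeration; /* enumeration turned on or off */` — while the neighbouring fields are phrased as "whether to …". Since the nslcd.c change skips the *_ALL handlers when the flag is non-zero, suggest `/* whether to skip handling of enumeration (*_ALL) requests */` so the polarity is clear at the declaration.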
diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c
index 469793a..37a9167 100644
--- a/nslcd/nslcd.c
+++ b/nslcd/nslcd.c
@@ -390,7 +390,9 @@ static void handleconnection(int sock, MYLDAP_SESSION
*session)
case NSLCD_ACTION_GROUP_BYNAME: (void)nslcd_group_byname(fp, session);
break;
case NSLCD_ACTION_GROUP_BYGID: (void)nslcd_group_bygid(fp, session);
break;
case NSLCD_ACTION_GROUP_BYMEMBER: (void)nslcd_group_bymember(fp,
session); break;
- case NSLCD_ACTION_GROUP_ALL: (void)nslcd_group_all(fp, session);
break;
+ case NSLCD_ACTION_GROUP_ALL:
+ if (!nslcd_cfg->nss_disable_enumeration) (void)nslcd_group_all(fp,
session);
+ break;
case NSLCD_ACTION_HOST_BYNAME: (void)nslcd_host_byname(fp, session);
break;
case NSLCD_ACTION_HOST_BYADDR: (void)nslcd_host_byaddr(fp, session);
break;
case NSLCD_ACTION_HOST_ALL: (void)nslcd_host_all(fp, session);
break;
@@ -401,7 +403,9 @@ static void handleconnection(int sock, MYLDAP_SESSION
*session)
case NSLCD_ACTION_NETWORK_ALL: (void)nslcd_network_all(fp, session);
break;
case NSLCD_ACTION_PASSWD_BYNAME: (void)nslcd_passwd_byname(fp, session,
uid); break;
case NSLCD_ACTION_PASSWD_BYUID: (void)nslcd_passwd_byuid(fp, session,
uid); break;
- case NSLCD_ACTION_PASSWD_ALL: (void)nslcd_passwd_all(fp, session,
uid); break;
+ case NSLCD_ACTION_PASSWD_ALL:
+ if (!nslcd_cfg->nss_disable_enumeration) (void)nslcd_passwd_all(fp,
session, uid);
+ break;
case NSLCD_ACTION_PROTOCOL_BYNAME: (void)nslcd_protocol_byname(fp,
session); break;
case NSLCD_ACTION_PROTOCOL_BYNUMBER:(void)nslcd_protocol_bynumber(fp,
session); break;
case NSLCD_ACTION_PROTOCOL_ALL: (void)nslcd_protocol_all(fp, session);
break;
@@ -412,7 +416,9 @@ static void handleconnection(int sock, MYLDAP_SESSION
*session)
case NSLCD_ACTION_SERVICE_BYNUMBER: (void)nslcd_service_bynumber(fp,
session); break;
case NSLCD_ACTION_SERVICE_ALL: (void)nslcd_service_all(fp, session);
break;
case NSLCD_ACTION_SHADOW_BYNAME: (void)nslcd_shadow_byname(fp, session,
uid); break;
- case NSLCD_ACTION_SHADOW_ALL: (void)nslcd_shadow_all(fp, session,
uid); break;
+ case NSLCD_ACTION_SHADOW_ALL:
+ if (!nslcd_cfg->nss_disable_enumeration) (void)nslcd_shadow_all(fp,
session, uid); break;
+ break;
case NSLCD_ACTION_PAM_AUTHC: (void)nslcd_pam_authc(fp, session,
uid); break;
case NSLCD_ACTION_PAM_AUTHZ: (void)nslcd_pam_authz(fp, session);
break;
case NSLCD_ACTION_PAM_SESS_O: (void)nslcd_pam_sess_o(fp, session);
break;
diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
index f9025fb..48ba4af 100644
--- a/pynslcd/cfg.py
+++ b/pynslcd/cfg.py
@@ -83,6 +83,7 @@ nss_initgroups_ignoreusers = set()
nss_min_uid = 0
nss_nested_groups = False
nss_getgrent_skipmembers = False
+nss_disable_enumeration = False
validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$
\\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
pam_authz_searches = []
pam_password_prohibit_message = None
@@ -176,7 +177,7 @@ def read(filename):
globals()[m.group('keyword').lower()] = int(m.group('value'))
continue
# parse options with a single boolean argument
- m =
re.match('(?P<keyword>referrals|nss_nested_groups|nss_getgrent_skipmembers)\s+(?P<value>%s)'
%
+ m =
re.match('(?P<keyword>referrals|nss_nested_groups|nss_getgrent_skipmembers|nss_disable_enumeration)\s+(?P<value>%s)'
%
'|'.join(_boolean_options.keys()),
line, re.IGNORECASE)
if m:
diff --git a/pynslcd/group.py b/pynslcd/group.py
index d1412bb..bd26cf3 100644
--- a/pynslcd/group.py
+++ b/pynslcd/group.py
@@ -229,3 +229,7 @@ class GroupByMemberRequest(GroupRequest):
class GroupAllRequest(GroupRequest):
action = constants.NSLCD_ACTION_GROUP_ALL
+
+ def handle_request(self, parameters):
+ if not cfg.nss_disable_enumeration:
+ return super(GroupAllRequest, self).handle_request(parameters)
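Review bot: The new `handle_request` override returns `None` without calling the base implementation when `cfg.nss_disable_enumeration` is set, so — assuming the base class is what writes the response header and results — the client gets no reply at all rather than an empty result list; a one-line docstring should state that, e.g. `"""Skip enumeration (no response is written) when nss_disable_enumeration is set."""`. The same override is added in passwd.py and shadow.py; shadow.py needed a new `import cfg` while group.py and passwd.py did not get one, so confirm both modules already import cfg, otherwise the override fails with NameError only on the first enumeration request. A `log.debug` when a request is dropped would help operators find applications that still depend on enumeration. GroupAllRequest's base class is outside the hunk.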
diff --git a/pynslcd/passwd.py b/pynslcd/passwd.py
index d65e556..c16d390 100644
--- a/pynslcd/passwd.py
+++ b/pynslcd/passwd.py
@@ -126,6 +126,10 @@ class PasswdAllRequest(PasswdRequest):
action = constants.NSLCD_ACTION_PASSWD_ALL
+ def handle_request(self, parameters):
+ if not cfg.nss_disable_enumeration:
+ return super(PasswdAllRequest, self).handle_request(parameters)
+
def uid2entry(conn, uid):
"""Look up the user by uid and return the LDAP entry or None if the user
diff --git a/pynslcd/shadow.py b/pynslcd/shadow.py
index 89dbbfa..7d0ebf9 100644
--- a/pynslcd/shadow.py
+++ b/pynslcd/shadow.py
@@ -19,6 +19,7 @@
# 02110-1301 USA
import cache
+import cfg
import common
import constants
import search
@@ -125,3 +126,7 @@ class ShadowByNameRequest(ShadowRequest):
class ShadowAllRequest(ShadowRequest):
action = constants.NSLCD_ACTION_SHADOW_ALL
+
+ def handle_request(self, parameters):
+ if not cfg.nss_disable_enumeration:
+ return super(ShadowAllRequest, self).handle_request(parameters)
-----------------------------------------------------------------------
Summary of changes:
man/nslcd.conf.5.xml | 21 +++++++++++++++++++++
nslcd/cfg.c | 7 +++++++
nslcd/cfg.h | 1 +
nslcd/nslcd.c | 12 +++++++++---
pynslcd/cfg.py | 3 ++-
pynslcd/group.py | 4 ++++
pynslcd/passwd.py | 4 ++++
pynslcd/shadow.py | 5 +++++
8 files changed, 53 insertions(+), 4 deletions(-)
hooks/post-receive