
nss-pam-ldapd branch master updated. 0.9.5-3-gc0366d8


nss-pam-ldapd branch master updated. 0.9.5-3-gc0366d8



This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".

The branch, master has been updated
       via  c0366d86466482f4ad0c885239871e05e79fee26 (commit)
      from  96045d249eda023a0bc7b810553a5b529d2c991a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=c0366d86466482f4ad0c885239871e05e79fee26

commit c0366d86466482f4ad0c885239871e05e79fee26
Author: Andrew Elble <aweits@rit.edu>
Date:   Fri May 1 09:17:04 2015 -0400

    Implement disable_enumeration
    
    If this option is present, functions which cause all user/group entries
    to be loaded from the directory (getpwent(), getgrent()) will not
    succeed in doing so. This can dramatically reduce ldap server load in
    situations where there are a great number of users and/or groups.
    Applications that depend on being able to sequentially read all users
    and/or groups may fail to operate correctly. This option is not
    recommended for most configurations.

diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 0f27700..e6d5145 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -757,6 +757,27 @@
      </listitem>
     </varlistentry>
 
+    <varlistentry id="nss_disable_enumeration"> <!-- since 0.9.6 -->
+     <term><option>nss_disable_enumeration</option> yes|no</term>
+     <listitem>
+      <para>
+       If this option is set, functions which cause all user/group entries to
+       be loaded (getpwent(), getgrent(), setspent()) from the directory will
+       not succeed in doing so.
+       Applications that depend on being able to sequentially read all users
+       and/or groups may fail to operate correctly.
+      </para>
+      <para>
+       This can dramatically reduce <acronym>LDAP</acronym> server load in
+       situations where there are a great number of users and/or groups.
+       This is typically used in situations where user/program access to
+       enumerate the entire directory is undesirable, and changing the
+       behavior of the user/program is not possible.
+       This option is not recommended for most configurations.
+      </para>
+     </listitem>
+    </varlistentry>
+
     <varlistentry id="validnames"> <!-- since 0.8.2 -->
      <term><option>validnames</option> <replaceable>REGEX</replaceable></term>
      <listitem>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index d42fb71..e844af7 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -1192,6 +1192,7 @@ static void cfg_defaults(struct ldap_config *cfg)
   cfg->nss_min_uid = 0;
   cfg->nss_nested_groups = 0;
   cfg->nss_getgrent_skipmembers = 0;
+  cfg->nss_disable_enumeration = 0;
   cfg->validnames_str = NULL;
   handle_validnames(__FILE__, __LINE__, "",
                     "/^[a-z0-9._@$()]([a-z0-9._@$() 
\\~-]*[a-z0-9._@$()~-])?$/i",
@@ -1523,6 +1524,11 @@ static void cfg_read(const char *filename, struct 
ldap_config *cfg)
       cfg->nss_getgrent_skipmembers = get_boolean(filename, lnr, keyword, 
&line);
       get_eol(filename, lnr, keyword, &line);
     }
+    else if (strcasecmp(keyword, "nss_disable_enumeration") == 0)
+    {
+      cfg->nss_getgrent_skipmembers = get_boolean(filename, lnr, keyword, 
&line);
+      get_eol(filename, lnr, keyword, &line);
+    }
     else if (strcasecmp(keyword, "validnames") == 0)
     {
       handle_validnames(filename, lnr, keyword, line, cfg);
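Review bot: The new `nss_disable_enumeration` branch in cfg_read() stores the parsed value into `cfg->nss_getgrent_skipmembers` instead of `cfg->nss_disable_enumeration`, so the option never takes effect (the field keeps the 0 set in cfg_defaults() and the `!nslcd_cfg->nss_disable_enumeration` checks in nslcd.c always pass) and setting it silently overwrites whatever `nss_getgrent_skipmembers` the administrator configured. The assignment should read `cfg->nss_disable_enumeration = get_boolean(filename, lnr, keyword, &line);`. cfg_read() starts and ends outside the hunk.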
@@ -1792,6 +1798,7 @@ static void cfg_dump(void)
   log_log(LOG_DEBUG, "CFG: nss_min_uid %lu", (unsigned long 
int)nslcd_cfg->nss_min_uid);
   log_log(LOG_DEBUG, "CFG: nss_nested_groups %s", 
print_boolean(nslcd_cfg->nss_nested_groups));
   log_log(LOG_DEBUG, "CFG: nss_getgrent_skipmembers %s", 
print_boolean(nslcd_cfg->nss_getgrent_skipmembers));
+  log_log(LOG_DEBUG, "CFG: nss_disable_enumeration %s", 
print_boolean(nslcd_cfg->nss_disable_enumeration));
   log_log(LOG_DEBUG, "CFG: validnames %s", nslcd_cfg->validnames_str);
   log_log(LOG_DEBUG, "CFG: ignorecase %s", 
print_boolean(nslcd_cfg->ignorecase));
   for (i = 0; i < NSS_LDAP_CONFIG_MAX_AUTHZ_SEARCHES; i++)
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 6eef944..adc812b 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -123,6 +123,7 @@ struct ldap_config {
   uid_t nss_min_uid;  /* minimum uid for users retrieved from LDAP */
   int nss_nested_groups; /* whether to expand nested groups */
   int nss_getgrent_skipmembers;  /* whether to skip member lookups */
+  int nss_disable_enumeration;  /* enumeration turned on or off */
   regex_t validnames; /* the regular expression to determine valid names */
   char *validnames_str; /* string version of validnames regexp */
   int ignorecase; /* whether or not case should be ignored in lookups */
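Review bot: The comment on the new field, `/* enumeration turned on or off */`, does not say which value means what, and the field is a "disable" switch whose non-zero value makes the nslcd.c checks skip the `*_ALL` handlers. Suggest `/* whether to refuse full passwd/group/shadow enumeration (non-zero disables) */`, which also matches the "whether to ..." phrasing of the neighbouring `nss_nested_groups` and `nss_getgrent_skipmembers` comments. struct ldap_config continues outside the hunk.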
diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c
index 469793a..37a9167 100644
--- a/nslcd/nslcd.c
+++ b/nslcd/nslcd.c
@@ -390,7 +390,9 @@ static void handleconnection(int sock, MYLDAP_SESSION 
*session)
     case NSLCD_ACTION_GROUP_BYNAME:     (void)nslcd_group_byname(fp, session); 
break;
     case NSLCD_ACTION_GROUP_BYGID:      (void)nslcd_group_bygid(fp, session); 
break;
     case NSLCD_ACTION_GROUP_BYMEMBER:   (void)nslcd_group_bymember(fp, 
session); break;
-    case NSLCD_ACTION_GROUP_ALL:        (void)nslcd_group_all(fp, session); 
break;
+    case NSLCD_ACTION_GROUP_ALL:
+      if (!nslcd_cfg->nss_disable_enumeration) (void)nslcd_group_all(fp, 
session);
+      break;
     case NSLCD_ACTION_HOST_BYNAME:      (void)nslcd_host_byname(fp, session); 
break;
     case NSLCD_ACTION_HOST_BYADDR:      (void)nslcd_host_byaddr(fp, session); 
break;
     case NSLCD_ACTION_HOST_ALL:         (void)nslcd_host_all(fp, session); 
break;
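Review bot: When `nss_disable_enumeration` is set the `NSLCD_ACTION_GROUP_ALL` case now goes straight to `break` without writing anything to `fp`, so as far as this hunk shows the client sees only the stream being closed rather than a response header or result code; whether the client library treats that as an empty result or as a daemon failure is not visible here and is worth confirming, since the man page promises the call "will not succeed" rather than error out in some other way. The PASSWD_ALL and SHADOW_ALL hunks below share the same behaviour. A debug-level log entry, using the project's `log_log(LOG_DEBUG, ...)` as seen in cfg.c, e.g. `log_log(LOG_DEBUG, "enumeration disabled, request ignored");` before the `break`, would let an operator distinguish a disabled enumeration from a broken lookup. handleconnection() starts and ends outside the hunk.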
@@ -401,7 +403,9 @@ static void handleconnection(int sock, MYLDAP_SESSION 
*session)
     case NSLCD_ACTION_NETWORK_ALL:      (void)nslcd_network_all(fp, session); 
break;
     case NSLCD_ACTION_PASSWD_BYNAME:    (void)nslcd_passwd_byname(fp, session, 
uid); break;
     case NSLCD_ACTION_PASSWD_BYUID:     (void)nslcd_passwd_byuid(fp, session, 
uid); break;
-    case NSLCD_ACTION_PASSWD_ALL:       (void)nslcd_passwd_all(fp, session, 
uid); break;
+    case NSLCD_ACTION_PASSWD_ALL:
+      if (!nslcd_cfg->nss_disable_enumeration) (void)nslcd_passwd_all(fp, 
session, uid);
+      break;
     case NSLCD_ACTION_PROTOCOL_BYNAME:  (void)nslcd_protocol_byname(fp, 
session); break;
     case NSLCD_ACTION_PROTOCOL_BYNUMBER:(void)nslcd_protocol_bynumber(fp, 
session); break;
     case NSLCD_ACTION_PROTOCOL_ALL:     (void)nslcd_protocol_all(fp, session); 
break;
@@ -412,7 +416,9 @@ static void handleconnection(int sock, MYLDAP_SESSION 
*session)
     case NSLCD_ACTION_SERVICE_BYNUMBER: (void)nslcd_service_bynumber(fp, 
session); break;
     case NSLCD_ACTION_SERVICE_ALL:      (void)nslcd_service_all(fp, session); 
break;
     case NSLCD_ACTION_SHADOW_BYNAME:    (void)nslcd_shadow_byname(fp, session, 
uid); break;
-    case NSLCD_ACTION_SHADOW_ALL:       (void)nslcd_shadow_all(fp, session, 
uid); break;
+    case NSLCD_ACTION_SHADOW_ALL:
+      if (!nslcd_cfg->nss_disable_enumeration) (void)nslcd_shadow_all(fp, 
session, uid); break;
+      break;
     case NSLCD_ACTION_PAM_AUTHC:        (void)nslcd_pam_authc(fp, session, 
uid); break;
     case NSLCD_ACTION_PAM_AUTHZ:        (void)nslcd_pam_authz(fp, session); 
break;
     case NSLCD_ACTION_PAM_SESS_O:       (void)nslcd_pam_sess_o(fp, session); 
break;
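Review bot: In the `NSLCD_ACTION_SHADOW_ALL` case the added `if` line ends with `break;` after the conditional call, and the following added line is another `break;`; the first `break` is not inside the `if` body (it follows the call's `;`), so the second is unreachable dead code, and the layout differs from the GROUP_ALL and PASSWD_ALL cases in the hunks above. Drop the trailing `break;` from the `if` line so it reads `if (!nslcd_cfg->nss_disable_enumeration) (void)nslcd_shadow_all(fp, session, uid);` followed by the single `break;`. handleconnection() starts and ends outside the hunk.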
diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
index f9025fb..48ba4af 100644
--- a/pynslcd/cfg.py
+++ b/pynslcd/cfg.py
@@ -83,6 +83,7 @@ nss_initgroups_ignoreusers = set()
 nss_min_uid = 0
 nss_nested_groups = False
 nss_getgrent_skipmembers = False
+nss_disable_enumeration = False
 validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$ 
\\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
 pam_authz_searches = []
 pam_password_prohibit_message = None
@@ -176,7 +177,7 @@ def read(filename):
             globals()[m.group('keyword').lower()] = int(m.group('value'))
             continue
         # parse options with a single boolean argument
-        m = 
re.match('(?P<keyword>referrals|nss_nested_groups|nss_getgrent_skipmembers)\s+(?P<value>%s)'
 %
+        m = 
re.match('(?P<keyword>referrals|nss_nested_groups|nss_getgrent_skipmembers|nss_disable_enumeration)\s+(?P<value>%s)'
 %
                          '|'.join(_boolean_options.keys()),
                      line, re.IGNORECASE)
         if m:
diff --git a/pynslcd/group.py b/pynslcd/group.py
index d1412bb..bd26cf3 100644
--- a/pynslcd/group.py
+++ b/pynslcd/group.py
@@ -229,3 +229,7 @@ class GroupByMemberRequest(GroupRequest):
 class GroupAllRequest(GroupRequest):
 
     action = constants.NSLCD_ACTION_GROUP_ALL
+
+    def handle_request(self, parameters):
+        if not cfg.nss_disable_enumeration:
+            return super(GroupAllRequest, self).handle_request(parameters)
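Review bot: The `handle_request` override returns `None` without writing anything when `cfg.nss_disable_enumeration` is set, and the same pattern is repeated in the passwd.py and shadow.py hunks; what the caller does with that `None`, and whether the client then receives a well-formed empty result or only a closed stream, is not visible here and should be confirmed against the base class's `handle_request`. The method also lacks a docstring; suggest `"""Refuse full group enumeration when nss_disable_enumeration is set."""`. Unlike the shadow.py hunk, which adds `import cfg`, this hunk and the passwd.py one use `cfg` without a visible import, so presumably those modules already import it; worth checking. GroupAllRequest's class body is complete within the hunk.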
diff --git a/pynslcd/passwd.py b/pynslcd/passwd.py
index d65e556..c16d390 100644
--- a/pynslcd/passwd.py
+++ b/pynslcd/passwd.py
@@ -126,6 +126,10 @@ class PasswdAllRequest(PasswdRequest):
 
     action = constants.NSLCD_ACTION_PASSWD_ALL
 
+    def handle_request(self, parameters):
+        if not cfg.nss_disable_enumeration:
+            return super(PasswdAllRequest, self).handle_request(parameters)
+
 
 def uid2entry(conn, uid):
     """Look up the user by uid and return the LDAP entry or None if the user
diff --git a/pynslcd/shadow.py b/pynslcd/shadow.py
index 89dbbfa..7d0ebf9 100644
--- a/pynslcd/shadow.py
+++ b/pynslcd/shadow.py
@@ -19,6 +19,7 @@
 # 02110-1301 USA
 
 import cache
+import cfg
 import common
 import constants
 import search
@@ -125,3 +126,7 @@ class ShadowByNameRequest(ShadowRequest):
 class ShadowAllRequest(ShadowRequest):
 
     action = constants.NSLCD_ACTION_SHADOW_ALL
+
+    def handle_request(self, parameters):
+        if not cfg.nss_disable_enumeration:
+            return super(ShadowAllRequest, self).handle_request(parameters)

-----------------------------------------------------------------------

Summary of changes:
 man/nslcd.conf.5.xml |   21 +++++++++++++++++++++
 nslcd/cfg.c          |    7 +++++++
 nslcd/cfg.h          |    1 +
 nslcd/nslcd.c        |   12 +++++++++---
 pynslcd/cfg.py       |    3 ++-
 pynslcd/group.py     |    4 ++++
 pynslcd/passwd.py    |    4 ++++
 pynslcd/shadow.py    |    5 +++++
 8 files changed, 53 insertions(+), 4 deletions(-)


hooks/post-receive
-- 
nss-pam-ldapd
-- 