Re: Questions: Recursive group lookup

On Fri, 2010-01-29 at 17:44 +0100, Jan Schampera wrote:
> I was wondering about recursive lookup of posixGroup using uniqueMember
> attributes.
> Attached is a patch that kind of works. IT'S TEST CODE, nothing really
> serious.
> - It just makes nslcd/group.c:getmembers() a bit recursive

For this to be complete the signature of the getmembers() function
should be modified (having a set as an argument and not returning

> - I'm not entirely sure about the memory management there

The primary reason for the myldap code was to simplify memory management
(I can never remember which ldap_*() functions require you to call which
free() function if any).

As long as you use the myldap_*() code all allocated memory is
automatically cleared (myldap_get_entry() frees all memory from the
previous entry, myldap_search_close() any memory from entries and
searches and myldap_session_cleanup() memory from all searches in the

> - I'm not at all sure about the implications of a multithreaded
> environment there

Every nslcd thread has its own LDAP connection. According to the
OpenLDAP guys [0] this should be safe. The userdn to uid cache is shared
between the threads and is locked in all places where this is needed.

> - This code is interrupted by myldap_search() if the recursion depth is
> too high, that's why there is no own depth counter (in case you wonder)

Not a very elegant solution but it will work. Note that the number of
simultaneous searches in myldap is currently 4 which is probably too low
(dn2uid() may also perform a search) for this to be useful.

> Any hints or comments for the above issues?

One thing that stopped me from implementing this is that the reverse
lookup (NSLCD_ACTION_GROUP_BYMEMBER) can be tricky and slow (also has to
be recursive).

Anyway, thanks for looking into this. I know this is a feature that is
used in some environments.


-- arthur - - --
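
The recursion discussed in this thread, as an added example that is not code from the patch or from nss-pam-ldapd: members are collected into a set passed as an argument, a second set of visited group DNs stops cyclic nesting, and an explicit depth cap reports when a result may be incomplete. The in-memory table stands in for the LDAP searches, and every name and DN in it is constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SET 32  /* fixed capacity, enough for the constructed sample */
/* Constructed sample data: group DN plus its uniqueMember values. */
struct group { const char *dn; const char *members[4]; };
static const struct group GROUPS[] = {
    { "cn=admins,ou=groups", { "uid=alice,ou=people", "cn=ops,ou=groups", NULL } },
    { "cn=ops,ou=groups",    { "uid=bob,ou=people", "cn=admins,ou=groups", NULL } }, /* cycle */
    { "cn=staff,ou=groups",  { "cn=admins,ou=groups", "uid=alice,ou=people", NULL } },
};
struct set { const char *items[MAX_SET]; int n; };

/* Returns 1 if v was newly added, 0 if it was already present (or the set is full). */
static int set_add(struct set *s, const char *v) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->items[i], v) == 0) return 0;
    if (s->n == MAX_SET) return 0;
    s->items[s->n++] = v;
    return 1;
}
static const struct group *find_group(const char *dn) {
    for (size_t i = 0; i < sizeof GROUPS / sizeof GROUPS[0]; i++)
        if (strcmp(GROUPS[i].dn, dn) == 0) return &GROUPS[i];
    return NULL;
}
/* Collects user DNs reachable from group dn into users. Returns 0 on success,
   -1 if a nested group lay beyond max_depth (users may then be incomplete). */
int expand_group(const char *dn, struct set *users, struct set *seen,
                 int depth, int max_depth) {
    const struct group *g = find_group(dn);
    int rc = 0;
    if (g == NULL) return 0;
    if (!set_add(seen, dn)) return 0;      /* already expanded: breaks cycles */
    if (depth > max_depth) return -1;      /* refuse to descend any further */
    for (int i = 0; g->members[i] != NULL; i++) {
        if (find_group(g->members[i]) != NULL) {
            if (expand_group(g->members[i], users, seen, depth + 1, max_depth) < 0) rc = -1;
        } else
            set_add(users, g->members[i]); /* the set drops duplicate users */
    }
    return rc;
}
/* Number of distinct users in dn including nested groups, or -1 if truncated. */
int count_members(const char *dn, int max_depth) {
    struct set users = { {0}, 0 }, seen = { {0}, 0 };
    return expand_group(dn, &users, &seen, 0, max_depth) < 0 ? -1 : users.n;
}
int main(void) {
    printf("staff: %d members\n", count_members("cn=staff,ou=groups", 8));
    return 0;
}
```

Returning an error when the cap is hit lets the caller tell a truncated membership list apart from a complete one.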