Re: Questions: Recursive group lookup
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Questions: Recursive group lookup
- Date: Fri, 29 Jan 2010 21:36:22 +0100
On Fri, 2010-01-29 at 17:44 +0100, Jan Schampera wrote:
> I was wondering about recursive lookup of posixGroup using uniqueMember
> attributes.
>
> Attached is a patch that kind of works. IT'S TEST CODE, nothing really
> serious.
>
> - It just makes nslcd/group.c:getmembers() a bit recursive
For this to be complete the signature of the getmembers() function
should be modified (having a set as an argument and not returning
anything).
> - I'm not entirely sure about the memory management there
The primary reason for the myldap code was to simplify memory management
(I can never remember which ldap_*() functions require you to call which
free() function if any).

As long as you use the myldap_*() code all allocated memory is
automatically cleared (myldap_get_entry() frees all memory from the
previous entry, myldap_search_close() any memory from entries and
searches and myldap_session_cleanup() memory from all searches in the
session).
> - I'm not at all sure about the implications of a multithreaded
> environment there
Every nslcd thread has its own LDAP connection. According to the
OpenLDAP guys [0] this should be safe. The userdn to uid cache is shared
between the threads and is locked in all places where this is needed.
> - This code is interrupted by myldap_search() if the recursion depth is
> too high, that's why there is no own depth counter (in case you wonder)
Not a very elegant solution but it will work. Note that the number of
simultaneous searches in myldap is currently 4 which is probably too low
(dn2uid() may also perform a search) for this to be useful.
> Any hints or comments for the above issues?
One thing that stopped me from implementing this is that the reverse
lookup (NSLCD_ACTION_GROUP_BYMEMBER) can be tricky and slow (also has to
be recursive).

Anyway, thanks for looking into this. I know this is a feature that is
used in some environments.

[0] http://www.openldap.org/lists/openldap-software/200606/msg00252.html
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
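
The reply above suggests that a recursive getmembers() should take a set as an argument instead of returning a list. The following is an added sketch of that shape, not code from nss-pam-ldapd or from the attached patch: it walks a constructed in-memory table instead of performing LDAP searches, and the names expand(), count_members(), DIR and MAX_DEPTH are hypothetical. A second set of already-expanded group DNs, plus an explicit depth cap, keeps a membership loop or a very deep nesting from recursing without bound.

```c
#include <string.h>
#define MAX_DEPTH 4   /* assumed nesting cap for this sketch */
#define MAX_SET 32
/* Constructed sample directory: an entry is a user (uid set) or a group. */
struct entry { const char *dn, *uid, *members[4]; };
static const struct entry DIR[] = {
  {"cn=admins,ou=g", NULL, {"uid=alice,ou=p", "cn=ops,ou=g", NULL}},
  {"cn=ops,ou=g", NULL, {"uid=bob,ou=p", "cn=admins,ou=g", NULL}}, /* loop */
  {"uid=alice,ou=p", "alice", {NULL}},
  {"uid=bob,ou=p", "bob", {NULL}},
};
struct set { const char *items[MAX_SET]; int n; };

/* Returns 1 only if v was newly added; duplicates and a full set return 0. */
static int set_add(struct set *s, const char *v)
{
  for (int i = 0; i < s->n; i++)
    if (strcmp(s->items[i], v) == 0) return 0;
  return s->n < MAX_SET ? (s->items[s->n++] = v, 1) : 0;
}
static const struct entry *lookup(const char *dn)
{
  for (size_t i = 0; i < sizeof(DIR) / sizeof(DIR[0]); i++)
    if (strcmp(DIR[i].dn, dn) == 0) return &DIR[i];
  return NULL;
}

/* Adds uids to out; seen holds the group DNs already expanded. */
static void expand(const char *dn, struct set *out, struct set *seen, int depth)
{
  const struct entry *e = lookup(dn);
  if (e == NULL) return;                                  /* dangling DN */
  if (e->uid != NULL) { set_add(out, e->uid); return; }   /* user entry */
  if (depth >= MAX_DEPTH || !set_add(seen, dn)) return;   /* cap or loop */
  for (int i = 0; e->members[i] != NULL; i++)
    expand(e->members[i], out, seen, depth + 1);
}

/* Hypothetical entry point: fills out and returns the number of users. */
int count_members(const char *group_dn, struct set *out)
{
  struct set seen = { {0}, 0 };
  out->n = 0;
  expand(group_dn, out, &seen, 0);
  return out->n;
}
int main(void)
{
  struct set m;
  return count_members("cn=admins,ou=g", &m) == 2 ? 0 : 1; /* alice, bob */
}
```

Because a full seen set makes set_add() return 0, the walk stops expanding further groups instead of continuing unchecked.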