Support blanking the member attribute

This allows remapping the member attribute to an empty string which
removes support for that attribute. This can reduce the number of search
operations if the attribute is not used.

3 files changed, 27 insertions, 16 deletions

diff --git a/nslcd/attmap.c b/nslcd/attmap.c
index 08130fa..1911273 100644
--- a/nslcd/attmap.c
+++ b/nslcd/attmap.c
@@ -2,7 +2,7 @@
    attmap.c - attribute mapping values and functions
    This file is part of the nss-pam-ldapd library.
 
-   Copyright (C) 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong
+   Copyright (C) 2007-2014 Arthur de Jong
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -217,6 +217,7 @@ const char *attmap_set_mapping(const char **var, const char *value)
        (note that this needs to match the functionality in the specific
        lookup module) */
     if ((var != &attmap_group_userPassword) &&
+        (var != &attmap_group_member) &&
         (var != &attmap_passwd_userPassword) &&
         (var != &attmap_passwd_gidNumber) &&
         (var != &attmap_passwd_gecos) &&
@@ -231,6 +232,9 @@ const char *attmap_set_mapping(const char **var, const char *value)
         (var != &attmap_shadow_shadowExpire) &&
         (var != &attmap_shadow_shadowFlag))
       return NULL;
+    /* the member attribute may only be set to an empty string */
+    if ((var == attmap_group_member) && (strcmp(value, "\"\"") != 0))
+      return NULL;
   }
   /* check if the value will be changed */
   if ((*var == NULL) || (strcmp(*var, value) != 0))
diff --git a/nslcd/group.c b/nslcd/group.c
index 5ce6730..1455930 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -123,7 +123,8 @@ static int mkfilter_group_bymember(MYLDAP_SESSION *session,
   if (myldap_escape(uid, safeuid, sizeof(safeuid)))
     return -1;
   /* try to translate uid to DN */
-  if (uid2dn(session, uid, dn, sizeof(dn)) == NULL)
+  if ((strcasecmp(attmap_group_member, "\"\"") == 0) ||
+      (uid2dn(session, uid, dn, sizeof(dn)) == NULL))
     return mysnprintf(buffer, buflen, "(&%s(%s=%s))",
                       group_filter, attmap_group_memberUid, safeuid);
   /* escape DN */
@@ -227,6 +228,9 @@ static void getmembers(MYLDAP_ENTRY *entry, MYLDAP_SESSION *session,
       if (isvalidname(values[i]))
         set_add(members, values[i]);
     }
+  /* skip rest if attmap_group_member is blank */
+  if (strcasecmp(attmap_group_member, "\"\"") == 0)
+    return;
   /* add the member values */
   values = myldap_get_values(entry, attmap_group_member);
   if (values != NULL)
@@ -423,7 +427,7 @@ int nslcd_group_bymember(TFILE *fp, MYLDAP_SESSION *session)
     log_log(LOG_WARNING, "nslcd_group_bymember(): filter buffer too small");
     return -1;
   }
-  if (nslcd_cfg->nss_nested_groups)
+  if ((nslcd_cfg->nss_nested_groups) && (strcasecmp(attmap_group_member, "\"\"") != 0))
   {
     seen = set_new();
     tocheck = set_new();
diff --git a/pynslcd/group.py b/pynslcd/group.py
index da2d315..c8abfe5 100644
--- a/pynslcd/group.py
+++ b/pynslcd/group.py
@@ -1,7 +1,7 @@
 
 # group.py - group entry lookup routines
 #
-# Copyright (C) 2010, 2011, 2012, 2013 Arthur de Jong
+# Copyright (C) 2010-2014 Arthur de Jong
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -55,8 +55,10 @@ class Search(search.LDAPSearch):
         if 'memberUid' in self.parameters or 'member' in self.parameters:
             # set up our own attributes that leave out membership attributes
             self.attributes = list(self.attributes)
-            self.attributes.remove(attmap['memberUid'])
-            self.attributes.remove(attmap['member'])
+            if attmap['memberUid'] in self.attributes:
+                self.attributes.remove(attmap['memberUid'])
+            if attmap['member'] in self.attributes:
+                self.attributes.remove(attmap['member'])
 
     def mk_filter(self):
         # we still need a custom mk_filter because this is an | query
@@ -125,15 +127,16 @@ class GroupRequest(common.Request):
             if common.is_valid_name(member):
                 members.add(member)
         # translate and add the member values
-        for memberdn in clean(attributes['member']):
-            if memberdn in seen:
-                continue
-            seen.add(memberdn)
-            member = passwd.dn2uid(self.conn, memberdn)
-            if member and common.is_valid_name(member):
-                members.add(member)
-            elif cfg.nss_nested_groups:
-                subgroups.append(memberdn)
+        if attmap['member']:
+            for memberdn in clean(attributes['member']):
+                if memberdn in seen:
+                    continue
+                seen.add(memberdn)
+                member = passwd.dn2uid(self.conn, memberdn)
+                if member and common.is_valid_name(member):
+                    members.add(member)
+                elif cfg.nss_nested_groups:
+                    subgroups.append(memberdn)
 
     def convert(self, dn, attributes, parameters):
         # get group names and check against requested group name
@@ -200,7 +203,7 @@ class GroupByMemberRequest(GroupRequest):
             seen.add(dn)
             for values in self.convert(dn, attributes, parameters):
                 yield values
-        if cfg.nss_nested_groups:
+        if cfg.nss_nested_groups and attmap['member']:
             tocheck = list(seen)
             # find parent groups
             while tocheck: