author | Arthur de Jong <arthur@arthurdejong.org> | 2014-01-05 22:11:20 +0100 |
---|---|---|
committer | Arthur de Jong <arthur@arthurdejong.org> | 2014-01-05 22:11:20 +0100 |
commit | c6c317ec9efb8190bdc1834091c4761b60637e7f (patch) | |
tree | 5525692071b163d3a464153aa77d39f8936820af /compat/derefctrl.c | |
parent | be94912a9d236bbe3d5b0e17b771727b0054906d (diff) | |
parent | 309b4bbbc040ce9f37ccf25399eacc5294bfc34f (diff) |
Implement deref control handling

This uses the LDAP_CONTROL_X_DEREF control as described in
draft-masarati-ldap-deref-00 to request the LDAP server to dereference
group member attribute values to uid attribute values.

This should reduce the number of searches that are required for
expanding group members that use the member attribute.

This mechanism could also be used to extract information on nested
groups but the gains are less clear there.

Not all LDAP servers support this control. In OpenLDAP, load the
(currently undocumented) deref overlay and enable it for the database to
take advantage of this improvement.

There is a functional difference when using this control. Any returned
deferred uid value returned by the LDAP server is accepted as a member.
No checks are performed to see if the user matches the search base and
search filters set for passwd entries.

Diffstat (limited to 'compat/derefctrl.c')
-rw-r--r-- | compat/derefctrl.c | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/compat/derefctrl.c b/compat/derefctrl.c new file mode 100644 index 0000000..9676c55 --- /dev/null +++ b/compat/derefctrl.c @@ -0,0 +1,50 @@ +/* + derefctrl.c - replacement function + + Copyright (C) 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA +*/ + +#include "config.h" + +#include <stdlib.h> +#include <lber.h> +#include <ldap.h> +#include <string.h> + +#include "compat/ldap_compat.h" +#include "compat/attrs.h" + +#ifdef REPLACE_LDAP_CREATE_DEREF_CONTROL +int replacement_ldap_create_deref_control(LDAP *ld, LDAPDerefSpec *ds, + int iscritical, LDAPControl **ctrlp) +{ + int rc; + struct berval value; + if (ctrlp == NULL) + return LDAP_PARAM_ERROR; + rc = ldap_create_deref_control_value(ld, ds, &value); + if (rc != LDAP_SUCCESS) + return rc; + rc = ldap_control_create(LDAP_CONTROL_X_DEREF, iscritical, &value, 0, ctrlp); + if (rc != LDAP_SUCCESS) + { + ber_memfree(value.bv_val); + } + return rc; +} +#endif /* REPLACE_LDAP_CREATE_DEREF_CONTROL */ |
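
Review bot: in replacement_ldap_create_deref_control() only ctrlp is checked before use; ld and ds are passed straight into ldap_create_deref_control_value(), and *ctrlp is never set to NULL, so a caller that frees its control pointer after an error return depends on having initialised it itself. Consider setting *ctrlp = NULL right after the NULL check and initialising the local with struct berval value = { 0, NULL };. The ownership rule also deserves a comment: the 0 passed as the fourth argument of ldap_control_create() means (assuming the usual OpenLDAP dupval semantics) that the new control takes over value.bv_val on success, which is why ber_memfree(value.bv_val) appears only in the failure branch. The header comment says just "replacement function"; naming ldap_create_deref_control() and the condition under which REPLACE_LDAP_CREATE_DEREF_CONTROL is defined would help, and stdlib.h and string.h look unused in the visible code.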