authorArthur de Jong <arthur@arthurdejong.org>2014-01-05 22:11:20 +0100
committerArthur de Jong <arthur@arthurdejong.org>2014-01-05 22:11:20 +0100
commitc6c317ec9efb8190bdc1834091c4761b60637e7f (patch)
tree5525692071b163d3a464153aa77d39f8936820af /compat/ldap_compat.h
parentbe94912a9d236bbe3d5b0e17b771727b0054906d (diff)
parent309b4bbbc040ce9f37ccf25399eacc5294bfc34f (diff)
Implement deref control handling
This uses the LDAP_CONTROL_X_DEREF control as described in draft-masarati-ldap-deref-00 to request the LDAP server to dereference group member attribute values to uid attribute values. This should reduce the number of searches that are required for expanding group members that use the member attribute. This mechanism could also be used to extract information on nested groups but the gains are less clear there. Not all LDAP servers support this control. In OpenLDAP, load the (currently undocumented) deref overlay and enable it for the database to take advantage of this improvement. There is a functional difference when using this control. Any dereferenced uid value returned by the LDAP server is accepted as a member. No checks are performed to see if the user matches the search base and search filters set for passwd entries.
Diffstat (limited to 'compat/ldap_compat.h')
-rw-r--r--compat/ldap_compat.h13
1 files changed, 12 insertions, 1 deletions
diff --git a/compat/ldap_compat.h b/compat/ldap_compat.h
index 6e9c6b1..b69974f 100644
--- a/compat/ldap_compat.h
+++ b/compat/ldap_compat.h
@@ -1,7 +1,7 @@
/*
ldap_compat.h - provide a replacement definitions for some ldap functions
- Copyright (C) 2009, 2010, 2012, 2013 Arthur de Jong
+ Copyright (C) 2009-2013 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -80,6 +80,14 @@ int ldap_parse_passwordpolicy_control(LDAP *ld, LDAPControl *ctrl,
const char *ldap_passwordpolicy_err2txt(LDAPPasswordPolicyError error);
#endif /* HAVE_LDAP_PASSWORDPOLICY_ERR2TXT */
+#ifdef REPLACE_LDAP_CREATE_DEREF_CONTROL
+/* provide a replacement implementation of ldap_create_deref_control() */
+int replacement_ldap_create_deref_control(LDAP *ld, LDAPDerefSpec *ds,
+ int iscritical, LDAPControl **ctrlp);
+#define ldap_create_deref_control(ld, dc, iscritical, ctrlp) \
+ replacement_ldap_create_deref_control(ld, dc, iscritical, ctrlp)
+#endif /* REPLACE_LDAP_CREATE_DEREF_CONTROL */
+
/* compatibility definition */
#ifndef LDAP_SASL_QUIET
#define LDAP_SASL_QUIET 2U
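Review bot: The macro added for `ldap_create_deref_control` names its second parameter `dc` while the prototype directly above it calls the same argument `ds`, and the one-line comment on the declaration does not state the contract. Using `ds` in both places keeps them aligned: `#define ldap_create_deref_control(ld, ds, iscritical, ctrlp) \` followed by `replacement_ldap_create_deref_control(ld, ds, iscritical, ctrlp)`. I would also extend the comment to say what the function returns and who releases `*ctrlp`; the implementation is not part of this hunk, so that wording has to be checked against it. The prototype depends on `LDAPDerefSpec` being declared by the system LDAP headers, which presumably the configure check behind `REPLACE_LDAP_CREATE_DEREF_CONTROL` guarantees.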
@@ -106,5 +114,8 @@ const char *ldap_passwordpolicy_err2txt(LDAPPasswordPolicyError error);
#ifndef LDAP_CONTROL_PASSWORDPOLICYRESPONSE
#define LDAP_CONTROL_PASSWORDPOLICYRESPONSE "1.3.6.1.4.1.42.2.27.8.5.1"
#endif /* LDAP_CONTROL_PASSWORDPOLICYRESPONSE */
+#ifndef LDAP_CONTROL_X_DEREF
+#define LDAP_CONTROL_X_DEREF "1.3.6.1.4.1.4203.666.5.16"
+#endif /* LDAP_CONTROL_X_DEREF */
#endif /* COMPAT__LDAP_COMPAT_H */
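Review bot: The fallback `LDAP_CONTROL_X_DEREF` definition carries no comment on where the OID comes from or what relying on it implies. The value sits under 1.3.6.1.4.1.4203.666, OpenLDAP's experimental arc, and the commit description says that not all servers support the control and that dereferenced uid values are accepted as members without the passwd search base and filter checks. A short comment such as `/* deref control OID from draft-masarati-ldap-deref-00 (experimental); returned uid values are not checked against the passwd base/filter */` would make that visible to someone auditing group membership handling from this header.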