author | Eric Covener <covener@apache.org> | 2013-09-11 18:22:18 +0000 |
---|---|---|
committer | Eric Covener <covener@apache.org> | 2013-09-11 18:22:18 +0000 |
commit | 7ae58cc772e26957d7654e65b3cbd6c33067cdc9 (patch) | |
tree | a827004c058e9813218b257c586560edba30bc3f /modules/ldap | |
parent | c2e05dfd8b52bb8e54b08c62494d9f98898a04af (diff) | |
comments only, before I task switch.
Subgroup checking is cached, but very inefficient for large groups.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1521973 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/ldap')
-rw-r--r-- | modules/ldap/util_ldap.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c index 461e48638a..0f2324e64f 100644 --- a/modules/ldap/util_ldap.c +++ b/modules/ldap/util_ldap.c @@ -1219,6 +1219,7 @@ static util_compare_subgroup_t* uldap_get_subgroups(request_rec *r, sgc_ents = (struct mod_auth_ldap_groupattr_entry_t *) subgroupclasses->elts; + /* XXX: attrs should not be required, they're just a secondary filtering */ if (!subgroupAttrs) { return res; } @@ -1242,6 +1243,7 @@ start_over: } /* try to do the search */ + /* XXX: this filter should include the subgroup object classes! */ result = ldap_search_ext_s(ldc->ldap, (char *)dn, LDAP_SCOPE_BASE, (char *)"cn=*", subgroupAttrs, 0, NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &sga_res); @@ -1295,12 +1297,17 @@ start_over: */ while (values[val_index]) { /* Check if this entry really is a group. */ + + /* XXX: This has to be wrong, we're iterating over subgroup attributes, + * but checking the objectClass of the subgroup. This could have been a filter. + */ + tmp_sgcIndex = 0; result = LDAP_COMPARE_FALSE; while ((tmp_sgcIndex < subgroupclasses->nelts) && (result != LDAP_COMPARE_TRUE)) { result = uldap_cache_compare(r, ldc, url, - values[val_index], + values[val_index], /* candidate subgroup DN */ "objectClass", sgc_ents[tmp_sgcIndex].name ); @@ -1310,6 +1317,11 @@ start_over: } } /* It's a group, so add it to the array. */ + + /* XXX: Hold on -- we never actually checked that the subgroup DN had any "subgroupattrs" in it. + * Maybe it's never actually been useful, IOW that objectClass is enough. + */ + if (result == LDAP_COMPARE_TRUE) { char **newgrp = (char **) apr_array_push(subgroups); *newgrp = apr_pstrdup(r->pool, values[val_index]); |
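Review bot: The XXX comment added above `if (!subgroupAttrs)` calls the attributes "just a secondary filtering", but the next hunk passes `subgroupAttrs` as the attribute list to `ldap_search_ext_s`, and the values iterated later are annotated as candidate subgroup DNs. As far as these hunks show, the attributes are what yields the candidates rather than a filter on them. The same uncertainty carries into the XXX notes before the search call and before `if (result == LDAP_COMPARE_TRUE)`. Because this routine appears to feed nested-group authorization decisions, I would record the observed behaviour instead, e.g. `/* No subgroup attributes configured: nested groups are not resolved at all. */`, and move the open questions to a tracked issue. The function body starts and ends outside these hunks, so where `values` is populated is not visible here.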
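Review bot: The inner `while` around `uldap_cache_compare` treats every result other than `LDAP_COMPARE_TRUE` alike, and the new comments do not say so. A candidate DN is dropped whether the compare returned false or, presumably, failed against the directory. A directory error during nested-group resolution would therefore read as "not a group"; that fails closed for allow rules but matters to anyone auditing a caller that negates the group check, if one exists. I would add above the loop `/* Any result other than LDAP_COMPARE_TRUE, errors included, drops this candidate. */`. The cost concern from the commit message also belongs at this spot, e.g. `/* Up to subgroupclasses->nelts compares per member value; large groups are expensive. */`.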