Blame SOURCES/0023-nss-idmap-add-nss-like-calls-with-timeout-and-flags.patch

9f2ebf
From 15d7f1aeb541615314b914b6be1149f6e289d3e2 Mon Sep 17 00:00:00 2001
9f2ebf
From: Sumit Bose <sbose@redhat.com>
9f2ebf
Date: Fri, 29 Sep 2017 16:16:01 +0200
9f2ebf
Subject: [PATCH 23/31] nss-idmap: add nss like calls with timeout and flags
9f2ebf
9f2ebf
This patch adds new calls to libsss_nss_idmap to get NSS like user and
9f2ebf
group information directly from SSSD without using the system's NSS
9f2ebf
interfaces.
9f2ebf
9f2ebf
Additionally a timeout and a flags options are added which are not
9f2ebf
available for system's NSS.
9f2ebf
9f2ebf
Related to https://pagure.io/SSSD/sssd/issue/2478
9f2ebf
9f2ebf
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
9f2ebf
(cherry picked from commit 5e6622722e84d594298a8324f3685a1bda2b5868)
9f2ebf
---
9f2ebf
 Makefile.am                                  |  22 +-
9f2ebf
 configure.ac                                 |  13 +
9f2ebf
 src/sss_client/common.c                      |   9 +-
9f2ebf
 src/sss_client/common_private.h              |  41 +++
9f2ebf
 src/sss_client/idmap/common_ex.c             | 105 +++++++
9f2ebf
 src/sss_client/idmap/sss_nss_ex.c            | 402 +++++++++++++++++++++++++++
9f2ebf
 src/sss_client/idmap/sss_nss_idmap.exports   |  10 +
9f2ebf
 src/sss_client/idmap/sss_nss_idmap.h         | 135 +++++++++
9f2ebf
 src/sss_client/idmap/sss_nss_idmap_private.h |  30 ++
9f2ebf
 9 files changed, 757 insertions(+), 10 deletions(-)
9f2ebf
 create mode 100644 src/sss_client/common_private.h
9f2ebf
 create mode 100644 src/sss_client/idmap/common_ex.c
9f2ebf
 create mode 100644 src/sss_client/idmap/sss_nss_ex.c
9f2ebf
 create mode 100644 src/sss_client/idmap/sss_nss_idmap_private.h
9f2ebf
9f2ebf
diff --git a/Makefile.am b/Makefile.am
9f2ebf
index dc2f4b1857ce5bd376544488348731be29b6b293..dd25d1f7ea1be66388aa1b393bac290c4d7501a2 100644
9f2ebf
--- a/Makefile.am
9f2ebf
+++ b/Makefile.am
9f2ebf
@@ -1159,13 +1159,28 @@ pkgconfig_DATA += src/sss_client/idmap/sss_nss_idmap.pc
9f2ebf
 libsss_nss_idmap_la_DEPENDENCIES = src/sss_client/idmap/sss_nss_idmap.exports
9f2ebf
 libsss_nss_idmap_la_SOURCES = \
9f2ebf
     src/sss_client/idmap/sss_nss_idmap.c \
9f2ebf
+    src/sss_client/idmap/sss_nss_ex.c \
9f2ebf
+    src/sss_client/idmap/sss_nss_idmap_private.h \
9f2ebf
     src/sss_client/common.c \
9f2ebf
-    src/util/strtonum.c
9f2ebf
+    src/sss_client/idmap/common_ex.c \
9f2ebf
+    src/sss_client/nss_mc_passwd.c \
9f2ebf
+    src/sss_client/nss_passwd.c \
9f2ebf
+    src/sss_client/nss_mc_group.c \
9f2ebf
+    src/sss_client/nss_group.c \
9f2ebf
+    src/sss_client/nss_mc_initgr.c \
9f2ebf
+    src/sss_client/nss_mc_common.c \
9f2ebf
+    src/util/strtonum.c \
9f2ebf
+    src/util/murmurhash3.c \
9f2ebf
+    src/util/io.c \
9f2ebf
+    $(NULL)
9f2ebf
 libsss_nss_idmap_la_LIBADD = \
9f2ebf
-    $(CLIENT_LIBS)
9f2ebf
+    $(LIBCLOCK_GETTIME) \
9f2ebf
+    $(CLIENT_LIBS) \
9f2ebf
+    -lpthread \
9f2ebf
+    $(NULL)
9f2ebf
 libsss_nss_idmap_la_LDFLAGS = \
9f2ebf
     -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.exports \
9f2ebf
-    -version-info 3:0:3
9f2ebf
+    -version-info 4:0:4
9f2ebf
 
9f2ebf
 dist_noinst_DATA += src/sss_client/idmap/sss_nss_idmap.exports
9f2ebf
 
9f2ebf
@@ -3624,6 +3639,7 @@ libnss_sss_la_SOURCES = \
9f2ebf
     src/sss_client/sss_cli.h \
9f2ebf
     src/sss_client/nss_compat.h \
9f2ebf
     src/sss_client/nss_common.h \
9f2ebf
+    src/sss_client/common_private.h \
9f2ebf
     src/sss_client/nss_mc_common.c \
9f2ebf
     src/util/io.c \
9f2ebf
     src/util/murmurhash3.c \
9f2ebf
diff --git a/configure.ac b/configure.ac
9f2ebf
index 7037927b5f7045b29d3774c85758e00e35e6def6..7e699d33e342c70d210d3f320c8a29a99e0c78a6 100644
9f2ebf
--- a/configure.ac
9f2ebf
+++ b/configure.ac
9f2ebf
@@ -75,6 +75,19 @@ AC_SEARCH_LIBS([timer_create], [rt posix4],
9f2ebf
 AC_SUBST([LIBADD_TIMER])
9f2ebf
 LIBS=$SAVE_LIBS
9f2ebf
 
9f2ebf
+# Check library for the clock_gettime function
9f2ebf
+SAVE_LIBS=$LIBS
9f2ebf
+LIBS=
9f2ebf
+LIBCLOCK_GETTIME=
9f2ebf
+AC_SEARCH_LIBS([clock_gettime], [rt posix4],
9f2ebf
+    [AC_DEFINE([HAVE_LIBRT], [1],
9f2ebf
+         [Define if you have the librt library or equivalent.])
9f2ebf
+     LIBCLOCK_GETTIME="$LIBS"],
9f2ebf
+    [AC_MSG_ERROR([unable to find library for the clock_gettime() function])])
9f2ebf
+
9f2ebf
+AC_SUBST([LIBCLOCK_GETTIME])
9f2ebf
+LIBS=$SAVE_LIBS
9f2ebf
+
9f2ebf
 # Check for presence of modern functions for setting file timestamps
9f2ebf
 AC_CHECK_FUNCS([ utimensat \
9f2ebf
                  futimens ])
9f2ebf
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
9f2ebf
index e5e0cbf854e4c977c03f9b1ca1ac90bfd8cbdb77..40252a35281dc4e94c712c3e7f8253af8b19b35a 100644
9f2ebf
--- a/src/sss_client/common.c
9f2ebf
+++ b/src/sss_client/common.c
9f2ebf
@@ -43,6 +43,7 @@
9f2ebf
 #include <libintl.h>
9f2ebf
 #define _(STRING) dgettext (PACKAGE, STRING)
9f2ebf
 #include "sss_cli.h"
9f2ebf
+#include "common_private.h"
9f2ebf
 
9f2ebf
 #if HAVE_PTHREAD
9f2ebf
 #include <pthread.h>
9f2ebf
@@ -1113,13 +1114,7 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len)
9f2ebf
 #if HAVE_PTHREAD
9f2ebf
 typedef void (*sss_mutex_init)(void);
9f2ebf
 
9f2ebf
-struct sss_mutex {
9f2ebf
-    pthread_mutex_t mtx;
9f2ebf
-
9f2ebf
-    int old_cancel_state;
9f2ebf
-};
9f2ebf
-
9f2ebf
-static struct sss_mutex sss_nss_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
9f2ebf
+struct sss_mutex sss_nss_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
9f2ebf
 
9f2ebf
 static struct sss_mutex sss_pam_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
9f2ebf
 
9f2ebf
diff --git a/src/sss_client/common_private.h b/src/sss_client/common_private.h
9f2ebf
new file mode 100644
9f2ebf
index 0000000000000000000000000000000000000000..a98d2c062caeecdbab02ecdaa6ae44d688a791bb
9f2ebf
--- /dev/null
9f2ebf
+++ b/src/sss_client/common_private.h
9f2ebf
@@ -0,0 +1,41 @@
9f2ebf
+/*
9f2ebf
+    SSSD
9f2ebf
+
9f2ebf
+    SSS client - private calls
9f2ebf
+
9f2ebf
+    Authors:
9f2ebf
+        Sumit Bose <sbose@redhat.com>
9f2ebf
+
9f2ebf
+    Copyright (C) 2017 Red Hat
9f2ebf
+
9f2ebf
+    This program is free software; you can redistribute it and/or modify
9f2ebf
+    it under the terms of the GNU General Public License as published by
9f2ebf
+    the Free Software Foundation; either version 3 of the License, or
9f2ebf
+    (at your option) any later version.
9f2ebf
+
9f2ebf
+    This program is distributed in the hope that it will be useful,
9f2ebf
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
9f2ebf
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
9f2ebf
+    GNU General Public License for more details.
9f2ebf
+
9f2ebf
+    You should have received a copy of the GNU General Public License
9f2ebf
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
9f2ebf
+*/
9f2ebf
+
9f2ebf
+#ifndef COMMON_PRIVATE_H_
9f2ebf
+#define COMMON_PRIVATE_H_
9f2ebf
+
9f2ebf
+#include "config.h"
9f2ebf
+
9f2ebf
+#if HAVE_PTHREAD
9f2ebf
+#include <pthread.h>
9f2ebf
+
9f2ebf
+struct sss_mutex {
9f2ebf
+    pthread_mutex_t mtx;
9f2ebf
+
9f2ebf
+    int old_cancel_state;
9f2ebf
+};
9f2ebf
+
9f2ebf
+#endif /* HAVE_PTHREAD */
9f2ebf
+
9f2ebf
+#endif /* COMMON_PRIVATE_H_ */
9f2ebf
diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c
9f2ebf
new file mode 100644
9f2ebf
index 0000000000000000000000000000000000000000..5efe9fabed7896ce674615472dbb256c4eae2144
9f2ebf
--- /dev/null
9f2ebf
+++ b/src/sss_client/idmap/common_ex.c
9f2ebf
@@ -0,0 +1,105 @@
9f2ebf
+/*
9f2ebf
+    Authors:
9f2ebf
+        Sumit Bose <sbose@redhat.com>
9f2ebf
+
9f2ebf
+    Copyright (C) 2017 Red Hat
9f2ebf
+
9f2ebf
+    SSSD's enhanced NSS API
9f2ebf
+
9f2ebf
+    This program is free software; you can redistribute it and/or modify
9f2ebf
+    it under the terms of the GNU General Public License as published by
9f2ebf
+    the Free Software Foundation; either version 3 of the License, or
9f2ebf
+    (at your option) any later version.
9f2ebf
+
9f2ebf
+    This program is distributed in the hope that it will be useful,
9f2ebf
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
9f2ebf
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
9f2ebf
+    GNU General Public License for more details.
9f2ebf
+
9f2ebf
+    You should have received a copy of the GNU General Public License
9f2ebf
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
9f2ebf
+*/
9f2ebf
+
9f2ebf
+#include <time.h>
9f2ebf
+#include <errno.h>
9f2ebf
+
9f2ebf
+#include "sss_cli.h"
9f2ebf
+#include "common_private.h"
9f2ebf
+
9f2ebf
+extern struct sss_mutex sss_nss_mtx;
9f2ebf
+
9f2ebf
+#define SEC_FROM_MSEC(ms) ((ms) / 1000)
9f2ebf
+#define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000)
9f2ebf
+
9f2ebf
+/* adopted from timersub() defined in /usr/include/sys/time.h */
9f2ebf
+#define TIMESPECSUB(a, b, result)                                             \
9f2ebf
+  do {                                                                        \
9f2ebf
+    (result)->tv_sec = (a)->tv_sec - (b)->tv_sec;                             \
9f2ebf
+    (result)->tv_nsec = (a)->tv_nsec - (b)->tv_nsec;                          \
9f2ebf
+    if ((result)->tv_nsec < 0) {                                              \
9f2ebf
+      --(result)->tv_sec;                                                     \
9f2ebf
+      (result)->tv_nsec += 1000000000;                                        \
9f2ebf
+    }                                                                         \
9f2ebf
+  } while (0)
9f2ebf
+
9f2ebf
+#define TIMESPEC_TO_MS(ts) (  ((ts)->tv_sec * 1000) \
9f2ebf
+                            + ((ts)->tv_nsec) / (1000 * 1000) )
9f2ebf
+
9f2ebf
+static int sss_mt_timedlock(struct sss_mutex *m, struct timespec *endtime)
9f2ebf
+{
9f2ebf
+    int ret;
9f2ebf
+
9f2ebf
+    ret = pthread_mutex_timedlock(&m->mtx, endtime);
9f2ebf
+    if (ret != 0) {
9f2ebf
+        return ret;
9f2ebf
+    }
9f2ebf
+    pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state);
9f2ebf
+
9f2ebf
+    return 0;
9f2ebf
+}
9f2ebf
+
9f2ebf
+int sss_nss_timedlock(unsigned int timeout_ms, int *time_left_ms)
9f2ebf
+{
9f2ebf
+    int ret;
9f2ebf
+    int left;
9f2ebf
+    struct timespec starttime;
9f2ebf
+    struct timespec endtime;
9f2ebf
+    struct timespec diff;
9f2ebf
+
9f2ebf
+    /* make sure there is no overrun when calculating the time left */
9f2ebf
+    if (timeout_ms > INT_MAX) {
9f2ebf
+        timeout_ms = INT_MAX;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    ret = clock_gettime(CLOCK_REALTIME, &starttime);
9f2ebf
+    if (ret != 0) {
9f2ebf
+        return ret;
9f2ebf
+    }
9f2ebf
+    endtime.tv_sec = starttime.tv_sec + SEC_FROM_MSEC(timeout_ms);
9f2ebf
+    endtime.tv_nsec = starttime.tv_nsec + NSEC_FROM_MSEC(timeout_ms);
9f2ebf
+
9f2ebf
+    ret = sss_mt_timedlock(&sss_nss_mtx, &endtime);
9f2ebf
+
9f2ebf
+    if (ret == 0) {
9f2ebf
+        ret = clock_gettime(CLOCK_REALTIME, &endtime);
9f2ebf
+        if (ret != 0) {
9f2ebf
+            return ret;
9f2ebf
+        }
9f2ebf
+
9f2ebf
+        if (timeout_ms == 0) {
9f2ebf
+            *time_left_ms = 0;
9f2ebf
+        } else {
9f2ebf
+            TIMESPECSUB(&endtime, &starttime, &diff);
9f2ebf
+            left = timeout_ms - TIMESPEC_TO_MS(&diff);
9f2ebf
+            if (left <= 0) {
9f2ebf
+                return EIO;
9f2ebf
+            } else if (left > SSS_CLI_SOCKET_TIMEOUT) {
9f2ebf
+                *time_left_ms = SSS_CLI_SOCKET_TIMEOUT;
9f2ebf
+            } else {
9f2ebf
+                *time_left_ms = left;
9f2ebf
+            }
9f2ebf
+        }
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    return ret;
9f2ebf
+}
9f2ebf
diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
9f2ebf
new file mode 100644
9f2ebf
index 0000000000000000000000000000000000000000..582d1373ec35305cf128e04fd3d705457d304789
9f2ebf
--- /dev/null
9f2ebf
+++ b/src/sss_client/idmap/sss_nss_ex.c
9f2ebf
@@ -0,0 +1,402 @@
9f2ebf
+/*
9f2ebf
+    SSSD
9f2ebf
+
9f2ebf
+    Extended NSS Responder Interface
9f2ebf
+
9f2ebf
+    Authors:
9f2ebf
+        Sumit Bose <sbose@redhat.com>
9f2ebf
+
9f2ebf
+    Copyright (C) 2017 Red Hat
9f2ebf
+
9f2ebf
+    This program is free software; you can redistribute it and/or modify
9f2ebf
+    it under the terms of the GNU General Public License as published by
9f2ebf
+    the Free Software Foundation; either version 3 of the License, or
9f2ebf
+    (at your option) any later version.
9f2ebf
+
9f2ebf
+    This program is distributed in the hope that it will be useful,
9f2ebf
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
9f2ebf
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
9f2ebf
+    GNU General Public License for more details.
9f2ebf
+
9f2ebf
+    You should have received a copy of the GNU General Public License
9f2ebf
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
9f2ebf
+*/
9f2ebf
+#include <stdlib.h>
9f2ebf
+#include <errno.h>
9f2ebf
+
9f2ebf
+#include <sys/param.h> /* for MIN() */
9f2ebf
+
9f2ebf
+#include "sss_client/sss_cli.h"
9f2ebf
+#include "sss_client/nss_mc.h"
9f2ebf
+#include "sss_client/nss_common.h"
9f2ebf
+#include "sss_client/idmap/sss_nss_idmap.h"
9f2ebf
+#include "sss_client/idmap/sss_nss_idmap_private.h"
9f2ebf
+
9f2ebf
+#ifndef discard_const
9f2ebf
+#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
9f2ebf
+#endif
9f2ebf
+
9f2ebf
+struct sss_nss_initgr_rep {
9f2ebf
+    gid_t *groups;
9f2ebf
+    long int *ngroups;
9f2ebf
+    long int *start;
9f2ebf
+};
9f2ebf
+
9f2ebf
+struct nss_input {
9f2ebf
+    union {
9f2ebf
+        const char *name;
9f2ebf
+        uid_t uid;
9f2ebf
+        gid_t gid;
9f2ebf
+    } input;
9f2ebf
+    struct sss_cli_req_data rd;
9f2ebf
+    enum sss_cli_command cmd;
9f2ebf
+    union {
9f2ebf
+        struct sss_nss_pw_rep pwrep;
9f2ebf
+        struct sss_nss_gr_rep grrep;
9f2ebf
+        struct sss_nss_initgr_rep initgrrep;
9f2ebf
+    } result;
9f2ebf
+};
9f2ebf
+
9f2ebf
+errno_t sss_nss_mc_get(struct nss_input *inp)
9f2ebf
+{
9f2ebf
+    switch(inp->cmd) {
9f2ebf
+    case SSS_NSS_GETPWNAM:
9f2ebf
+        return sss_nss_mc_getpwnam(inp->input.name, (inp->rd.len - 1),
9f2ebf
+                                   inp->result.pwrep.result,
9f2ebf
+                                   inp->result.pwrep.buffer,
9f2ebf
+                                   inp->result.pwrep.buflen);
9f2ebf
+        break;
9f2ebf
+    case SSS_NSS_GETPWUID:
9f2ebf
+        return sss_nss_mc_getpwuid(inp->input.uid,
9f2ebf
+                                   inp->result.pwrep.result,
9f2ebf
+                                   inp->result.pwrep.buffer,
9f2ebf
+                                   inp->result.pwrep.buflen);
9f2ebf
+        break;
9f2ebf
+    case SSS_NSS_GETGRNAM:
9f2ebf
+        return sss_nss_mc_getgrnam(inp->input.name, (inp->rd.len - 1),
9f2ebf
+                                   inp->result.grrep.result,
9f2ebf
+                                   inp->result.grrep.buffer,
9f2ebf
+                                   inp->result.grrep.buflen);
9f2ebf
+        break;
9f2ebf
+    case SSS_NSS_GETGRGID:
9f2ebf
+        return sss_nss_mc_getgrgid(inp->input.gid,
9f2ebf
+                                   inp->result.grrep.result,
9f2ebf
+                                   inp->result.grrep.buffer,
9f2ebf
+                                   inp->result.grrep.buflen);
9f2ebf
+        break;
9f2ebf
+    case SSS_NSS_INITGR:
9f2ebf
+        return sss_nss_mc_initgroups_dyn(inp->input.name, (inp->rd.len - 1),
9f2ebf
+                                         -1 /* currently ignored */,
9f2ebf
+                                         inp->result.initgrrep.start,
9f2ebf
+                                         inp->result.initgrrep.ngroups,
9f2ebf
+                                         &(inp->result.initgrrep.groups),
9f2ebf
+                                         *(inp->result.initgrrep.ngroups));
9f2ebf
+        break;
9f2ebf
+    default:
9f2ebf
+        return EINVAL;
9f2ebf
+    }
9f2ebf
+}
9f2ebf
+
9f2ebf
+int sss_get_ex(struct nss_input *inp, uint32_t flags, unsigned int timeout)
9f2ebf
+{
9f2ebf
+    uint8_t *repbuf = NULL;
9f2ebf
+    size_t replen;
9f2ebf
+    size_t len;
9f2ebf
+    uint32_t num_results;
9f2ebf
+    int ret;
9f2ebf
+    int time_left;
9f2ebf
+    int errnop;
9f2ebf
+    size_t c;
9f2ebf
+    gid_t *new_groups;
9f2ebf
+    size_t idx;
9f2ebf
+
9f2ebf
+    ret = sss_nss_mc_get(inp);
9f2ebf
+    switch (ret) {
9f2ebf
+    case 0:
9f2ebf
+        return 0;
9f2ebf
+    case ERANGE:
9f2ebf
+        return ERANGE;
9f2ebf
+    case ENOENT:
9f2ebf
+        /* fall through, we need to actively ask the parent
9f2ebf
+         * if no entry is found */
9f2ebf
+        break;
9f2ebf
+    default:
9f2ebf
+        /* if using the mmaped cache failed,
9f2ebf
+         * fall back to socket based comms */
9f2ebf
+        break;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    sss_nss_timedlock(timeout, &time_left);
9f2ebf
+
9f2ebf
+    /* previous thread might already initialize entry in mmap cache */
9f2ebf
+    ret = sss_nss_mc_get(inp);
9f2ebf
+    switch (ret) {
9f2ebf
+    case 0:
9f2ebf
+        ret = 0;
9f2ebf
+        goto out;
9f2ebf
+    case ERANGE:
9f2ebf
+        ret = ERANGE;
9f2ebf
+        goto out;
9f2ebf
+    case ENOENT:
9f2ebf
+        /* fall through, we need to actively ask the parent
9f2ebf
+         * if no entry is found */
9f2ebf
+        break;
9f2ebf
+    default:
9f2ebf
+        /* if using the mmaped cache failed,
9f2ebf
+         * fall back to socket based comms */
9f2ebf
+        break;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    ret = sss_nss_make_request_timeout(inp->cmd, &inp->rd, time_left,
9f2ebf
+                                       &repbuf, &replen, &errnop);
9f2ebf
+    if (ret != NSS_STATUS_SUCCESS) {
9f2ebf
+        ret = errnop != 0 ? errnop : EIO;
9f2ebf
+        goto out;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    /* Get number of results from repbuf. */
9f2ebf
+    SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL);
9f2ebf
+
9f2ebf
+    /* no results if not found */
9f2ebf
+    if (num_results == 0) {
9f2ebf
+        ret = ENOENT;
9f2ebf
+        goto out;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    if (inp->cmd == SSS_NSS_INITGR) {
9f2ebf
+        if ((*(inp->result.initgrrep.ngroups) - *(inp->result.initgrrep.start))
9f2ebf
+                    < num_results) {
9f2ebf
+            new_groups = realloc(inp->result.initgrrep.groups,
9f2ebf
+                                 (num_results + *(inp->result.initgrrep.start))
9f2ebf
+                                    * sizeof(gid_t));
9f2ebf
+            if (new_groups == NULL) {
9f2ebf
+                ret = ENOMEM;
9f2ebf
+                goto out;
9f2ebf
+            }
9f2ebf
+
9f2ebf
+            inp->result.initgrrep.groups = new_groups;
9f2ebf
+        }
9f2ebf
+        *(inp->result.initgrrep.ngroups) = num_results
9f2ebf
+                                            + *(inp->result.initgrrep.start);
9f2ebf
+
9f2ebf
+        idx = 2 * sizeof(uint32_t);
9f2ebf
+        for (c = 0; c < num_results; c++) {
9f2ebf
+            SAFEALIGN_COPY_UINT32(
9f2ebf
+                &(inp->result.initgrrep.groups[*(inp->result.initgrrep.start)]),
9f2ebf
+                repbuf + idx, &idx);
9f2ebf
+            *(inp->result.initgrrep.start) += 1;
9f2ebf
+        }
9f2ebf
+
9f2ebf
+        ret = 0;
9f2ebf
+        goto out;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    /* only 1 result is accepted for this function */
9f2ebf
+    if (num_results != 1) {
9f2ebf
+        ret = EBADMSG;
9f2ebf
+        goto out;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    len = replen - 8;
9f2ebf
+    if (inp->cmd == SSS_NSS_GETPWNAM || inp->cmd == SSS_NSS_GETPWUID) {
9f2ebf
+        ret = sss_nss_getpw_readrep(&(inp->result.pwrep), repbuf+8, &len;;
9f2ebf
+    } else if (inp->cmd == SSS_NSS_GETGRNAM || inp->cmd == SSS_NSS_GETGRGID) {
9f2ebf
+        ret = sss_nss_getgr_readrep(&(inp->result.grrep), repbuf+8, &len;;
9f2ebf
+    } else {
9f2ebf
+        ret = EINVAL;
9f2ebf
+        goto out;
9f2ebf
+    }
9f2ebf
+    if (ret) {
9f2ebf
+        goto out;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    if (len == 0) {
9f2ebf
+        /* no extra data */
9f2ebf
+        ret = 0;
9f2ebf
+        goto out;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+out:
9f2ebf
+    free(repbuf);
9f2ebf
+
9f2ebf
+    sss_nss_unlock();
9f2ebf
+    return ret;
9f2ebf
+}
9f2ebf
+
9f2ebf
+int sss_nss_getpwnam_timeout(const char *name, struct passwd *pwd,
9f2ebf
+                             char *buffer, size_t buflen,
9f2ebf
+                             struct passwd **result,
9f2ebf
+                             uint32_t flags, unsigned int timeout)
9f2ebf
+{
9f2ebf
+    int ret;
9f2ebf
+    struct nss_input inp = {
9f2ebf
+        .input.name = name,
9f2ebf
+        .cmd = SSS_NSS_GETPWNAM,
9f2ebf
+        .rd.data = name,
9f2ebf
+        .result.pwrep.result = pwd,
9f2ebf
+        .result.pwrep.buffer = buffer,
9f2ebf
+        .result.pwrep.buflen = buflen};
9f2ebf
+
9f2ebf
+    if (buffer == NULL || buflen == 0) {
9f2ebf
+        return ERANGE;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    ret = sss_strnlen(name, SSS_NAME_MAX, &inp.rd.len);
9f2ebf
+    if (ret != 0) {
9f2ebf
+        return EINVAL;
9f2ebf
+    }
9f2ebf
+    inp.rd.len++;
9f2ebf
+
9f2ebf
+    *result = NULL;
9f2ebf
+
9f2ebf
+    ret = sss_get_ex(&inp, flags, timeout);
9f2ebf
+    if (ret == 0) {
9f2ebf
+        *result = inp.result.pwrep.result;
9f2ebf
+    }
9f2ebf
+    return ret;
9f2ebf
+}
9f2ebf
+
9f2ebf
+int sss_nss_getpwuid_timeout(uid_t uid, struct passwd *pwd,
9f2ebf
+                             char *buffer, size_t buflen,
9f2ebf
+                             struct passwd **result,
9f2ebf
+                             uint32_t flags, unsigned int timeout)
9f2ebf
+{
9f2ebf
+    int ret;
9f2ebf
+    uint32_t user_uid = uid;
9f2ebf
+    struct nss_input inp = {
9f2ebf
+        .input.uid = uid,
9f2ebf
+        .cmd = SSS_NSS_GETPWUID,
9f2ebf
+        .rd.len = sizeof(uint32_t),
9f2ebf
+        .rd.data = &user_uid,
9f2ebf
+        .result.pwrep.result = pwd,
9f2ebf
+        .result.pwrep.buffer = buffer,
9f2ebf
+        .result.pwrep.buflen = buflen};
9f2ebf
+
9f2ebf
+    if (buffer == NULL || buflen == 0) {
9f2ebf
+        return ERANGE;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    *result = NULL;
9f2ebf
+
9f2ebf
+    ret = sss_get_ex(&inp, flags, timeout);
9f2ebf
+    if (ret == 0) {
9f2ebf
+        *result = inp.result.pwrep.result;
9f2ebf
+    }
9f2ebf
+    return ret;
9f2ebf
+}
9f2ebf
+
9f2ebf
+int sss_nss_getgrnam_timeout(const char *name, struct group *grp,
9f2ebf
+                             char *buffer, size_t buflen, struct group **result,
9f2ebf
+                             uint32_t flags, unsigned int timeout)
9f2ebf
+{
9f2ebf
+    int ret;
9f2ebf
+    struct nss_input inp = {
9f2ebf
+        .input.name = name,
9f2ebf
+        .cmd = SSS_NSS_GETGRNAM,
9f2ebf
+        .rd.data = name,
9f2ebf
+        .result.grrep.result = grp,
9f2ebf
+        .result.grrep.buffer = buffer,
9f2ebf
+        .result.grrep.buflen = buflen};
9f2ebf
+
9f2ebf
+    if (buffer == NULL || buflen == 0) {
9f2ebf
+        return ERANGE;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    ret = sss_strnlen(name, SSS_NAME_MAX, &inp.rd.len);
9f2ebf
+    if (ret != 0) {
9f2ebf
+        return EINVAL;
9f2ebf
+    }
9f2ebf
+    inp.rd.len++;
9f2ebf
+
9f2ebf
+    *result = NULL;
9f2ebf
+
9f2ebf
+    ret = sss_get_ex(&inp, flags, timeout);
9f2ebf
+    if (ret == 0) {
9f2ebf
+        *result = inp.result.grrep.result;
9f2ebf
+    }
9f2ebf
+    return ret;
9f2ebf
+}
9f2ebf
+
9f2ebf
+int sss_nss_getgrgid_timeout(gid_t gid, struct group *grp,
9f2ebf
+                             char *buffer, size_t buflen, struct group **result,
9f2ebf
+                             uint32_t flags, unsigned int timeout)
9f2ebf
+{
9f2ebf
+    int ret;
9f2ebf
+    uint32_t group_gid = gid;
9f2ebf
+    struct nss_input inp = {
9f2ebf
+        .input.gid = gid,
9f2ebf
+        .cmd = SSS_NSS_GETGRGID,
9f2ebf
+        .rd.len = sizeof(uint32_t),
9f2ebf
+        .rd.data = &group_gid,
9f2ebf
+        .result.grrep.result = grp,
9f2ebf
+        .result.grrep.buffer = buffer,
9f2ebf
+        .result.grrep.buflen = buflen};
9f2ebf
+
9f2ebf
+    if (buffer == NULL || buflen == 0) {
9f2ebf
+        return ERANGE;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    *result = NULL;
9f2ebf
+
9f2ebf
+    ret = sss_get_ex(&inp, flags, timeout);
9f2ebf
+    if (ret == 0) {
9f2ebf
+        *result = inp.result.grrep.result;
9f2ebf
+    }
9f2ebf
+    return ret;
9f2ebf
+}
9f2ebf
+
9f2ebf
+int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
9f2ebf
+                                 gid_t *groups, int *ngroups,
9f2ebf
+                                 uint32_t flags, unsigned int timeout)
9f2ebf
+{
9f2ebf
+    int ret;
9f2ebf
+    gid_t *new_groups;
9f2ebf
+    long int new_ngroups;
9f2ebf
+    long int start = 1;
9f2ebf
+    struct nss_input inp = {
9f2ebf
+        .input.name = name,
9f2ebf
+        .cmd = SSS_NSS_INITGR,
9f2ebf
+        .rd.data = name};
9f2ebf
+
9f2ebf
+    if (groups == NULL || ngroups == NULL || *ngroups == 0) {
9f2ebf
+        return EINVAL;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    ret = sss_strnlen(name, SSS_NAME_MAX, &inp.rd.len);
9f2ebf
+    if (ret != 0) {
9f2ebf
+        return ret;
9f2ebf
+    }
9f2ebf
+    inp.rd.len++;
9f2ebf
+
9f2ebf
+    new_ngroups = MAX(1, *ngroups);
9f2ebf
+    new_groups = malloc(new_ngroups * sizeof(gid_t));
9f2ebf
+    if (new_groups == NULL) {
9f2ebf
+        free(discard_const(inp.rd.data));
9f2ebf
+        return ENOMEM;
9f2ebf
+    }
9f2ebf
+    new_groups[0] = group;
9f2ebf
+
9f2ebf
+    inp.result.initgrrep.groups = new_groups,
9f2ebf
+    inp.result.initgrrep.ngroups = &new_ngroups;
9f2ebf
+    inp.result.initgrrep.start = &start;
9f2ebf
+
9f2ebf
+
9f2ebf
+    ret = sss_get_ex(&inp, flags, timeout);
9f2ebf
+    free(discard_const(inp.rd.data));
9f2ebf
+    if (ret != 0) {
9f2ebf
+        free(new_groups);
9f2ebf
+        return ret;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    memcpy(groups, new_groups, MIN(*ngroups, start) * sizeof(gid_t));
9f2ebf
+    free(new_groups);
9f2ebf
+
9f2ebf
+    if (start > *ngroups) {
9f2ebf
+        ret = ERANGE;
9f2ebf
+    } else {
9f2ebf
+        ret = 0;
9f2ebf
+    }
9f2ebf
+    *ngroups = start;
9f2ebf
+
9f2ebf
+    return ret;
9f2ebf
+}
9f2ebf
diff --git a/src/sss_client/idmap/sss_nss_idmap.exports b/src/sss_client/idmap/sss_nss_idmap.exports
9f2ebf
index 49dac6fc9351b0ca98cd46e83b85ec8ef0075a0d..788d05ecc3bd56fa88e68a98b9c8096cf7140a09 100644
9f2ebf
--- a/src/sss_client/idmap/sss_nss_idmap.exports
9f2ebf
+++ b/src/sss_client/idmap/sss_nss_idmap.exports
9f2ebf
@@ -31,3 +31,13 @@ SSS_NSS_IDMAP_0.3.0 {
9f2ebf
     global:
9f2ebf
         sss_nss_getlistbycert;
9f2ebf
 } SSS_NSS_IDMAP_0.2.0;
9f2ebf
+
9f2ebf
+SSS_NSS_IDMAP_0.4.0 {
9f2ebf
+    # public functions
9f2ebf
+    global:
9f2ebf
+        sss_nss_getpwnam_timeout;
9f2ebf
+        sss_nss_getpwuid_timeout;
9f2ebf
+        sss_nss_getgrnam_timeout;
9f2ebf
+        sss_nss_getgrgid_timeout;
9f2ebf
+        sss_nss_getgrouplist_timeout;
9f2ebf
+} SSS_NSS_IDMAP_0.3.0;
9f2ebf
diff --git a/src/sss_client/idmap/sss_nss_idmap.h b/src/sss_client/idmap/sss_nss_idmap.h
9f2ebf
index cbf19479ff9ec6e0d6e07e1f7e48a1571e147740..2334b6cb3fb8ef62e4ce3a7187c7affaeaa034e7 100644
9f2ebf
--- a/src/sss_client/idmap/sss_nss_idmap.h
9f2ebf
+++ b/src/sss_client/idmap/sss_nss_idmap.h
9f2ebf
@@ -26,6 +26,9 @@
9f2ebf
 #define SSS_NSS_IDMAP_H_
9f2ebf
 
9f2ebf
 #include <stdint.h>
9f2ebf
+#include <sys/types.h>
9f2ebf
+#include <pwd.h>
9f2ebf
+#include <grp.h>
9f2ebf
 
9f2ebf
 /**
9f2ebf
  * Object types
9f2ebf
@@ -159,4 +162,136 @@ int sss_nss_getlistbycert(const char *cert, char ***fq_name,
9f2ebf
  * @param[in] kv_list Key-value list returned by sss_nss_getorigbyname().
9f2ebf
  */
9f2ebf
 void sss_nss_free_kv(struct sss_nss_kv *kv_list);
9f2ebf
+
9f2ebf
+/**
9f2ebf
+ * Flags to control the behavior and the results for sss_*_ex() calls
9f2ebf
+ */
9f2ebf
+
9f2ebf
+#define SSS_NSS_EX_FLAG_NO_FLAGS 0
9f2ebf
+
9f2ebf
+#ifdef IPA_389DS_PLUGIN_HELPER_CALLS
9f2ebf
+
9f2ebf
+/**
9f2ebf
+ * @brief Return user information based on the user name
9f2ebf
+ *
9f2ebf
+ * @param[in]  name       same as for getpwnam_r(3)
9f2ebf
+ * @param[in]  pwd        same as for getpwnam_r(3)
9f2ebf
+ * @param[in]  buffer     same as for getpwnam_r(3)
9f2ebf
+ * @param[in]  buflen     same as for getpwnam_r(3)
9f2ebf
+ * @param[out] result     same as for getpwnam_r(3)
9f2ebf
+ * @param[in]  flags      flags to control the behavior and the results of the
9f2ebf
+ *                        call
9f2ebf
+ * @param[in]  timeout    timeout in milliseconds
9f2ebf
+ *
9f2ebf
+ * @return
9f2ebf
+ *  - 0:
9f2ebf
+ *  - ENOENT:    no user with the given name found
9f2ebf
+ *  - ERANGE:    Insufficient buffer space supplied
9f2ebf
+ *  - ETIME:     request timed out but was send to SSSD
9f2ebf
+ *  - ETIMEDOUT: request timed out but was not send to SSSD
9f2ebf
+ */
9f2ebf
+int sss_nss_getpwnam_timeout(const char *name, struct passwd *pwd,
9f2ebf
+                             char *buffer, size_t buflen,
9f2ebf
+                             struct passwd **result,
9f2ebf
+                             uint32_t flags, unsigned int timeout);
9f2ebf
+
9f2ebf
+/**
9f2ebf
+ * @brief Return user information based on the user uid
9f2ebf
+ *
9f2ebf
+ * @param[in]  uid        same as for getpwuid_r(3)
9f2ebf
+ * @param[in]  pwd        same as for getpwuid_r(3)
9f2ebf
+ * @param[in]  buffer     same as for getpwuid_r(3)
9f2ebf
+ * @param[in]  buflen     same as for getpwuid_r(3)
9f2ebf
+ * @param[out] result     same as for getpwuid_r(3)
9f2ebf
+ * @param[in]  flags      flags to control the behavior and the results of the
9f2ebf
+ *                        call
9f2ebf
+ * @param[in]  timeout    timeout in milliseconds
9f2ebf
+ *
9f2ebf
+ * @return
9f2ebf
+ *  - 0:
9f2ebf
+ *  - ENOENT:    no user with the given uid found
9f2ebf
+ *  - ERANGE:    Insufficient buffer space supplied
9f2ebf
+ *  - ETIME:     request timed out but was send to SSSD
9f2ebf
+ *  - ETIMEDOUT: request timed out but was not send to SSSD
9f2ebf
+ */
9f2ebf
+int sss_nss_getpwuid_timeout(uid_t uid, struct passwd *pwd,
9f2ebf
+                             char *buffer, size_t buflen,
9f2ebf
+                             struct passwd **result,
9f2ebf
+                             uint32_t flags, unsigned int timeout);
9f2ebf
+
9f2ebf
+/**
9f2ebf
+ * @brief Return group information based on the group name
9f2ebf
+ *
9f2ebf
+ * @param[in]  name       same as for getgrnam_r(3)
9f2ebf
+ * @param[in]  pwd        same as for getgrnam_r(3)
9f2ebf
+ * @param[in]  buffer     same as for getgrnam_r(3)
9f2ebf
+ * @param[in]  buflen     same as for getgrnam_r(3)
9f2ebf
+ * @param[out] result     same as for getgrnam_r(3)
9f2ebf
+ * @param[in]  flags      flags to control the behavior and the results of the
9f2ebf
+ *                        call
9f2ebf
+ * @param[in]  timeout    timeout in milliseconds
9f2ebf
+ *
9f2ebf
+ * @return
9f2ebf
+ *  - 0:
9f2ebf
+ *  - ENOENT:    no group with the given name found
9f2ebf
+ *  - ERANGE:    Insufficient buffer space supplied
9f2ebf
+ *  - ETIME:     request timed out but was send to SSSD
9f2ebf
+ *  - ETIMEDOUT: request timed out but was not send to SSSD
9f2ebf
+ */
9f2ebf
+int sss_nss_getgrnam_timeout(const char *name, struct group *grp,
9f2ebf
+                             char *buffer, size_t buflen, struct group **result,
9f2ebf
+                             uint32_t flags, unsigned int timeout);
9f2ebf
+
9f2ebf
+/**
9f2ebf
+ * @brief Return group information based on the group gid
9f2ebf
+ *
9f2ebf
+ * @param[in]  gid        same as for getgrgid_r(3)
9f2ebf
+ * @param[in]  pwd        same as for getgrgid_r(3)
9f2ebf
+ * @param[in]  buffer     same as for getgrgid_r(3)
9f2ebf
+ * @param[in]  buflen     same as for getgrgid_r(3)
9f2ebf
+ * @param[out] result     same as for getgrgid_r(3)
9f2ebf
+ * @param[in]  flags      flags to control the behavior and the results of the
9f2ebf
+ *                        call
9f2ebf
+ * @param[in]  timeout    timeout in milliseconds
9f2ebf
+ *
9f2ebf
+ * @return
9f2ebf
+ *  - 0:
9f2ebf
+ *  - ENOENT:    no group with the given gid found
9f2ebf
+ *  - ERANGE:    Insufficient buffer space supplied
9f2ebf
+ *  - ETIME:     request timed out but was send to SSSD
9f2ebf
+ *  - ETIMEDOUT: request timed out but was not send to SSSD
9f2ebf
+ */
9f2ebf
+int sss_nss_getgrgid_timeout(gid_t gid, struct group *grp,
9f2ebf
+                             char *buffer, size_t buflen, struct group **result,
9f2ebf
+                             uint32_t flags, unsigned int timeout);
9f2ebf
+
9f2ebf
+/**
9f2ebf
+ * @brief Return a list of groups to which a user belongs
9f2ebf
+ *
9f2ebf
+ * @param[in]      name       name of the user
9f2ebf
+ * @param[in]      group      same as second argument of getgrouplist(3)
9f2ebf
+ * @param[in]      groups     array of gid_t of size ngroups, will be filled
9f2ebf
+ *                            with GIDs of groups the user belongs to
9f2ebf
+ * @param[in,out]  ngroups    size of the groups array on input. On output it
9f2ebf
+ *                            will contain the actual number of groups the
9f2ebf
+ *                            user belongs to. With a return value of 0 the
9f2ebf
+ *                            groups array was large enough to hold all group.
9f2ebf
+ *                            With a return valu of ERANGE the array was not
9f2ebf
+ *                            large enough and ngroups will have the needed
9f2ebf
+ *                            size.
9f2ebf
+ * @param[in]  flags          flags to control the behavior and the results of
9f2ebf
+ *                            the call
9f2ebf
+ * @param[in]  timeout        timeout in milliseconds
9f2ebf
+ *
9f2ebf
+ * @return
9f2ebf
+ *  - 0:         success
9f2ebf
+ *  - ENOENT:    no user with the given name found
9f2ebf
+ *  - ERANGE:    Insufficient buffer space supplied
9f2ebf
+ *  - ETIME:     request timed out but was send to SSSD
9f2ebf
+ *  - ETIMEDOUT: request timed out but was not send to SSSD
9f2ebf
+ */
9f2ebf
+int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
9f2ebf
+                                 gid_t *groups, int *ngroups,
9f2ebf
+                                 uint32_t flags, unsigned int timeout);
9f2ebf
+#endif /* IPA_389DS_PLUGIN_HELPER_CALLS */
9f2ebf
 #endif /* SSS_NSS_IDMAP_H_ */
9f2ebf
diff --git a/src/sss_client/idmap/sss_nss_idmap_private.h b/src/sss_client/idmap/sss_nss_idmap_private.h
9f2ebf
new file mode 100644
9f2ebf
index 0000000000000000000000000000000000000000..afcd8e355981b9a2dc29a62bab143756b39ed654
9f2ebf
--- /dev/null
9f2ebf
+++ b/src/sss_client/idmap/sss_nss_idmap_private.h
9f2ebf
@@ -0,0 +1,30 @@
9f2ebf
+/*
9f2ebf
+    SSSD
9f2ebf
+
9f2ebf
+    NSS Responder ID-mapping interface - private calls
9f2ebf
+
9f2ebf
+    Authors:
9f2ebf
+        Sumit Bose <sbose@redhat.com>
9f2ebf
+
9f2ebf
+    Copyright (C) 2017 Red Hat
9f2ebf
+
9f2ebf
+    This program is free software; you can redistribute it and/or modify
9f2ebf
+    it under the terms of the GNU General Public License as published by
9f2ebf
+    the Free Software Foundation; either version 3 of the License, or
9f2ebf
+    (at your option) any later version.
9f2ebf
+
9f2ebf
+    This program is distributed in the hope that it will be useful,
9f2ebf
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
9f2ebf
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
9f2ebf
+    GNU General Public License for more details.
9f2ebf
+
9f2ebf
+    You should have received a copy of the GNU General Public License
9f2ebf
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
9f2ebf
+*/
9f2ebf
+
9f2ebf
+#ifndef SSS_NSS_IDMAP_PRIVATE_H_
9f2ebf
+#define SSS_NSS_IDMAP_PRIVATE_H_
9f2ebf
+
9f2ebf
+int sss_nss_timedlock(unsigned int timeout_ms, int *time_left_ms);
9f2ebf
+
9f2ebf
+#endif /* SSS_NSS_IDMAP_PRIVATE_H_ */
9f2ebf
-- 
9f2ebf
2.13.6
9f2ebf