authorNathaniel McCallum <npmccallum@redhat.com>2014-02-24 14:19:13 -0500
committerMartin Kosek <mkosek@redhat.com>2014-06-19 14:50:32 +0200
commit8b2f4443dcf61e1edf59ef0812ed05e1fa93f8fc (patch)
treee6d5491f12c10a2ccdbcd517ee16b0468dc9a1a9 /daemons/ipa-kdb/ipa_kdb_mspac.c
parent49e83256b4f3ebe05c9e9fab5a55c6d502faf491 (diff)
Periodically refresh global ipa-kdb configuration
Before this patch, ipa-kdb would load global configuration on startup and never update it. This means that if global configuration is changed, the KDC never receives the new configuration until it is restarted. This patch enables caching of the global configuration with a timeout of 60 seconds. https://fedorahosted.org/freeipa/ticket/4153 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index a73a3cb46..084b689d4 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1878,6 +1878,9 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
}
if (ied == NULL || ied->authz_data == NULL) {
+ const struct ipadb_global_config *gcfg = NULL;
+ char **tmp = NULL;
+
if (context == NULL) {
krb5_klog_syslog(LOG_ERR, "Missing Kerberos context, no " \
"authorization data will be added.");
@@ -1885,14 +1888,17 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
}
ipactx = ipadb_get_context(context);
- if (ipactx == NULL || ipactx->authz_data == NULL) {
+ gcfg = ipadb_get_global_config(ipactx);
+ if (gcfg != NULL)
+ tmp = gcfg->authz_data;
+ if (ipactx == NULL || tmp == NULL) {
krb5_klog_syslog(LOG_ERR, "No default authorization data types " \
"available, no authorization data will " \
"be added.");
goto done;
}
- authz_data_list = ipactx->authz_data;
+ authz_data_list = tmp;
} else {
authz_data_list = ied->authz_data;
}
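Review bot: `ipadb_get_global_config(ipactx)` is called before `ipactx` is tested for NULL, so the `ipactx == NULL` half of the condition that follows only helps if the helper itself tolerates a NULL context; its body is not shown in this diff. If it reads through `ipactx`, a failed `ipadb_get_context()` would crash the KDC instead of reaching the "No default authorization data types" log and `goto done`. Guarding the call, `if (ipactx != NULL) gcfg = ipadb_get_global_config(ipactx);`, keeps the old failure path. Separately, `tmp` borrows `gcfg->authz_data` from a cache that the commit message says is refreshed on a 60-second timeout, so a comment such as `/* authz_data_list is borrowed from the cached global config; do not use it across another ipadb_get_global_config() call */` would document the lifetime. The rest of get_authz_data_types lies outside the hunk.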