author | Nathaniel McCallum <npmccallum@redhat.com> | 2014-02-24 14:19:13 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-06-19 14:50:32 +0200 |
commit | 8b2f4443dcf61e1edf59ef0812ed05e1fa93f8fc (patch) | |
tree | e6d5491f12c10a2ccdbcd517ee16b0468dc9a1a9 /daemons/ipa-kdb/ipa_kdb_principals.c | |
parent | 49e83256b4f3ebe05c9e9fab5a55c6d502faf491 (diff) | |
Periodically refresh global ipa-kdb configuration
Before this patch, ipa-kdb would load global configuration on startup and
never update it. This means that if global configuration is changed, the
KDC never receives the new configuration until it is restarted.
This patch enables caching of the global configuration with a timeout of
60 seconds.
https://fedorahosted.org/freeipa/ticket/4153
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_principals.c')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_principals.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 96f473e48..e158c236e 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -320,18 +320,25 @@ static void ipadb_validate_password(struct ipadb_context *ipactx,
 static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
 LDAPMessage *lentry)
 {
+ enum ipadb_user_auth gua = IPADB_USER_AUTH_NONE;
 enum ipadb_user_auth ua = IPADB_USER_AUTH_NONE;
+ const struct ipadb_global_config *gcfg = NULL;

 /* Get the user's user_auth settings. */
 ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);

+ /* Get the global user_auth settings. */
+ gcfg = ipadb_get_global_config(ipactx);
+ if (gcfg != NULL)
+ gua = gcfg->user_auth;
+
 /* If the disabled flag is set, ignore everything else. */
- if ((ua | ipactx->user_auth) & IPADB_USER_AUTH_DISABLED)
+ if ((ua | gua) & IPADB_USER_AUTH_DISABLED)
 return IPADB_USER_AUTH_DISABLED;

 /* Determine which user_auth policy is active: user or global. */
 if (ua == IPADB_USER_AUTH_NONE)
- ua = ipactx->user_auth;
+ ua = gua;

 /* Perform flag validation. */
 ipadb_validate_otp(ipactx, lentry, &ua); |
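Review bot: When `ipadb_get_global_config()` returns NULL, `gua` silently stays `IPADB_USER_AUTH_NONE`, so a globally configured `IPADB_USER_AUTH_DISABLED` flag or any other global user_auth policy is not applied to that request and only the per-user value is used. If NULL can follow a failed refresh (the helper's body is not in this hunk, so this is inferred), that is a fail-open path that should at least be logged or documented, for example with `/* No global config available: gua stays NONE and only the per-user user_auth applies. */` above the NULL check. The 60-second cache described in the commit message also means a tightened global policy can take up to a minute to reach the KDC, which is worth stating in the same comment. The body of ipadb_get_user_auth continues past the end of the hunk.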