path: root/src/plug-sch.c
Commit message (Author, Age, Files, Lines)
* schema-compat: add support for timeout-based NSS queries with libsss_nss_idmap (Alexander Bokovoy, 2017-11-03, 1 file, -0/+7)

  In case libsss_nss_idmap provides a timeout-enabled NSS API, use it. This solves the problem of overly long queries to an NSS backend with the traditional POSIX NSS API. In case SSSD takes too long to respond to a query, the corresponding 389-ds thread running the schema-compat plugin would get stuck waiting for that response. This can lead to an exhaustion of 389-ds threads.

  A refactored interface to NSS backends is introduced with this commit. The backend API looks like the API an NSS plugin has to implement in glibc, but also allows handling timeout-based requests internally. If the backend implements timeout-enabled calls, then the backend_nss_set_timeout() function can be used to modify a per-context state. There is no need for a caller to know whether the backend supports timeout-enabled calls, because either way these calls are synchronous and the backend choice is made at compile time.

  The schema-compat plugin uses 10 seconds as its default timeout. One can change it via the 'slapi-nss-timeout' attribute in the plugin config entry.
* slapi-nis should allow password update on a virtual entry (Thierry Bordaz, 2016-06-20, 1 file, -0/+24)

  During the password modification extended operation (1.3.6.1.4.1.4203.1.11.1), if the target entry is in the compat tree, slapi-nis should remap the entry to the real entry. This needs to be done in a pre-op extop that calls the callback function handling a given OID. The password mod. callback does a reverse mapping of the extop USERID and sets it in SLAPI_TARGET_SDN.

  https://fedorahosted.org/freeipa/ticket/5955
* schema-compat: add backend shutdown support for priming thread (Thierry Bordaz, 2016-05-30, 1 file, -7/+27)

  Resolves: rhbz#1327197
* slapi-nis: populate data trees asynchronously after LDAP server startup (Alexander Bokovoy, 2016-01-26, 1 file, -2/+2)

  Currently the slapi-nis design assumes the map cache is populated by scanning the original trees on plugin startup. This has a few consequences:

  - The LDAP server cannot serve LDAP clients until all plugins are initialized.
  - slapi-nis cannot ask SSSD to resolve external identities at this point, as SSSD will need to talk to the LDAP server, which at this point is not listening for connections. SSSD will put the whole IPA domain offline and will always respond with a negative result.

  To solve these issues, schedule the tree scan after LDAP server startup. The problem here is that it is not possible to reliably detect when 389-ds starts listening for incoming connections. However, it is possible to schedule an event into the 389-ds event queue that will run shortly after the start of the event loop. Given that the registered callback function is called within the event loop thread, one can fire off another thread and wait in the thread function for some time until the LDAP server is ready for connections. The time interval is something that would depend on a specific deployment profile, but experiments show that a 5-second delay should be enough, as the event queue is created just before starting the listeners.
* slapi-nis: delay sending responses from compat tree after map search (Alexander Bokovoy, 2015-11-19, 1 file, -0/+34)

  When the slapi-nis plugin responds to a search query, it holds a read lock on the internal structure called 'map cache'. The map cache lock can also be taken for write when a modification is required, such as when responding to DELETE, ADD, or MODIFY operations. As a result of the lock semantics, the write lock owner is blocked until all read lock owners release their locks. This is generally not a problem, but when readers send out LDAP query results, they call into a SLAPI function that might take a long time to send out the data due to external reasons (network latencies, clients being blocked, etc.), and all this time the map cache is locked against write operations.

  When the Kerberos KDC issues a TGT, it needs to modify a few Kerberos-related attributes in the principal's LDAP entry. These updates generate MOD operations visible to the slapi-nis plugin, which triggers a re-scan of the map cache to potentially replace the affected entries. To perform the potential replacement, slapi-nis has to take a write lock and is blocked by outstanding readers.

  Therefore, it is possible to encounter a situation where an LDAP client uses SASL GSSAPI authentication and the existing Kerberos ticket expired in the course of an outstanding search request. According to the LDAPv3 protocol specification, an LDAP client must perform re-negotiation before reading any outstanding PDUs. It would ask the Kerberos KDC for a new (or renewed) TGT, which would cause MOD updates to the primary tree that is tracked for changes by slapi-nis. These changes would be blocked by a slapi-nis reader, as the client cannot finish reading outstanding PDUs yet.

  To solve this problem, we avoid sending LDAP entries while holding the map cache lock. Instead, we generate a linked list of copies of the entries which will be sent out.

  To allow sharing of entries between multiple parallel queries, we hash the entry and reference the cached entry in the linked list with an increased reference count. Once an entry is actually sent, its reference count is decreased, and on reaching zero it is removed from the hash. The entry in the hash table might become outdated. This is detected by comparing both the modifyTimestamp and entryUSN values of the entry to be sent and the entry in the hash table. If the new version of the entry is different, the hash table's entry reference is replaced with a new copy. The old entry is not removed because it is still referenced by some outstanding query processing. Thus, the hash table always references the most recent version of an entry, but there might be multiple copies in the possession of the linked lists from the separate parallel queries.

  Entry sharing via the hash table can be disabled by setting slapi-entry-cache: 0 in the plugin definition, cn=Schema Compatibility,cn=plugins,cn=config

  Resolves: rhbz#1273587
  https://bugzilla.redhat.com/show_bug.cgi?id=1273587
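The sharing and replacement rules described in the commit message above, as an added example written for this page (it is not slapi-nis code): a hash table of reference-counted entry copies keyed by DN, where a copy whose modifyTimestamp or entryUSN no longer matches the version just read is unlinked from the table but stays alive until the last outstanding result list releases it. The function names cache_acquire/cache_release/cache_lookup, the bucket count, and the DN and version values in cache_selftest() are assumptions for illustration; the map-cache lock itself and the SLAPI send call are left out, so the block only models what happens between reading an entry under the lock and releasing it after it has been sent.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not slapi-nis code: names and bucket count are assumptions. */
typedef struct cached_entry {
    char *dn;
    char *modify_ts;            /* modifyTimestamp of this copy */
    uint64_t usn;               /* entryUSN of this copy */
    int refcount;               /* result lists still holding this copy */
    int in_table;               /* 1 while this is the table's current version */
    struct cached_entry *next;  /* bucket chain */
} cached_entry;

static cached_entry *buckets[64];

static unsigned hash_dn(const char *dn)
{
    unsigned h = 5381;
    for (; *dn; dn++) h = h * 33 + (unsigned char)*dn;
    return h % 64;
}

static char *dup_str(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Current table version of an entry, or NULL if none is cached. */
cached_entry *cache_lookup(const char *dn)
{
    cached_entry *e = buckets[hash_dn(dn)];
    while (e && strcmp(e->dn, dn) != 0) e = e->next;
    return e;
}

/* Take a reference for one result list; (modify_ts, usn) is the version read
 * under the map-cache lock. An outdated copy leaves the table but stays alive. */
cached_entry *cache_acquire(const char *dn, const char *modify_ts, uint64_t usn)
{
    cached_entry **pp = &buckets[hash_dn(dn)];
    while (*pp) {
        cached_entry *e = *pp;
        if (strcmp(e->dn, dn) == 0) {
            if (e->usn == usn && strcmp(e->modify_ts, modify_ts) == 0) {
                e->refcount++;
                return e;           /* same version: share the copy */
            }
            *pp = e->next;          /* outdated: unlink, readers keep it */
            e->in_table = 0;
            break;
        }
        pp = &e->next;
    }
    cached_entry *n = calloc(1, sizeof(*n));
    if (n == NULL) return NULL;
    n->dn = dup_str(dn);
    n->modify_ts = dup_str(modify_ts);
    n->usn = usn;
    n->refcount = n->in_table = 1;
    n->next = buckets[hash_dn(dn)];
    buckets[hash_dn(dn)] = n;
    return n;
}

/* Drop a reference after sending; free on zero, unlinking only a current copy. */
void cache_release(cached_entry *e)
{
    if (--e->refcount > 0)
        return;
    if (e->in_table) {
        cached_entry **pp = &buckets[hash_dn(e->dn)];
        while (*pp && *pp != e)
            pp = &(*pp)->next;
        if (*pp)
            *pp = e->next;
    }
    free(e->dn);
    free(e->modify_ts);
    free(e);
}

/* Two overlapping searches, a MOD (as a KDC update causes), a third search.
 * DN and version values are constructed. Returns the number of failed checks. */
int cache_selftest(void)
{
    const char *dn = "uid=alice,cn=users,cn=compat,dc=example,dc=test";
    int failed = 0;
    cached_entry *a = cache_acquire(dn, "20151119100000Z", 100);
    cached_entry *b = cache_acquire(dn, "20151119100000Z", 100);
    failed += (a != b) + (a->refcount != 2);        /* same version is shared */
    cached_entry *c = cache_acquire(dn, "20151119100500Z", 101);
    failed += (c == a) + (cache_lookup(dn) != c);   /* table points at newest */
    failed += (a->in_table != 0);                   /* old copy kept for a, b */
    cache_release(a);
    cache_release(b);                               /* old copy freed here */
    failed += (cache_lookup(dn) != c);              /* table untouched by that */
    cache_release(c);                               /* last reader gone */
    failed += (cache_lookup(dn) != NULL);
    return failed;
}
```

cache_selftest() returns 0 when every rule holds: two readers of the same version share one copy, a newer version replaces the table reference without freeing the copy older readers still hold, and the table entry disappears only when the last reference to the current copy is dropped. In the real plugin the acquire step runs under the map-cache read lock and the release step runs after the SLAPI send returns, which is what keeps writers from waiting on slow clients.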
* schema-compat: use libnss_sss.so.2 explicitly to resolve trusted domain users via NSS (Alexander Bokovoy, 2015-03-26, 1 file, -0/+3)

  When the Schema Compatibility plugin is configured to enumerate users and groups from Active Directory domains trusted by FreeIPA, use the nss_sss module directly instead of following the nsswitch.conf configuration. The issue with the nsswitch.conf configuration is that for each request all modules in the NSS chain are processed, while only one of them is responsible for users from trusted Active Directory domains, namely nss_sss.
* schema-compat: introduce a lock to protect PAM authentication (Alexander Bokovoy, 2013-08-07, 1 file, -0/+3)

  The PAM stack requires exclusive access; therefore we need to use a write lock. Required for authenticating synthetically created records coming from outside of the LDAP store.
* include header to avoid implicit declaration (Nalin Dahyabhai, 2012-11-14, 1 file, -0/+1)
* log message fixups (Nalin Dahyabhai, 2012-11-14, 1 file, -10/+12)

  - put a newline at the end of these two messages
  - register callbacks in a consistent order
* show betxn settings in the plugin version (Nalin Dahyabhai, 2012-11-13, 1 file, -1/+1)
* Overhaul betxn support (Nalin Dahyabhai, 2012-11-01, 1 file, -77/+68)

  - Check for BETXN support at build time; provide options for disabling it, or for requiring that it be available for the build to succeed.
  - Track whether or not BETXN support is enabled in the plugin-local state.
  - Skip processing in post/internalpost callbacks if BETXN support is enabled.
  - Skip work in betxnpost callbacks if BETXN support is disabled.
* make NIS Plugin and Schema Compatibility Plugin betxn aware (Noriko Hosoi, 2012-10-16, 1 file, -26/+103)

  When the NIS Plugin and Schema Compatibility Plugin config entries include nsslapd-pluginbetxn: on (the value could be yes, true or 1, too), the plugins' update callbacks (add, delete, modify, and modrdn) are called at the betxn pre/postop timing. By default, the value of nsslapd-pluginbetxn is off. (See also https://fedorahosted.org/389/ticket/351)
* drop support for directory server transactions (Nalin Dahyabhai, 2012-06-13, 1 file, -28/+0)

  Transaction support the way we added it is an all-or-nothing proposition for a server installation, which turned out to be problematic, so 389 is going to pursue another strategy for that. The new way requires that we not register as a betxn plugin, ever.
* if the entry being touched is in an ldbm back-end, but there's no transaction ID, just return, and have faith that we'll be called again in the transaction post (Nalin Dahyabhai, 2012-01-16, 1 file, -2/+0)
* update copyright dates in files modified this year (Nalin Dahyabhai, 2012-01-16, 1 file, -1/+1)
* in callbacks, only use pblocks that are built from pblocks that we already have, so that we can pass the transaction ID around (Nalin Dahyabhai, 2012-01-16, 1 file, -2/+2)

  This includes additional parameters for a number of functions and a new callback data type for backend_set_config_entry_add_cb().
* change how we skip the be-txn-post hook so that it doesn't produce a misleading debug message (Nalin Dahyabhai, 2012-01-09, 1 file, -0/+2)

  - set IPV6_V6ONLY to avoid logging an expected EADDRINUSE error
* most of what's needed to hook back-end txn postoperations, except for passing the TXN ID around, which means we deadlock if we actually do it (Nalin Dahyabhai, 2012-01-09, 1 file, -0/+28)
* fix a typo in the error message (Nalin Dahyabhai, 2011-12-05, 1 file, -1/+1)
* don't assume that libc will provide yp headers -- build them ourselves (Nalin Dahyabhai, 2011-05-13, 1 file, -2/+2)
* we don't use syslog, so don't bother including the header (Nalin Dahyabhai, 2011-01-28, 1 file, -1/+0)
* remove that debug message, it's redundant (Nalin Dahyabhai, 2009-05-07, 1 file, -1/+0)
* revert to registering plugins at init-time, which is what the docs say we should do (Nalin Dahyabhai, 2009-05-06, 1 file, -38/+35)

  - use whether or not the plugin_base is initialized as an indicator of whether the plugin's been started or not
* register our internal pre-/post-/internalpre-op plugins at startup-time, so that the hooks will only be used if we're enabled (Nalin Dahyabhai, 2009-05-06, 1 file, -44/+52)
* use our own bind-reserve-port helper, which should work with either ipv4 or ipv6 sockets (Nalin Dahyabhai, 2009-02-11, 1 file, -1/+0)

  - make portmap_register()/portmap_unregister() require the address family
* give callback registration the ability to return errors (Nalin Dahyabhai, 2008-12-03, 1 file, -4/+40)

  - make the nis plugin register two types of internal plugins, since it can't just be a postop plugin any more
* move config.h into src/ (Nalin Dahyabhai, 2008-10-24, 1 file, -1/+1)
* clean up the map data at shutdown time (Nalin Dahyabhai, 2008-07-07, 1 file, -0/+11)

  - add a shutdown function to the sch plugin so that it can clean up its cache
* sneak in the global state so that the preop and postop plugins get access to the base DN information (Nalin Dahyabhai, 2008-07-02, 1 file, -36/+12)
* read the plugin base DN at plugin startup so that we can easily get to it later (Nalin Dahyabhai, 2008-07-02, 1 file, -0/+20)
* register both preoperation and postoperation functionality (Nalin Dahyabhai, 2008-07-01, 1 file, -4/+54)
* add a startup function to finish populating our private data (Nalin Dahyabhai, 2008-07-01, 1 file, -0/+12)
* have the plugin call backend initialization directly (Nalin Dahyabhai, 2008-06-30, 1 file, -1/+3)
* take out the need for a backend to provide a matching test (Nalin Dahyabhai, 2008-06-30, 1 file, -1/+1)

  - start adding configuration for the schema plugin
* start adding an sch backend (Nalin Dahyabhai, 2008-06-30, 1 file, -0/+113)

  - start factoring out the backend logic where the sch and nis backends overlap