summaryrefslogtreecommitdiffstats
path: root/src/plugin.h
Commit message (Collapse)AuthorAgeFilesLines
* slapi-nis: process requests only when initialization completedAlexander Bokovoy2016-01-181-0/+1
| | | | | Initializing map cache may take time. Skip slapi-nis lookups untli the map cache is ready.
* slapi-nis: delay sending responses from compat tree after map searchAlexander Bokovoy2015-11-191-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When slapi-nis plugin responds on a search query, it holds read lock for the internal structure called 'map cache'. The map cache lock can also be taken for write when modification would be required like responding to DELETE, ADD, or MODIFY operations. As result of the lock semantics, write lock owner is blocked until all read lock owners release their locks. This is generally not a problem but when readers sent out LDAP query results, they call into SLAPI function that might take long time to send out the data due to external reasons (network latencies, clients being blocked, etc) and all this time map cache is locked for write operations. When Kerberos KDC issues a TGT, it needs to modify few Kerberos-related attributes in the principal's LDAP entry. These updates are generating MOD operations visible by slapi-nis plugin which triggers re-scan of map cache to potentially replace the affected entries. To perform potential replacement, slapi-nis has to take a write lock and be blocked by outstanding readers. Therefore, it is possible to encounter a situation where an LDAP client uses SASL GSSAPI authentication and existing Kerberos ticket did expire in a course of outstanding search request. According to LDAPv3 protocol specification, an LDAP client must perform re-negotiation before reading any outstanding PDUs. It would ask Kerberos KDC for a new (or renewed) TGT, that would cause MOD updates for the primary tree which is tracked for changes by slapi-nis. These changes would be blocked by a slapi-nis reader as the client cannot finish reading outstanding PDUs yet. To solve this problem, we avoid sending LDAP entries while keeping map cache lock. Instead, we generate a linked list of copies of entries which will be sent out. To allow sharing of entries between multiple parallel queries, we hash the entry and reference the cached entry in the linked list with increased reference count. Once entry is actually sent, its reference count decreased and on reaching zero it is removed from the hash. The entry in the hash table might become outdated. This is detected by comparing both modifyTimestamp and entryUSN values of the entry to be sent and entry in the hash table. If new version of the entry is different, hash table's entry reference is replaced with a new copy. The old entry is not removed because it is still referenced by some outstanding query processing. Thus, the hash table always references the most recent version of an entry but there might be multiple copies in possesion of the linked lists from the separate parallel queries. An entry sharing via hash table can be disabled by setting slapi-entry-cache: 0 in the definition, cn=Schema Compatibility,cn=plugins,cn=config Resolves: rhbz#1273587 https://bugzilla.redhat.com/show_bug.cgi?id=1273587
* schema-compat: use libnss_sss.so.2 explicitly to resolve trusted domain ↵Alexander Bokovoy2015-03-261-0/+1
| | | | | | | | | | | | users via NSS When Schema Compatibility plugin is configured to enumerate users and groups from Active Directory domains trusted by FreeIPA, use nss_sss module directly instead of following nsswitch.conf configuration. The issue with nsswitch.conf configuration is in the fact that for each request all modules in NSS chain are processed while only one of them is responsible for users from trusted Active Directory domains, namely, nss_sss.
* schema-compat: introduce a lock to protect PAM authenticationAlexander Bokovoy2013-08-071-0/+2
| | | | | | | | PAM stack requires exclusive access, therefore we need to use a write lock. Required for authenticating synthetically created records coming outside of LDAP store.
* fixup log messages and a signed booleanNalin Dahyabhai2012-11-141-1/+1
| | | | | - add missing newlines at the end of a couple of messages - make that one bit that we compare to zero unsigned instead of signed
* Overhaul betxn supportNalin Dahyabhai2012-11-011-1/+2
| | | | | | | | | * Check for BETXN support at build-time, provide options for disabling or requiring that it be available for build to succeed. * Track whether or not BETXN support is enabled in the plugin-local state. * Skip processing in post/internalpost callbacks if BETXN support is enabled. * Skip work in betxnpost callbacks if BETXN support is disabled.
* - whoops, this file got re-addedNalin Dahyabhai2008-06-301-0/+48
|
* - rename plugin.c,plugin.h to plug-nis.c,plug-nis.hNalin Dahyabhai2008-06-301-45/+0
|
* - add a place to store securenet configurationNalin Dahyabhai2008-06-091-0/+2
|
* - implement tcp_wrappers supportNalin Dahyabhai2008-06-031-0/+3
|
* - initial support for returning larger entries over tcp than we can over udpNalin Dahyabhai2008-06-021-0/+1
| | | | - make the tcp sizes tunable
* - sort out the threading start/stop functions, and add rwlock functionsNalin Dahyabhai2008-05-301-7/+3
|
* - switch to creating a PRThread instead of a pthreadNalin Dahyabhai2008-05-291-0/+6
|
* - more build machineryNalin Dahyabhai2008-05-291-0/+21
| | | | | - license text in source files - elaborate on what's still to be done
* - build cleanupsNalin Dahyabhai2008-05-291-9/+0
| | | | - remove some more NSPRisms in cases when XDRisms are even more portable
* - provide a way for the backend to register callbacks with the directoryNalin Dahyabhai2008-04-221-0/+1
| | | | | - switch to using the plugin's entry for locating maps in preference to the hard-coded location
* try to clean this up a bitNalin Dahyabhai2008-03-271-5/+4
|
* properly compile stream.c's routineNalin Dahyabhai2007-11-211-0/+25
generated by cgit (git 2.34.1) at 2025-08-28 15:51:24 +0000