authorJakub Hrozek <jhrozek@redhat.com>2015-04-28 13:16:51 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-05-12 11:25:21 +0200
commit601d193feba2d9859661b979c2a0d1d479d5cee8 (patch)
treee56a9162cf78f408ab61e1b33203d5d3bdfba795
parenta50b229c8ea1e22c9efa677760b94d8c48c3ec89 (diff)
LDAP: disable the cleanup task by default
Resolves: https://fedorahosted.org/sssd/ticket/2627 The cleanup task was designed to keep the cache size within certain limits. This is how it roughly works now: - find users who have never logged in by default. If account_cache_expiration is set, find users who logged in later than account_cache_expiration - delete the matching set of users - find groups that have no members - delete the matching set of groups So unless account_cache_expiration is set to something sensible, only empty groups and expired users who never logged in are removed, and that's quite a corner case. The above effectively walks the whole database; the groups step in particular is quite slow with a huge database. The whole cleanup task also runs in a single sysdb transaction, which means all other transactions are blocked while the cleanup task crunches the database. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r--src/man/sssd-ldap.5.xml9
-rw-r--r--src/providers/ad/ad_opts.h2
-rw-r--r--src/providers/ipa/ipa_opts.h2
-rw-r--r--src/providers/ldap/ldap_id_enum.c19
-rw-r--r--src/providers/ldap/ldap_opts.h2
5 files changed, 29 insertions, 5 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 83ec9b668..9756a5547 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -719,10 +719,15 @@
</para>
<para>
Setting this option to zero will disable the
- cache cleanup operation.
+ cache cleanup operation. Please note that if
+ enumeration is enabled, the cleanup task is
+ required in order to detect entries removed from
+ the server and can't be disabled. By default,
+ the cleanup task will run every 3 hours with
+ enumeration enabled.
</para>
<para>
- Default: 10800 (3 hours)
+ Default: 0 (disabled)
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 0b7255a82..15b140434 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -86,7 +86,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
{ "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER },
- { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 10800 }, NULL_NUMBER },
+ { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index f2f164bc3..8a0764265 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -98,7 +98,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
{ "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER },
- { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 3600 }, NULL_NUMBER },
+ { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, { "/etc/ipa/ca.crt" }, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
index 1aec91a99..89c305c0d 100644
--- a/src/providers/ldap/ldap_id_enum.c
+++ b/src/providers/ldap/ldap_id_enum.c
@@ -27,6 +27,8 @@
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async_enum.h"
+#define LDAP_ENUM_PURGE_TIMEOUT 10800
+
errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
struct sdap_options *opts,
struct sdap_domain *sdom,
@@ -37,6 +39,7 @@ errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
errno_t ret;
time_t first_delay;
time_t period;
+ time_t cleanup;
bool has_enumerated;
struct ldap_enum_ctx *ectx;
@@ -65,6 +68,22 @@ errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
first_delay = 0;
}
+ cleanup = dp_opt_get_int(opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
+ if (cleanup == 0) {
+ /* We need to cleanup the cache once in a while when enumerating, otherwise
+ * enumeration would only download deltas since the previous lastUSN and would
+ * not detect removed entries
+ */
+ ret = dp_opt_set_int(opts->basic, SDAP_CACHE_PURGE_TIMEOUT,
+ LDAP_ENUM_PURGE_TIMEOUT);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot set cleanup timeout, enumeration wouldn't "
+ "detect removed entries!\n");
+ return ret;
+ }
+ }
+
period = dp_opt_get_int(opts->basic, SDAP_ENUM_REFRESH_TIMEOUT);
ectx = talloc(sdom, struct ldap_enum_ctx);
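Review bot: The guard `if (cleanup == 0)` only catches an exact zero, yet the man-page text added in this same commit promises the cleanup task cannot be disabled once enumeration is on; if a misconfigured `ldap_purge_cache_timeout` can come back negative from dp_opt_get_int (the option parser is not visible here), that value would pass straight through and enumeration would again miss entries removed on the server. Widening it to `if (cleanup <= 0)` costs nothing and matches the documented contract. The override also silently rewrites the operator's configured value, so I would log it after the successful dp_opt_set_int, e.g. `DEBUG(SSSDBG_CONF_SETTINGS, "Enumeration enabled, forcing cleanup timeout to %d\n", LDAP_ENUM_PURGE_TIMEOUT);`, so that a cleanup task running despite `ldap_purge_cache_timeout = 0` is explainable from the logs. ldap_setup_enumeration continues past the end of this hunk.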
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 7c9ed3e01..f449ec7c3 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -63,7 +63,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
{ "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER },
- { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 10800 }, NULL_NUMBER },
+ { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },