diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2010-02-16 14:11:00 +0100 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-02-23 16:16:25 -0500 |
| commit | af81aaa57f82eab78647113c391bd84247f96150 (patch) | |
| tree | b68313b8e8a5f71c76fda78e5750cf86f794c72d /src/providers/ldap/ldap_common.c | |
| parent | f8c6a449412c6d5aa86609584fe4e530fd51a4b1 (diff) | |
| download | sssd-af81aaa57f82eab78647113c391bd84247f96150.tar.gz sssd-af81aaa57f82eab78647113c391bd84247f96150.tar.xz sssd-af81aaa57f82eab78647113c391bd84247f96150.zip | |
Better cleanup task handling
Implements a different mechanism for cleanup task. Instead of just
deleting expired entries, this patch adds a new option
account_cache_expiration for domains. If an entry is expired and the last
login was more days in the past that account_cache_expiration, the entry is
deleted.
Groups are deleted if they are expired and and no user references them
(no user has memberof: attribute pointing at that group).
The parameter account_cache_expiration is not LDAP-specific, so that other
future backends might use the same timeout setting.
Fixes: #391
Diffstat (limited to 'src/providers/ldap/ldap_common.c')
| -rw-r--r-- | src/providers/ldap/ldap_common.c | 47 |
1 files changed, 46 insertions, 1 deletions
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 61cba03e7..a67ea3626 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -62,7 +62,8 @@ struct dp_option default_basic_opts[] = { /* use the same parm name as the krb5 module so we set it only once */ { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING }, - { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE } + { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER } }; struct sdap_attr_map generic_attr_map[] = { @@ -166,6 +167,8 @@ int ldap_get_options(TALLOC_CTX *memctx, char *schema; const char *pwd_policy; int ret; + int account_cache_expiration; + int offline_credentials_expiration; opts = talloc_zero(memctx, struct sdap_options); if (!opts) return ENOMEM; @@ -217,6 +220,48 @@ int ldap_get_options(TALLOC_CTX *memctx, goto done; } + /* account_cache_expiration must be >= than offline_credentials_expiration */ + ret = confdb_get_int(cdb, memctx, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_CRED_TIMEOUT, 0, + &offline_credentials_expiration); + if (ret != EOK) { + DEBUG(1, ("Cannot get value of %s from confdb \n", + CONFDB_PAM_CRED_TIMEOUT)); + goto done; + } + + account_cache_expiration = dp_opt_get_int(opts->basic, + SDAP_ACCOUNT_CACHE_EXPIRATION); + + /* account cache_expiration must not be smaller than + * offline_credentials_expiration to prevent deleting entries that + * still contain credentials valid for offline login. + * + * offline_credentials_expiration == 0 is a special case that says + * that the cached credentials are valid forever. Therefore, the cached + * entries must not be purged from cache. + */ + if (!offline_credentials_expiration && account_cache_expiration) { + DEBUG(1, ("Conflicting values for options %s (unlimited) " + "and %s (%d)\n", + opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name, + CONFDB_PAM_CRED_TIMEOUT, + offline_credentials_expiration)); + ret = EINVAL; + goto done; + } + if (offline_credentials_expiration && account_cache_expiration && + offline_credentials_expiration >= account_cache_expiration) { + DEBUG(1, ("Value of %s (now %d) must be larger " + "than value of %s (now %d)\n", + opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name, + account_cache_expiration, + CONFDB_PAM_CRED_TIMEOUT, + offline_credentials_expiration)); + ret = EINVAL; + goto done; + } + #ifndef HAVE_LDAP_CONNCB bool ldap_referrals; |