author | Lukas Slebodnik <lslebodn@redhat.com> | 2015-05-15 15:05:28 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-22 12:30:57 +0200 |
commit | d0cc678d20d8bde829450eb50bec1b7397cea3e1 (patch) | |
tree | 7546bcf3bf54564dfa5234391c17615f88ac480d /src/providers/ldap | |
parent | fd60528321fd52720222ec35b895ade54cccb48d (diff) | |
SDAP: Set initgroups expire attribute at the end
Initgrups consisted of two main steps:
1. store user to cache
2. store all user groups to cache.
Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
So in case of an empty cache and parallel initgroups requests in the responders,
there was a small period when SYSDB_INITGR_EXPIRE was valid but the groups were
not cached yet. Therefore the responder could sometimes return zero supplementary
groups.
This patch moves the setting of initgroups expire attribute from 1st step
to the end of 2nd step.
In case of parallel initgroups requests in responder there are two
other ways how we could get correct results even thought there was a bug.
a) Time between two request was too small. User was not stored in cache
yet and 2nd request waited for response from DP.
b) Time between two request was big enough. All users groups were
successfully stored in cache and 2nd request returned correct results.
Resolves:
https://fedorahosted.org/sssd/ticket/2634
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_id.c | 42 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_users.c | 9 |
2 files changed, 42 insertions, 9 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 997313bec..034d5272b 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -978,6 +978,40 @@ static int groups_by_user_retry(struct tevent_req *req);
 static void groups_by_user_connect_done(struct tevent_req *subreq);
 static void groups_by_user_done(struct tevent_req *subreq);
 
+static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,
+                                               const char *name)
+{
+    errno_t ret;
+    time_t cache_timeout;
+    struct sysdb_attrs *attrs;
+
+    attrs = sysdb_new_attrs(NULL);
+    if (attrs == NULL) {
+        return ENOMEM;
+    }
+
+    cache_timeout = domain->user_timeout
+                        ? time(NULL) + domain->user_timeout
+                        : 0;
+
+    ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, cache_timeout);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
+        goto done;
+    }
+
+    ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Failed to set initgroups expire attribute\n");
+        goto done;
+    }
+
+done:
+    talloc_zfree(attrs);
+    return ret;
+}
+
 static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
                                               struct tevent_context *ev,
                                               struct sdap_id_ctx *ctx,
@@ -1122,6 +1156,14 @@ static void groups_by_user_done(struct tevent_req *subreq)
         }
     }
 
+    ret = set_initgroups_expire_attribute(state->ctx->be->domain,
+                                          state->name);
+    if (ret != EOK) {
+        state->dp_error = DP_ERR_FATAL;
+        tevent_req_error(req, ret);
+        return;
+    }
+
     state->dp_error = DP_ERR_OK;
     tevent_req_done(req);
 }
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 82b4df479..89e5ae558 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
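Review bot: set_initgroups_expire_attribute carries no comment stating the ordering invariant this commit exists to establish, which is the one thing a later maintainer must not break; I would add above the definition: `/* Call only after the user AND all of its groups are in the cache: a valid SYSDB_INITGR_EXPIRE with no groups behind it lets a concurrent responder lookup return an empty supplementary-group list. */`. The `goto done;` after the sysdb_set_user_attr failure is redundant, since `done:` is the very next statement; dropping it is a style nit. The first DEBUG message, "Could not set up attrs", would be more useful when grepping logs if it named the attribute, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up SYSDB_INITGR_EXPIRE attrs\n");`.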
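Review bot: The new failure branch in groups_by_user_done turns an error from writing one cache attribute into DP_ERR_FATAL for the whole request even though, by this point in the hunk, the user and all of its groups have already been stored. That is the fail-safe direction (with no fresh SYSDB_INITGR_EXPIRE the next lookup presumably refetches rather than trusting a stale stamp), but it deserves a one-line comment so nobody later relaxes it into a silent success, e.g. `/* Groups are already cached; failing here only forces a refetch, never a stale answer. */`. `ret`, `req` and `state` are declared outside the hunk, as groups_by_user_done begins before it.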
@@ -467,15 +467,6 @@ int sdap_save_user(TALLOC_CTX *memctx,
 
     cache_timeout = dom->user_timeout;
 
-    if (is_initgr) {
-        ret = sysdb_attrs_add_time_t(user_attrs, SYSDB_INITGR_EXPIRE,
-                                     (cache_timeout ?
-                                      (time(NULL) + cache_timeout) : 0));
-        if (ret) {
-            goto done;
-        }
-    }
-
     ret = sdap_save_all_names(user_name, attrs, dom, user_attrs);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save user names\n");