authorStephen Gallagher <sgallagh@redhat.com>2010-12-22 11:00:22 -0500
committerStephen Gallagher <sgallagh@redhat.com>2010-12-22 13:22:28 -0500
commitc71ff1e4615ec8560b90ca7d4827d99424ad0355 (patch)
tree5f1ccd75d8e6dfcb9d5a3898ebc9368dabcca261 /src/responder
parent7da6ae5558059218d660d879057f6e39864c3493 (diff)
Update the ID cache for any PAM request
Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/common/responder.h2
-rw-r--r--src/responder/pam/pamsrv.c9
-rw-r--r--src/responder/pam/pamsrv.h1
-rw-r--r--src/responder/pam/pamsrv_cmd.c19
4 files changed, 23 insertions, 8 deletions
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 783f9e405..6b81aadac 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -118,6 +118,8 @@ struct cli_ctx {
char *netgr_name;
int netgrent_cur;
+
+ time_t pam_timeout;
};
struct sss_cmd_table {
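Review bot: The new `pam_timeout` member of `struct cli_ctx` carries no comment, yet its value is compared against wall-clock time in pamsrv_cmd.c and nothing in this diff initialises it, so a reader has to discover that the first request on a connection passes the gate only because the struct is presumably zero-allocated. Suggest `time_t pam_timeout; /* wall-clock time before which PAM requests on this connection do not re-query the ID provider; 0 (zeroed ctx) means refresh on first request */`. The field is per client connection, so its rate-limiting effect only applies to requests that share one connection.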
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 61e7ce7a3..91ee4a899 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -108,6 +108,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
struct be_conn *iter;
struct pam_ctx *pctx;
int ret, max_retries;
+ int id_timeout;
pctx = talloc_zero(mem_ctx, struct pam_ctx);
if (!pctx) {
@@ -153,6 +154,14 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
&pctx->neg_timeout);
if (ret != EOK) goto done;
+ /* Set up the PAM identity timeout */
+ ret = confdb_get_int(cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ID_TIMEOUT, 5,
+ &id_timeout);
+ if (ret != EOK) goto done;
+
+ pctx->id_timeout = (size_t)id_timeout;
+
ret = sss_ncache_init(pctx, &pctx->ncache);
if (ret != EOK) {
DEBUG(0, ("fatal error initializing negative cache\n"));
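Review bot: `pctx->id_timeout = (size_t)id_timeout;` casts to `size_t` while the destination field is declared `time_t`, so a negative value from the config file is first turned into a huge unsigned number and then converted back to a signed type, giving an implementation-defined result instead of an error. The value is then added to `time(NULL)` in the callback, so a negative or wrapped timeout silently changes the gate's behaviour. Suggest rejecting bad input at load time, `if (id_timeout < 0) { ret = EINVAL; goto done; }` followed by a plain `pctx->id_timeout = id_timeout;`, and extending the comment to say the unit (the default `5` is presumably seconds). `CONFDB_PAM_ID_TIMEOUT` is presumably defined in the confdb header outside this diff, which is limited to src/responder.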
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 3ada4cfd8..3ffc17087 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -35,6 +35,7 @@ struct pam_ctx {
struct resp_ctx *rctx;
struct sss_nc_ctx *ncache;
int neg_timeout;
+ time_t id_timeout;
};
struct pam_auth_req {
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 48341aab4..6a8f1dbb5 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -790,14 +790,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
/* make sure to update the preq if we changed domain */
preq->domain = dom;
- /* TODO: check negative cache ? */
-
- /* Always try to refresh the cache first on authentication */
- if (preq->check_provider &&
- (preq->pd->cmd == SSS_PAM_AUTHENTICATE ||
- preq->pd->cmd == SSS_PAM_SETCRED)) {
-
- /* call provider first */
+ /* Refresh the user's cache entry on any PAM query
+ * We put a timeout in the client context so that we limit
+ * the number of updates within a reasonable timeout
+ */
+ if (preq->check_provider && cctx->pam_timeout < time(NULL)) {
+ /* Call provider first */
break;
}
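Review bot: The new gate `cctx->pam_timeout < time(NULL)` does not let an `id_timeout` of 0 mean "no limiting": the callback arms `pam_timeout = time(NULL) + 0`, and for the rest of that second `now < now` is false, so a second request on the same connection within the same second skips the provider. If 0 is meant to disable the limit, the comparison should be `cctx->pam_timeout <= time(NULL)`. The condition also drops the previous restriction to SSS_PAM_AUTHENTICATE/SSS_PAM_SETCRED, so every PAM command on a fresh connection now costs a provider round-trip; the comment could state that this is intended. `cctx` and the enclosing loop of pam_check_user_search are defined outside this hunk.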
@@ -909,6 +907,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
{
struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req);
int ret;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
@@ -916,6 +916,9 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
}
+ /* Make sure we don't go to the ID provider too often */
+ preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
+
ret = pam_check_user_search(preq);
if (ret == EOK) {
pam_dom_forwarder(preq);
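Review bot: `preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;` is executed unconditionally, after the `err_maj` branch has only logged the provider error, so a failed provider lookup also arms the timeout and the next `id_timeout` seconds of requests on this connection are served from the cache without retrying. That may be intended back-off, but nothing says so; suggest either moving the assignment under the success path or making the intent explicit with `/* Arm the timeout even when the provider failed so a failing backend is not re-queried on every request */`. `pctx` comes from `talloc_get_type` two hunks earlier and is dereferenced here without a NULL check, matching how `preq` is already handled in this callback; the callback body continues outside the hunk.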