Update the ID cache for any PAM request

Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749
author: Stephen Gallagher <sgallagh@redhat.com> 2010-12-22 11:00:22 -0500
committer: Stephen Gallagher <sgallagh@redhat.com> 2010-12-22 13:22:28 -0500
commit: c71ff1e4615ec8560b90ca7d4827d99424ad0355 (patch)
tree: 5f1ccd75d8e6dfcb9d5a3898ebc9368dabcca261 /src
parent: 7da6ae5558059218d660d879057f6e39864c3493 (diff)
download: sssd-c71ff1e4615ec8560b90ca7d4827d99424ad0355.tar.gz
sssd-c71ff1e4615ec8560b90ca7d4827d99424ad0355.tar.xz
sssd-c71ff1e4615ec8560b90ca7d4827d99424ad0355.zip
8 files changed, 48 insertions, 8 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index eccb98d36..5e55f2558 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -81,6 +81,7 @@
 #define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
 #define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
 #define CONFDB_PAM_VERBOSITY "pam_verbosity"
+#define CONFDB_PAM_ID_TIMEOUT "pam_id_timeout"
 
 /* Data Provider */
 #define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index b11771788..d23641c9d 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -64,6 +64,7 @@ option_strings = {
     'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
     'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
     'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
+    'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'),
 
     # [provider]
     'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 3bd0cc490..5127b852d 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -34,6 +34,7 @@ offline_credentials_expiration = int, None, false
 offline_failed_login_attempts = int, None, false
 offline_failed_login_delay = int, None, false
 pam_verbosity = int, None, false
+pam_id_timeout = int, None, false
 
 [provider]
 #Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 7392dd093..96b7a4c3c 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -440,6 +440,28 @@
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                  <term>pam_id_timeout (integer)</term>
+                  <listitem>
+                    <para>
+                      For any PAM request while SSSD is online, the SSSD will
+                      attempt to immediately update the cached identity
+                      information for the user in order to ensure that
+                      authentication takes place with the latest information.
+                    </para>
+                    <para>
+                      A complete PAM conversation may perform multiple PAM
+                      requests, such as account management and session
+                      opening. This option controls (on a
+                      per-client-application basis) how long (in seconds) we
+                      can cache the identity information to avoid excessive
+                      round-trips to the identity provider.
+                    </para>
+                    <para>
+                      Default: 5
+                    </para>
+                  </listitem>
+                </varlistentry>
             </variablelist>
         </refsect2>
     </refsect1>
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 783f9e405..6b81aadac 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -118,6 +118,8 @@ struct cli_ctx {
 
     char *netgr_name;
     int netgrent_cur;
+
+    time_t pam_timeout;
 };
 
 struct sss_cmd_table {
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 61e7ce7a3..91ee4a899 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -108,6 +108,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
     struct be_conn *iter;
     struct pam_ctx *pctx;
     int ret, max_retries;
+    int id_timeout;
 
     pctx = talloc_zero(mem_ctx, struct pam_ctx);
     if (!pctx) {
@@ -153,6 +154,14 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
                          &pctx->neg_timeout);
     if (ret != EOK) goto done;
 
+    /* Set up the PAM identity timeout */
+    ret = confdb_get_int(cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+                         CONFDB_PAM_ID_TIMEOUT, 5,
+                         &id_timeout);
+    if (ret != EOK) goto done;
+
+    pctx->id_timeout = (size_t)id_timeout;
+
     ret = sss_ncache_init(pctx, &pctx->ncache);
     if (ret != EOK) {
         DEBUG(0, ("fatal error initializing negative cache\n"));
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 3ada4cfd8..3ffc17087 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -35,6 +35,7 @@ struct pam_ctx {
     struct resp_ctx *rctx;
     struct sss_nc_ctx *ncache;
     int neg_timeout;
+    time_t id_timeout;
 };
 
 struct pam_auth_req {
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 48341aab4..6a8f1dbb5 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -790,14 +790,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
         /* make sure to update the preq if we changed domain */
         preq->domain = dom;
 
-        /* TODO: check negative cache ? */
-
-        /* Always try to refresh the cache first on authentication */
-        if (preq->check_provider &&
-            (preq->pd->cmd == SSS_PAM_AUTHENTICATE ||
-             preq->pd->cmd == SSS_PAM_SETCRED)) {
-
-            /* call provider first */
+        /* Refresh the user's cache entry on any PAM query
+         * We put a timeout in the client context so that we limit
+         * the number of updates within a reasonable timeout
+         */
+        if (preq->check_provider && cctx->pam_timeout < time(NULL)) {
+            /* Call provider first */
             break;
         }
 
@@ -909,6 +907,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 {
     struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req);
     int ret;
+    struct pam_ctx *pctx =
+            talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 
     if (err_maj) {
         DEBUG(2, ("Unable to get information from Data Provider\n"
@@ -916,6 +916,9 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
                   (unsigned int)err_maj, (unsigned int)err_min, err_msg));
     }
 
+    /* Make sure we don't go to the ID provider too often */
+    preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
+
     ret = pam_check_user_search(preq);
     if (ret == EOK) {
         pam_dom_forwarder(preq);
author	Stephen Gallagher <sgallagh@redhat.com>	2010-12-22 11:00:22 -0500
committer	Stephen Gallagher <sgallagh@redhat.com>	2010-12-22 13:22:28 -0500
commit	c71ff1e4615ec8560b90ca7d4827d99424ad0355 (patch)
tree	5f1ccd75d8e6dfcb9d5a3898ebc9368dabcca261 /src
parent	7da6ae5558059218d660d879057f6e39864c3493 (diff)
download	sssd-c71ff1e4615ec8560b90ca7d4827d99424ad0355.tar.gz sssd-c71ff1e4615ec8560b90ca7d4827d99424ad0355.tar.xz sssd-c71ff1e4615ec8560b90ca7d4827d99424ad0355.zip