diff options
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ipa/ipa_access.c | 16 | ||||
-rw-r--r-- | src/providers/ipa/ipa_access.h | 2 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 1 |
4 files changed, 21 insertions, 1 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c index 18cf31043..2a6588ebf 100644 --- a/src/providers/ipa/ipa_access.c +++ b/src/providers/ipa/ipa_access.c @@ -114,6 +114,7 @@ void ipa_access_handler(struct be_req *be_req) ipa_access_ctx = talloc_get_type( be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data, struct ipa_access_ctx); + hbac_ctx->access_ctx = ipa_access_ctx; hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx; hbac_ctx->ipa_options = ipa_access_ctx->ipa_options; hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx; @@ -145,10 +146,22 @@ static int hbac_retry(struct hbac_ctx *hbac_ctx) struct tevent_req *subreq; int ret; bool offline; + time_t now, refresh_interval; + struct ipa_access_ctx *access_ctx = hbac_ctx->access_ctx; offline = be_is_offline(hbac_ctx->be_req->be_ctx); DEBUG(9, ("Connection status is [%s].\n", offline ? "offline" : "online")); + refresh_interval = dp_opt_get_int(hbac_ctx->ipa_options, + IPA_HBAC_REFRESH); + + now = time(NULL); + if (now < access_ctx->last_update + refresh_interval) { + /* Simulate offline mode and just go to the cache */ + DEBUG(6, ("Performing cached HBAC evaluation\n")); + offline = true; + } + if (!offline) { if (hbac_ctx->sdap_op == NULL) { hbac_ctx->sdap_op = sdap_id_op_create(hbac_ctx, @@ -505,6 +518,9 @@ static void hbac_sysdb_save(struct tevent_req *req) */ hbac_clear_rule_data(hbac_ctx); + + access_ctx->last_update = time(NULL); + /* Now evaluate the request against the rules */ ipa_hbac_evaluate_rules(hbac_ctx); diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h index da43fea2b..2a6bdad50 100644 --- a/src/providers/ipa/ipa_access.h +++ b/src/providers/ipa/ipa_access.h @@ -43,10 +43,12 @@ struct ipa_access_ctx { struct sdap_id_ctx *sdap_ctx; struct dp_option *ipa_options; struct time_rules_ctx *tr_ctx; + time_t last_update; }; struct hbac_ctx { struct sdap_id_ctx *sdap_ctx; + struct ipa_access_ctx *access_ctx; struct sdap_id_op *sdap_op; struct dp_option *ipa_options; struct time_rules_ctx *tr_ctx; diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 9972c3411..0995e0f1a 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -37,7 +37,8 @@ struct dp_option ipa_basic_opts[] = { { "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING}, - { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING} + { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}, + { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER } }; struct dp_option ipa_def_ldap_opts[] = { diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 8f0f35a82..1c1f72215 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -50,6 +50,7 @@ enum ipa_basic_opt { IPA_DYNDNS_IFACE, IPA_HBAC_SEARCH_BASE, IPA_KRB5_REALM, + IPA_HBAC_REFRESH, IPA_OPTS_BASIC /* opts counter */ }; |