diff options
Diffstat (limited to 'src/responder/pam/pamsrv_cmd.c')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 48341aab4..6a8f1dbb5 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -790,14 +790,12 @@ static int pam_check_user_search(struct pam_auth_req *preq) /* make sure to update the preq if we changed domain */ preq->domain = dom; - /* TODO: check negative cache ? */ - - /* Always try to refresh the cache first on authentication */ - if (preq->check_provider && - (preq->pd->cmd == SSS_PAM_AUTHENTICATE || - preq->pd->cmd == SSS_PAM_SETCRED)) { - - /* call provider first */ + /* Refresh the user's cache entry on any PAM query + * We put a timeout in the client context so that we limit + * the number of updates within a reasonable timeout + */ + if (preq->check_provider && cctx->pam_timeout < time(NULL)) { + /* Call provider first */ break; } @@ -909,6 +907,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min, { struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req); int ret; + struct pam_ctx *pctx = + talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); if (err_maj) { DEBUG(2, ("Unable to get information from Data Provider\n" @@ -916,6 +916,9 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } + /* Make sure we don't go to the ID provider too often */ + preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout; + ret = pam_check_user_search(preq); if (ret == EOK) { pam_dom_forwarder(preq); |