summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* sss_client: Fix race condition in memory cacherhel6.6Lukas Slebodnik2015-04-014-13/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Thread safe initialisation was fixed in ticket #2380, but there is still race condition in reinitialisation. If caches is invalidated with command sss_cache -U (-G or -E) then client code will need to reinitialize fast memory cache. Let say we have two threads. The 1st thread find out that memory cache should be reinitialized; therefore the fast memory cached is unmapped and context destroyed. In the same time, 2nd thread tried to check header of memory cache whether it is initialized and valid. As a result of previously unmapped memory the 2nd thread access out of bound memory (SEGFAULT). The destroying of fast memory cache cannot be done any time. We need to be sure that there isn't any other thread which uses mmaped memory. The new counter of active threads was added for this purpose. The state of fast memory cache was converted from boolean to three value state (UNINITIALIZED, INITIALIZED, RECYCLED) UNINITIALIZED - the fast memory cache need to be initialized. - if there is a problem with initialisation the state will not change - after successful initialisation, the state will change to INITIALIZED INITIALIZED - if the cahe was invalidated or there is any other problem was detected in memory cache header the state will change to RECYCLED and memory cache IS NOT destroyed. RECYCLED - nothing will be done is there are any active threads which may use the data from mmaped memory - if there aren't active threads the fast memory cahe is destroyed and state is changed to UNINITIALIZED. https://fedorahosted.org/sssd/ticket/2445 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 6a60e29468fc6b4043a4dc52d3aab73e8465db70)
* sss_client: Extract destroying of mmap cache to functionLukas Slebodnik2015-04-011-16/+14
| | | | | Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 19f6a6733b5c6cf7dd2f6f746cfa5c787706331c)
* IPA: use ipaUserGroup object class for groupsPavel Březina2014-11-181-1/+1
| | | | | | | | | | | | | | dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class of IPA groups from posixGroups to more general groupOfNames. However, this object class is used also for roles, permissions and privileges which caused SSSD to consider those objects to be groups as well during initgroups. Resolves: https://fedorahosted.org/sssd/ticket/2471 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 3937736546e2a4b7cccc58fded3efdff9ae690fc)
* LDAP: Disable token groups by defaultLukas Slebodnik2014-11-182-2/+2
| | | | | | | | | | | | | | | | | We tried to speed up processing of initgroup lookups with tokenGroups even for the LDAP provider (if remote server is Active Directory), but it turns out that there are too many corner cases that we didn't catch during development that break. For instance, groups from other trusted domains might appear in TG and the LDAP provider isn't equipped to handle them. Overall, users who wish to use the added speed benefits of tokenGroups are advised to use the AD provider. Resolves: https://fedorahosted.org/sssd/ticket/2483 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 5febf5ed0cfb4ba7665d8c3e36ee6941988da773)
* LDAP: Do not clobber return value when multiple controls are returnedJakub Hrozek2014-09-251-3/+4
| | | | | | | | We loop over the array of returned controls and set 'ret' based on the control value. In case multiple controls were returned, the 'ret' variable might be clobbered with result of a string-to-int conversion. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Use the alternative objectclass in group maps.Michal Zidek2014-09-157-29/+117
| | | | | | | | | | | Use the alternative group objectclass in queries. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 7ba70236daccb48432350147d0560b3302518cee) (cherry picked from commit 9e99c000a4e2647328e71b4db272b4b73a7189c5)
* Add alternative objectClass to group attribute mapsMichal Zidek2014-09-154-1/+7
| | | | | | | | | | | | | | | In IPA we sometimes need to use posixGroup and sometimes groupOfNames objectclass to query the groups. This patch adds the possibility to specify alternative objectclass in group maps. By default it is only set for IPA. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 6f91c61426c8cfbfec52d5e77ae4650007694e69) (cherry picked from commit cfa74fcb5f6ba23f41a9ddaa76c3ebae6156da86)
* AD: process non-posix nested groups using tokenGroupsPavel Reichl2014-09-041-8/+1
| | | | | | | | When initgr is performed for AD supporting tokenGroups, do not skip non-posix groups. Resolves: https://fedorahosted.org/sssd/ticket/2343
* AD: process non-posix nested groups w/o tokenGroupsPavel Reichl2014-09-041-5/+1
| | | | | | | | When initgr is performed for AD not supporting tokenGroups, do not filter out groups without gid attribute or with gid equal to zero. Resolves: https://fedorahosted.org/sssd/ticket/2343
* IPA: process non-posix nested groupsPavel Reichl2014-09-042-2/+2
| | | | | | | | Do not expect objectClass to be posixGroup but rather more general groupofnames. Resolves: https://fedorahosted.org/sssd/ticket/2343
* SDAP: Update groups for user just once.Lukas Slebodnik2014-08-261-20/+78
| | | | | | | | | | | | | | | | | | | | | | | | | | | The function sdap_ad_tokengroups_update_members finds the differences between list of groups from sysdb and list of groups from LDAP (input argument). For each new group, connections are created between user and group. The other connections are removed. The problem was that in some cases function sdap_ad_tokengroups_update_members was called twice (sdap_ad_tokengroups_initgr_posix_tg_done and sdap_ad_tokengroups_initgr_posix_sids_done). The first call created connection between user and groups resolved from tokengroups and the second call update groups from missing SIDs, but previously created connections were removed. The worst case was when there weren't any missing groups. This behaviour caused missing groups in some cases (for users in child ad domain) This patch join array of groups obtained from token group and array of groups obtained from missing SIDs. The function sdap_ad_tokengroups_update_members is called just once with single array. Resolves: https://fedorahosted.org/sssd/ticket/2407 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 99f53d551a1db5d8023b4271eb691d554257624c)
* SDAP: Use different talloc_context for array of namesLukas Slebodnik2014-08-261-1/+1
| | | | | | | It will be easier to steal whole array to another talloc context Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 174e9ec6f88d709b6e9481ed06a322c0fc495842)
* SDAP: Immediately finish request for empty arrayLukas Slebodnik2014-08-261-1/+1
| | | | | | | | | If array of sids is empty we needn't try to resolve them and we can immediately finish request in function sdap_ad_resolve_sids_send This patch is just a small optimisation. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 21f2821a4420291c8eb3ee9d427e9e1b0a1d9989)
* LDAP: Use randomized ccname for storing credentialsJakub Hrozek2014-08-261-5/+39
| | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2410 If two ldap_child processes attempt to prime the ccache at the same time for the same domain, the ldap_child might fail with: [ldap_child_get_tgt_sync] (0x0040): Failed to init ccache: Internal credentials cache error [main] (0x0020): ldap_child_get_tgt_sync failed. To avoid the race-condition, the ldap_child process now creates the ccache randomized and before returning to the caller, renames the randomized ccache to a permanent one. Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Use tmp_ctx in ldap_child for temporary dataJakub Hrozek2014-08-261-7/+15
| | | | | | | Using a global memory context for short-lived private data might lead to memory growth. Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Don't add a user member twice when adding a primary groupJakub Hrozek2014-08-261-5/+33
| | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2406 In the AD case, deployments sometimes add groups as parents of the primary GID group. These groups are then returned during initgroups in the tokenGroups attribute and member/memberof links are established between the user and the group. However, any update of these groups would remove the links, so a sequence of calls: id -G user; id user; id -G user would return different group memberships. Our code errored out in the rare case when the user was *also* an LDAP member of his primary group. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Split out linking primary group members into a separate functionJakub Hrozek2014-08-261-7/+16
| | | | | | | The function sdap_fill_memberships did several tasks. It's more readable to split linking the primary members into a separate function. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* LDAP: Do not shortcut on ret != EOK during password expiry checkJakub Hrozek2014-08-221-15/+0
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2323 The functions that check for password expiration can return non-zero return codes not only on internal failure, but also to indicate that the password was expired. The code would in this case shortcut in the error handler instead of making its way to the switch-case code below that translates the SSSD error codes into PAM error codes. We don't lose the error reporting, because any internal error would translate into PAM_SYSTEM_ERROR anyway. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 06ba69972e6728f97f5adbcc3cc4df811a831f53) (cherry picked from commit 7454855b9b5117a13fe86fb93b9cc870323ccd20)
* sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errorsNalin Dahyabhai2014-08-221-0/+2
| | | | | | | | | | | | | | | | | | | | When we have difficulty setting up an sss_cli_mc_ctx structure, we try to clean things up so that we'll be ready to try again the next time we're called. Part of that is closing the descriptor of the file if we've opened it and using memset() to clear the structure. Now that sss_nss_mc_get_ctx() does its work in two phases, and each one may end up doing the cleanup, each needs to be careful to reset the descriptor field so that the new value provided by memset() (0) isn't mistakenly treated as a file which should be closed by the other. Resolves: https://fedorahosted.org/sssd/ticket/2409 Reviewed-by: Simo Sorce <simo@redhat.com> (cherry picked from commit 5a4df83d769ace54f92513f0be78e753e0985a25)
* SDAP: free subrequest in sdap_dyndns_update_addrs_doneLukas Slebodnik2014-08-221-0/+1
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit f55d45b931ce6c01e005ae94a69e93abda0d2f1c)
* test_dyndns: sss_iface_addr_list_get can return more valuesLukas Slebodnik2014-08-221-0/+46
| | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2405 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 1a783fb0be9a48a0abdfe8b52fce551d530487ce)
* dyndns: Fix talloc hierarchy of "struct sss_iface_addr"Lukas Slebodnik2014-08-221-0/+9
| | | | | | | | | | | | | | | | Structure "struct sdap_dyndns_update_state" has two linked lists of structures "struct sss_iface_addr": addresses, dns_addrlist In *_recv functions, linked list was talloc stealed to structure sss_iface_addr, but just 1st member was moved to "state" talloc context. Other member of link list were freed with removing subrequest, which caused use after free problem. Resolves: https://fedorahosted.org/sssd/ticket/2405 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 0060992d68ba843d4d90b491a1500b6290789a5c)
* TESTS: leak_check functions shouldn't be called with NULL contextLukas Slebodnik2014-08-221-0/+8
| | | | | | | Memory leaks will not be detected if talloc context is NULL. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 24000ed5b08499b49595436b8a3b348fcd4012de)
* test_dyndns: Use different talloc context in wrapped functions.Lukas Slebodnik2014-08-221-2/+21
| | | | | | | | | | | | | Real functions use own allocation strategy. We use talloc in wrapped functions. But wrapped functions should not use global_talloc_context, leak_check_teardown will report false positive memory leaks. leak_check_teardown() ./src/tests/cmocka/test_dyndns.c:378: error: Failure! [ FAILED ] dyndns_test_ok_dyndns_test_teardown Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 12e7e87ccbae0d5c2f338cd019ca51556cbcd3ae)
* responder-get-domains-tests: fix checking of leaksLukas Slebodnik2014-08-221-3/+2
| | | | | | | | | | | global_talloc_context should not be NULL in tests. It should be initialised with function leak_check_setup otherwise memory leak will not be detected. check_leaks_pop should not be directly called for global_talloc_context. It is a purpose of function leak_check_teardown Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit bf65fbdd8c3fecd38a66363c3517e7a2679b8186)
* dyndns_test: Use right socket length of for IPv4 address.Lukas Slebodnik2014-08-221-1/+1
| | | | | | | | | | | | | | | man inet_ntop says: The caller specifies the number of bytes available in this buffer in the argument size. AF_INET src points to a struct in_addr (in network byte order) which is converted to an IPv4 network address in the dotted-decimal format, "ddd.ddd.ddd.ddd". The buffer dst must be at least INET_ADDRSTRLEN bytes long. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit e210ed5da220acebb6751db4466fe352de08eaeb)
* MAN: options 'lockout' and 'ldap_pwdlockout_dn'Pavel Reichl2014-08-191-0/+27
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2364
* SDAP: account lockout to restrict access via ssh keyPavel Reichl2014-08-193-0/+568
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Be able to configure sssd to honor openldap account lock to restrict access via ssh key. Introduce new ldap_access_order value ('lock') for enabling/disabling this feature. Account is considered locked if pwdAccountLockedTime attribut has value of 000001010000Z. ------------------------------------------------------------------------ Quotation from man slapo-ppolicy: pwdAccountLockedTime This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE". ------------------------------------------------------------------------ Also set default value for sdap_pwdlockout_dn to cn=ppolicy,ou=policies,${search_base} Resolves: https://fedorahosted.org/sssd/ticket/2364
* SDAP: new option - DN to ppolicy on LDAPPavel Reichl2014-08-198-0/+8
| | | | | | | | To check value of pwdLockout attribute on LDAP server, DN of ppolicy must be set. Resolves: https://fedorahosted.org/sssd/ticket/2364
* SDAP: refactor AC offline checksPavel Reichl2014-08-191-9/+12
| | | | Prepare code for other access control checks.
* SDAP: don't log error on access deniedPavel Reichl2014-08-191-1/+6
| | | | | | Don't log error if access is denied in function sdap_access_done(). Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: refactor sdap_access_filter_donePavel Reichl2014-08-191-18/+37
| | | | | | | | | | | | As preparation for ticket #2364 move code from sdap_access_filter_done() into sdap_access_done() to make its reuse possible and thus avoid code duplication. Rename check_next_rule() to sdap_access_check_next_rule(). Update definition order of tevent-using functions by time of execution. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: nitpicks in sdap_access_filter_get_access_donePavel Reichl2014-08-191-7/+5
| | | | | | Fixed typo and replaced duplicated string by macro definition. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: refactor sdap_access_filter_sendPavel Reichl2014-08-191-16/+30
| | | | | | | | | As preparation for ticket #2364 separate code for parsing user basedn to a new function sdap_get_basedn_user_entry(). We actually do not need to call strdup on basedn, instead we can just point to address in user_entry as it's allocated on parent memory context. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: split sdap_access_filter_get_access_donePavel Reichl2014-08-191-20/+39
| | | | | | | As a preparation for ticket #2364 separate code for storing user bool values into sysdb to a new function sdap_save_user_cache_bool(). Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: handle searches by SID in apply_subdomain_homedirJakub Hrozek2014-08-191-4/+9
| | | | | | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2391 apply_subdomain_homedir() didn't handle the situation where an entity that doesn't match was requested from the cache. For user and group lookups this wasn't a problem because the negative match was caught sooner. But SID lookups can match either user or group. When a group SID was requested, the preceding LDAP request matched the SID and stored the group in the cache. Then apply_subdomain_homedir() only tried to search user by SID, didn't find the entry and accessed a NULL pointer. A simple reproducer is: $ python >>> import pysss_nss_idmap >>> pysss_nss_idmap.getnamebysid(group_sid) The group_sid can be anything, including Domain Users (XXX-513) Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 82347f452febe3cbffc36b0a3308ffb462515442)
* sudo: work with correct D-Bus iteratorPavel Březina2014-08-191-3/+4
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit a8e9aedbf7f6ada4e9f505da5fad8a61e4066684)
* MAN: How much time sssd spends offlineMichal Zidek2014-08-191-4/+41
| | | | | | | Added note to man page about how the time SSSD spends offline is calculated. Reviewed-by: Dan Lavu <side_control@runlevelone.net>
* SUDO: Use the override_space optionJakub Hrozek2014-08-142-2/+8
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2397 With this path, a user whose name is "space user" would match a sudo rule while using the override_default_space option. Please note that the option is only a client-side override, so the sudoUser attribute must contain the space in order to match the original name. In other words, when substituting space ( ) for underscore (_), this attribute would match: sudoUser: space user this would not: sudoUser: space_user Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 3b96d478851fbbe391ab30e3d6a0afdb9ecdd4a0)
* IFP: Use the override_space optionJakub Hrozek2014-08-141-2/+51
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2397 The input of the InfoPipe responder substitutes the configured character for space and the GetUserAttrs and GetUserGroups functions substitute space for the configured character in their output. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit fcfd1cb69762c49ba56326dfc85008c1d83333b2)
* PAM: Use the override_space optionJakub Hrozek2014-08-141-0/+8
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2397 When using the override_default_space option, this patch allows to log in using both the original name (space user) as well as the normalized name (space_user). Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 0fcc9ed1c66bed7ef3a0bcd6c517280a82391d2b)
* Make the space override responder-agnosticJakub Hrozek2014-08-148-32/+59
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2397 In order to make the override_space option usable by other responders, we need to move the override_space option to the generic responder structure. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit f3a5ac1a50c1fccd0801023658e42d2093e1a33a)
* Only replace space with the specified substitutionJakub Hrozek2014-08-1411-218/+110
| | | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2397 - make sss_replace_whitespaces only replace space (' ') not any whitespace - make sss_replace_whitespaces only replace a single char, not the whole string - rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to CONFDB_NSS_OVERRIDE_DEFAULT_SPACE - rename the override_default_whitespace option to override_space - rename sss_replace_whitespaces() to sss_replace_space() - rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space() - rename nctx->override_default_wsp_str to nctx->override_space - make the return value of sss_replace_space non-const to avoid freeing the result without compilation warnings Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 1f3127e88a87953f059c9a70d3582ae1719594b1)
* LDAP SUDO: sudo provider doesn't fetch 'EntryUSN'Michal Šrubař2014-08-141-0/+1
| | | | | | | | | | | | The EntryUSN is not fetched by the sudo LDAP provider when it downloads the rules because sudorule_map is missing this attribute. We forgot to add the SDAP_AT_SUDO_RUNAS into sdap_sudorule_attrs when we added support for sudoRunAs. Related to: https://fedorahosted.org/sssd/ticket/2212 (cherry picked from commit a1e89ede4995f948abc1acc364246161df7cca2c)
* NSS: Ignore default_domain for netgroupsJakub Hrozek2014-08-141-1/+1
| | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2400 Netgroups often have members that will not process correctly when we require a fully-qualified name. This patch simply ignores the default_domain setting for netgroup lookups - we ignore FQDN only domains for netgroup lookups since 1933ff17513da1d979dd22776a03478341ef5e6b anyway. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit e6d441518531e7931e29dd8c65a3448a213e3865)
* ad initgroups: continue if resolved SID is still missingPavel Březina2014-08-141-6/+13
| | | | | | | https://fedorahosted.org/sssd/ticket/2389 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 983983dd1629ab33eab340a40d9ee83965a339c6)
* RPM: Restart service in %posttrans, not %postJakub Hrozek2014-08-141-3/+2
| | | | | | | | | | | | | | | | When upgrading from a 1.9 version with monolithic packaging to 1.10 or later with per-provider subpackage, sssd-common can be upgraded (and restarted) before the new sssd-$provider is restarted. This can lead to a startup failure, because the sssd_be process from already upgraded sssd-common would attempt to load a sssd_$provider.so from the legacy sssd package. Restarting the service in %posttrans makes sure all the packages are in place when we restart the service. Resolves: https://fedorahosted.org/sssd/ticket/2399 (cherry picked from commit 192027debeaa991690160c3cb68480fe54ad8fdf)
* IFP: Fix lookups with fully-qualified namesJakub Hrozek2014-08-141-2/+2
| | | | | | | | | | | | | | The Data Provider lookup code user the original input string as the lookup key instead of the parsed name component. For example, for an input joe@mydomain, the backend would have searched for: (&(cn=joe@mydomain)(objectclass=user)) This patch fixes the lookup to use the parsed name. https://fedorahosted.org/sssd/ticket/2402 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit d8b8995ef1c3f2a6c85dc141aaff7eef3faf05c1)
* sudo: replace asterisk with escape sequence in host filterPavel Březina2014-08-141-1/+1
| | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2377 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 8c4abd227035169e75cb081424765e65c52b5266)
* Exit offline mode only if server is available.Michal Zidek2014-07-312-7/+43
| | | | | | | | | | | | | | | | | | | | This patch adds periodic check to test if backend can exit offline mode and only marks backend as not offline if server for the service is available. Prior to this patch we marked backend as not offline if the offline_timeout was reached without checking for the server availability and when the next request failed again we switched back to the offline mode. This caused significant slowdowns in some edge cases. Fixes: https://fedorahosted.org/sssd/ticket/2355 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>