From 440d7fb430f83b3547f98f79c67a232ab2220296 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Thu, 8 Dec 2011 16:14:52 -0500
Subject: Add sdap_connection_expire_timeout option

https://fedorahosted.org/sssd/ticket/1036
---
 src/config/SSSDConfig.py                   |  2 ++
 src/config/etc/sssd.api.d/sssd-ipa.conf    |  1 +
 src/config/etc/sssd.api.d/sssd-ldap.conf   |  1 +
 src/man/sssd-ldap.5.xml                    | 17 +++++++++++++++++
 src/providers/ipa/ipa_common.c             |  3 ++-
 src/providers/ipa/ipa_common.h             |  2 +-
 src/providers/ldap/ldap_common.c           |  3 ++-
 src/providers/ldap/sdap.h                  |  1 +
 src/providers/ldap/sdap_async_connection.c | 12 ++++++++++++
 9 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 84c9bdc52..cb55d3de1 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -160,6 +160,8 @@ option_strings = {
     'ldap_entry_usn' : _('entryUSN attribute'),
     'ldap_rootdse_last_usn' : _('lastUSN attribute'),
 
+    'ldap_connection_expiration_timeout' : _('How long to retain a connection to the LDAP server before disconnecting'),
+
     # [provider/ldap/id]
     'ldap_search_timeout' : _('Length of time to wait for a search request'),
     'ldap_enumeration_search_timeout' : _('Length of time to wait for a enumeration request'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index bd10d7944..2c12e8422 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -40,6 +40,7 @@ ldap_dns_service_name = str, None, false
 ldap_deref = str, None, false
 ldap_page_size = int, None, false
 ldap_deref_threshold = int, None, false
+ldap_connection_expire_timeout = int, None, false;
 
 [provider/ipa/id]
 ldap_search_timeout = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index dcd1586c1..9a89bfe2d 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -32,6 +32,7 @@ ldap_page_size = int, None, false
 ldap_deref_threshold = int, None, false
 ldap_sasl_canonicalize = bool, None, false
 ldap_sasl_minssf = int, None, false
+ldap_connection_expire_timeout = int, None, false
 
 [provider/ldap/id]
 ldap_search_timeout = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 75bc764ec..2f441df3a 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -964,6 +964,23 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ldap_connection_expire_timeout (integer)</term>
+                    <listitem>
+                        <para>
+                            Specifies a timeout (in seconds) that a connection
+                            to an LDAP server will be maintained. After this
+                            time, the connection will be re-established. If
+                            used in parallel with SASL/GSSAPI, the sooner of
+                            the two values (this value vs. the TGT lifetime)
+                            will be used.
+                        </para>
+                        <para>
+                            Default: 900 (15 minutes)
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>ldap_page_size (integer)</term>
                     <listitem>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 472425312..f437580a7 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -102,7 +102,8 @@ struct dp_option ipa_def_ldap_opts[] = {
     { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
     { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
-    { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+    { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }
 };
 
 struct sdap_attr_map ipa_attr_map[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 22f4bc634..f7ab5efdc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
 /* the following defines are used to keep track of the options in the ldap
  * module, so that if they change and ipa is not updated correspondingly
  * this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 54
+#define IPA_OPTS_BASIC_TEST 55
 
 /* the following define is used to keep track of the options in the krb5
  * module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 170720c3f..f9627ac1d 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -91,7 +91,8 @@ struct dp_option default_basic_opts[] = {
     { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
     { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
-    { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+    { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }
 };
 
 struct sdap_attr_map generic_attr_map[] = {
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 3ab726aad..f08200c95 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -203,6 +203,7 @@ enum sdap_basic_opt {
     SDAP_PAGE_SIZE,
     SDAP_DEREF_THRESHOLD,
     SDAP_SASL_CANONICALIZE,
+    SDAP_EXPIRE_TIMEOUT,
 
     SDAP_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 6350e337e..e1099a17d 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1502,6 +1502,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
     struct sdap_cli_connect_state *state = tevent_req_data(req,
                                              struct sdap_cli_connect_state);
     struct tevent_req *subreq;
+    time_t now;
+    int expire_timeout;
 
     if (!state->do_auth) {
         /* No authentication requested or GSSAPI auth forced off */
@@ -1509,6 +1511,16 @@ static void sdap_cli_auth_step(struct tevent_req *req)
         return;
     }
 
+    /* Set the LDAP expiration time
+     * If SASL has already set it, use the sooner of the two
+     */
+    now = time(NULL);
+    expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT);
+    if (!state->sh->expire_time
+            || (state->sh->expire_time > (now + expire_timeout))) {
+        state->sh->expire_time = now + expire_timeout;
+    }
+
     subreq = sdap_auth_send(state,
                             state->ev,
                             state->sh,
-- 
cgit