From 3366a3cdbf93eea757123e11a32307a005c05443 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 21 Sep 2015 15:53:50 +0200
Subject: IPA: Only re-fetch the keytab if modifyTimestamp is newer than last LDAP connection

Resolves: https://fedorahosted.org/sssd/ticket/2639

When a subdomain account lookup errors out, try to re-setup the trust object. Only do this, if the connection was established after the last re-set of the trust object. Internally, the setup function looks at the modifyTimestamp operational attribute of the TDO. If the modifyTimestamp is newer than the last keytab check, then the trust was re-created and we need to fetch the keytab again.

Marking the back end as online re-sets the TDO check timestamp so that after cycling the sssd, the keytab would always be checked.
---
 src/providers/ipa/ipa_id.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/providers/ipa/ipa_id.c')

diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index e81ccb34d..1e91fc599 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -1293,5 +1293,9 @@ void ipa_check_online(struct be_req *be_req)
 ipa_ctx = talloc_get_type(be_ctx->bet_info[BET_ID].pvt_bet_data,
 struct ipa_id_ctx);
+ if (ipa_ctx->server_mode == NULL) {
+ ipa_subdom_reset_trust(ipa_ctx->server_mode);
+ }
+
 return sdap_do_online_check(be_req, ipa_ctx->sdap_id_ctx);
 }
-- cgit
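Review bot: The new guard in ipa_check_online is inverted: it tests `ipa_ctx->server_mode == NULL` and then passes that same, known-NULL pointer to `ipa_subdom_reset_trust(ipa_ctx->server_mode)`, so the reset is only ever attempted with a NULL server-mode context (presumably dereferenced inside the callee, which is not visible here) and is skipped in the one configuration where the commit message says it must run. The condition should read `if (ipa_ctx->server_mode != NULL) {`, so that the TDO check timestamp is reset only when this backend is running in server mode and the trust context actually exists. A one-line comment above the block would also help future readers, since the message's rationale is not carried into the code: `/* Server mode only: force the TDO modifyTimestamp/keytab check to run again on the next subdomain lookup after going online */`. The start of ipa_check_online lies above the hunk, so any earlier NULL handling of ipa_ctx itself could not be checked from this view.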