From cffe3135f29c737f2598f3c1384bfba1694fb843 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 28 Apr 2015 17:20:05 +0200
Subject: IPA: update initgr expire timestamp conditionally

Newer versions of the extdom plugin return the full list of group-memberships during user lookups. As a result the lifetime of the group-membership data is updates in those cases. But if the user is not looked up directly but is resolved as a group member during a group lookup SSSD does not resolve all group-membership of the user to avoid deep recursion and eventually a complete enumeration of the user and group base. In this case the lifetime of the group-memberships should not be updated because it might be incomplete.

Related to https://fedorahosted.org/sssd/ticket/2633

Reviewed-by: Jakub Hrozek
---
 src/providers/ipa/ipa_s2n_exop.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
(limited to 'src')

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 3830a2b4b..daebd6885 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -685,7 +685,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 struct resp_attrs *attrs,
 struct resp_attrs *simple_attrs,
 const char *view_name,
- struct sysdb_attrs *override_attrs);
+ struct sysdb_attrs *override_attrs,
+ bool update_initgr_timeout);
 static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
 char *retoid,
@@ -1118,7 +1119,7 @@ static errno_t ipa_s2n_get_fqlist_save_step(struct tevent_req *req)
 ret = ipa_s2n_save_objects(state->dom, &state->req_input, state->attrs,
 NULL, state->ipa_ctx->view_name,
- state->override_attrs);
+ state->override_attrs, false);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 return ret;
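Review bot: The bare `false` passed to ipa_s2n_save_objects in ipa_s2n_get_fqlist_save_step carries the whole point of this change, but nothing at the call site says why; a reader has to find the definition to learn that it suppresses the SYSDB_INITGR_EXPIRE refresh for a user that was only resolved as a member of the object being looked up. I would keep the reason next to the literal: `state->override_attrs, false); /* nested member lookup: group list not fully resolved, do not refresh SYSDB_INITGR_EXPIRE */`. ipa_s2n_get_fqlist_save_step starts before this hunk and its body continues past the `return ret;` line.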
@@ -1617,7 +1618,7 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
 || strcmp(state->ipa_ctx->view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
- state->simple_attrs, NULL, NULL);
+ state->simple_attrs, NULL, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 goto done;
@@ -1739,7 +1740,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 struct resp_attrs *attrs,
 struct resp_attrs *simple_attrs,
 const char *view_name,
- struct sysdb_attrs *override_attrs)
+ struct sysdb_attrs *override_attrs,
+ bool update_initgr_timeout)
 {
 int ret;
 time_t now;
@@ -1938,7 +1940,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 }
 }
- if (attrs->response_type == RESP_USER_GROUPLIST) {
+ if (attrs->response_type == RESP_USER_GROUPLIST
+ && update_initgr_timeout) {
 /* Since RESP_USER_GROUPLIST contains all group memberships it
 * is effectively an initgroups request hence
 * SYSDB_INITGR_EXPIRE will be set.*/
@@ -2209,7 +2212,7 @@ static void ipa_s2n_get_fqlist_done(struct tevent_req *subreq)
 &sid_str);
 if (ret == ENOENT) {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
- state->simple_attrs, NULL, NULL);
+ state->simple_attrs, NULL, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 goto fail;
@@ -2249,7 +2252,7 @@ static void ipa_s2n_get_fqlist_done(struct tevent_req *subreq)
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
 state->simple_attrs, state->ipa_ctx->view_name,
- state->override_attrs);
+ state->override_attrs, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 tevent_req_error(req, ret);
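Review bot: The new `update_initgr_timeout` parameter on the ipa_s2n_save_objects definition is undocumented, and its only effect is found roughly two hundred lines further down where it gates the SYSDB_INITGR_EXPIRE update, so a caller deciding what to pass has nothing to go on at the signature. A short comment above the definition would pin the contract, e.g. `/* update_initgr_timeout: true when attrs come from a direct lookup of this user (the group list is complete); false when the user was only resolved as a member of another object and the list may be incomplete, so SYSDB_INITGR_EXPIRE must not be refreshed. */`. Only the signature and the first two locals of ipa_s2n_save_objects are visible in this hunk; the function continues outside it.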
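Review bot: The comment inside the guarded block still states that RESP_USER_GROUPLIST "is effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set", which the added `&& update_initgr_timeout` condition makes only sometimes true; the last line should read something like `* SYSDB_INITGR_EXPIRE will be set, unless the caller passed update_initgr_timeout == false because this user was only resolved as a member of another object and the list may be incomplete. */`. A question the hunk does not answer: if the code earlier in ipa_s2n_save_objects still stores the memberships from an incomplete RESP_USER_GROUPLIST, skipping only the timestamp refresh leaves whatever SYSDB_INITGR_EXPIRE the cached user already had, so a truncated group list could be served from cache until that older timestamp expires; it is worth confirming that the partial list is merged into, rather than replacing, the existing memberships. ipa_s2n_save_objects starts and ends outside this hunk.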
@@ -2285,7 +2288,7 @@ static void ipa_s2n_get_user_get_override_done(struct tevent_req *subreq)
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
 state->simple_attrs, state->ipa_ctx->view_name,
- override_attrs, true);
+ override_attrs, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 tevent_req_error(req, ret);
-- cgit
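Review bot: The completion callback here (ipa_s2n_get_user_get_override_done), like ipa_s2n_get_user_done and both paths in ipa_s2n_get_fqlist_done, hard-codes `true`, while ipa_s2n_get_fqlist_save_step hard-codes `false`; whether the group list is trustworthy is thus encoded as a literal scattered over five call sites rather than as a property of the request. If any of these callbacks is ever reused for a nested member lookup the literal would silently be wrong, so consider setting the flag once in the request state when the request is created and passing `state->update_initgr_timeout` here instead of `true`. ipa_s2n_get_user_get_override_done starts before the hunk and ends outside it.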