summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2010-12-22 11:00:22 -0500
committerStephen Gallagher <sgallagh@redhat.com>2010-12-22 13:22:28 -0500
commitc71ff1e4615ec8560b90ca7d4827d99424ad0355 (patch)
tree5f1ccd75d8e6dfcb9d5a3898ebc9368dabcca261 /src
parent7da6ae5558059218d660d879057f6e39864c3493 (diff)
downloadsssd-c71ff1e4615ec8560b90ca7d4827d99424ad0355.tar.gz
sssd-c71ff1e4615ec8560b90ca7d4827d99424ad0355.tar.xz
sssd-c71ff1e4615ec8560b90ca7d4827d99424ad0355.zip
Update the ID cache for any PAM request
Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749
Diffstat (limited to 'src')
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml22
-rw-r--r--src/responder/common/responder.h2
-rw-r--r--src/responder/pam/pamsrv.c9
-rw-r--r--src/responder/pam/pamsrv.h1
-rw-r--r--src/responder/pam/pamsrv_cmd.c19
8 files changed, 48 insertions, 8 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index eccb98d3..5e55f255 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -81,6 +81,7 @@
#define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
#define CONFDB_PAM_VERBOSITY "pam_verbosity"
+#define CONFDB_PAM_ID_TIMEOUT "pam_id_timeout"
/* Data Provider */
#define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index b1177178..d23641c9 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -64,6 +64,7 @@ option_strings = {
'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
+ 'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'),
# [provider]
'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 3bd0cc49..5127b852 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -34,6 +34,7 @@ offline_credentials_expiration = int, None, false
offline_failed_login_attempts = int, None, false
offline_failed_login_delay = int, None, false
pam_verbosity = int, None, false
+pam_id_timeout = int, None, false
[provider]
#Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 7392dd09..96b7a4c3 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -440,6 +440,28 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_id_timeout (integer)</term>
+ <listitem>
+ <para>
+ For any PAM request while SSSD is online, the SSSD will
+ attempt to immediately update the cached identity
+ information for the user in order to ensure that
+ authentication takes place with the latest information.
+ </para>
+ <para>
+ A complete PAM conversation may perform multiple PAM
+ requests, such as account management and session
+ opening. This option controls (on a
+ per-client-application basis) how long (in seconds) we
+ can cache the identity information to avoid excessive
+ round-trips to the identity provider.
+ </para>
+ <para>
+ Default: 5
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
</refsect1>
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 783f9e40..6b81aada 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -118,6 +118,8 @@ struct cli_ctx {
char *netgr_name;
int netgrent_cur;
+
+ time_t pam_timeout;
};
struct sss_cmd_table {
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 61e7ce7a..91ee4a89 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -108,6 +108,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
struct be_conn *iter;
struct pam_ctx *pctx;
int ret, max_retries;
+ int id_timeout;
pctx = talloc_zero(mem_ctx, struct pam_ctx);
if (!pctx) {
@@ -153,6 +154,14 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
&pctx->neg_timeout);
if (ret != EOK) goto done;
+ /* Set up the PAM identity timeout */
+ ret = confdb_get_int(cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ID_TIMEOUT, 5,
+ &id_timeout);
+ if (ret != EOK) goto done;
+
+ pctx->id_timeout = (size_t)id_timeout;
+
ret = sss_ncache_init(pctx, &pctx->ncache);
if (ret != EOK) {
DEBUG(0, ("fatal error initializing negative cache\n"));
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 3ada4cfd..3ffc1708 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -35,6 +35,7 @@ struct pam_ctx {
struct resp_ctx *rctx;
struct sss_nc_ctx *ncache;
int neg_timeout;
+ time_t id_timeout;
};
struct pam_auth_req {
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 48341aab..6a8f1dbb 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -790,14 +790,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
/* make sure to update the preq if we changed domain */
preq->domain = dom;
- /* TODO: check negative cache ? */
-
- /* Always try to refresh the cache first on authentication */
- if (preq->check_provider &&
- (preq->pd->cmd == SSS_PAM_AUTHENTICATE ||
- preq->pd->cmd == SSS_PAM_SETCRED)) {
-
- /* call provider first */
+ /* Refresh the user's cache entry on any PAM query
+ * We put a timeout in the client context so that we limit
+ * the number of updates within a reasonable timeout
+ */
+ if (preq->check_provider && cctx->pam_timeout < time(NULL)) {
+ /* Call provider first */
break;
}
@@ -909,6 +907,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
{
struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req);
int ret;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
@@ -916,6 +916,9 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
}
+ /* Make sure we don't go to the ID provider too often */
+ preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
+
ret = pam_check_user_search(preq);
if (ret == EOK) {
pam_dom_forwarder(preq);