author | Pavel Březina <pbrezina@redhat.com> | 2016-01-12 12:15:03 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-01-19 14:33:51 +0100 |
commit | 8bd44a13de231d025882810c720dd07ca4ee564d (patch) | |
tree | d998c9cf1fb99eea07dd609dfbf5639dd7fb1bb7 | |
parent | 43bbf5b158ec3152806791ca49ae224ee978de24 (diff) | |
SUDO: assume zero if usn is unknown
When we switched to be_ptasks, full_refresh_done has become obsolete since
timing is handled in a better way. In case of an unknown USN we assume zero,
which allows us to disable full refresh completely in configuration.
Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r-- | src/providers/ipa/ipa_sudo.h | 2 | ||||
-rw-r--r-- | src/providers/ipa/ipa_sudo_refresh.c | 18 | ||||
-rw-r--r-- | src/providers/ldap/sdap_sudo.c | 4 | ||||
-rw-r--r-- | src/providers/ldap/sdap_sudo_refresh.c | 19 |
4 files changed, 13 insertions, 30 deletions
diff --git a/src/providers/ipa/ipa_sudo.h b/src/providers/ipa/ipa_sudo.h
index 3c346c837..8b8660019 100644
--- a/src/providers/ipa/ipa_sudo.h
+++ b/src/providers/ipa/ipa_sudo.h
@@ -28,8 +28,6 @@ struct ipa_sudo_ctx {
 struct ipa_options *ipa_opts;
 struct sdap_options *sdap_opts;
- bool full_refresh_done;
-
 /* sudo */
 struct sdap_attr_map *sudocmdgroup_map;
 struct sdap_attr_map *sudorule_map;
diff --git a/src/providers/ipa/ipa_sudo_refresh.c b/src/providers/ipa/ipa_sudo_refresh.c
index c8fb7d921..5934a8f11 100644
--- a/src/providers/ipa/ipa_sudo_refresh.c
+++ b/src/providers/ipa/ipa_sudo_refresh.c
@@ -105,8 +105,6 @@ ipa_sudo_full_refresh_done(struct tevent_req *subreq)
 goto done;
 }
- state->sudo_ctx->full_refresh_done = true;
-
 ret = sysdb_sudo_set_last_full_refresh(state->domain, time(NULL));
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE, "Unable to save time of "
@@ -165,17 +163,13 @@ ipa_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
 return NULL;
 }
- if (!sudo_ctx->full_refresh_done
- || srv_opts == NULL || srv_opts->max_sudo_value == NULL) {
- /* Perform full refresh first */
- DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, "
- "waiting for full refresh!\n");
- ret = EINVAL;
- goto immediately;
- }
-
 /* Download all rules from LDAP that are newer than usn */
- usn = srv_opts->max_sudo_value;
+ if (srv_opts == NULL || srv_opts->max_sudo_value == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, ssuming zero.\n");
+ usn = "0";
+ } else {
+ usn = srv_opts->max_sudo_value;
+ }
 cmdgroups_filter = talloc_asprintf(state, "(&(%s>=%s)(!(%s=%s)))",
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 10067e9ba..e653c4636 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
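Review bot: The DEBUG message added in ipa_sudo_smart_refresh_send misspells its text; it should read `DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n");`, and the identical string is added in the sdap_sudo_smart_refresh_send hunk of src/providers/ldap/sdap_sudo_refresh.c. The "0" fallback turns this smart refresh into a `>=0` query that matches every rule, which is what the description intends, but a short comment at the fallback such as `/* No USN known yet: fetch every rule newer than 0 */` would keep a later reader from mistaking it for a partial update. If a smart refresh only adds and updates rules and never removes entries that disappeared from the server (not visible in this hunk), then a deployment that disables the full refresh entirely, as the description says is now possible, would keep revoked sudo rules in the local cache until some other purge runs; that trade-off belongs in the option's documentation. ipa_sudo_smart_refresh_send continues outside the hunk.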
@@ -71,10 +71,6 @@ int sdap_sudo_init(struct be_ctx *be_ctx,
 *ops = &sdap_sudo_ops;
 *pvt_data = sudo_ctx;
- /* we didn't do any full refresh now,
- * so we don't have current usn values available */
- sudo_ctx->full_refresh_done = false;
-
 ret = ldap_get_sudo_options(be_ctx->cdb, be_ctx->conf_path, id_ctx->opts, &sudo_ctx->use_host_filter,
diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c
index f1fb6a924..61f24efa1 100644
--- a/src/providers/ldap/sdap_sudo_refresh.c
+++ b/src/providers/ldap/sdap_sudo_refresh.c
@@ -115,8 +115,6 @@ static void sdap_sudo_full_refresh_done(struct tevent_req *subreq)
 goto done;
 }
- state->sudo_ctx->full_refresh_done = true;
-
 /* save the time in the sysdb */
 ret = sysdb_sudo_set_last_full_refresh(state->domain, time(NULL));
 if (ret != EOK) {
@@ -178,20 +176,17 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
 return NULL;
 }
- if (!sudo_ctx->full_refresh_done
- || srv_opts == NULL || srv_opts->max_sudo_value == NULL) {
- /* Perform full refresh first */
- DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, "
- "waiting for full refresh!\n");
- ret = EINVAL;
- goto immediately;
- }
-
 state->id_ctx = id_ctx;
 state->sysdb = id_ctx->be->domain->sysdb;
 /* Download all rules from LDAP that are newer than usn */
- usn = srv_opts->max_sudo_value;
+ if (srv_opts == NULL || srv_opts->max_sudo_value == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, ssuming zero.\n");
+ usn = "0";
+ } else {
+ usn = srv_opts->max_sudo_value;
+ }
+
 search_filter = talloc_asprintf(state, "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))", map[SDAP_OC_SUDORULE].name, |