-rw-r--r--src/man/sssd-ldap.5.xml9
-rw-r--r--src/providers/ad/ad_opts.h2
-rw-r--r--src/providers/ipa/ipa_opts.h2
-rw-r--r--src/providers/ldap/ldap_id_enum.c19
-rw-r--r--src/providers/ldap/ldap_opts.h2
5 files changed, 29 insertions, 5 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 83ec9b668..9756a5547 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -719,10 +719,15 @@
</para>
<para>
Setting this option to zero will disable the
- cache cleanup operation.
+ cache cleanup operation. Please note that if
+ enumeration is enabled, the cleanup task is
+ required in order to detect entries removed from
+ the server and can't be disabled. By default,
+ the cleanup task will run every 3 hours with
+ enumeration enabled.
</para>
<para>
- Default: 10800 (3 hours)
+ Default: 0 (disabled)
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 0b7255a82..15b140434 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -86,7 +86,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
{ "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER },
- { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 10800 }, NULL_NUMBER },
+ { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index f2f164bc3..8a0764265 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -98,7 +98,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
{ "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER },
- { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 3600 }, NULL_NUMBER },
+ { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, { "/etc/ipa/ca.crt" }, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
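Review bot: The IPA default goes from 3600 to 0 here, but the enumeration fallback introduced in ldap_id_enum.c applies LDAP_ENUM_PURGE_TIMEOUT (10800) to every provider, so an IPA domain with enumeration enabled will now purge its cache every 3 hours instead of every hour unless the admin sets ldap_purge_cache_timeout explicitly. If the shorter IPA interval was deliberate, the fallback needs to stay provider-aware (for example a non-zero value kept in this table) rather than one constant for all backends. The ad_opts.h and ldap_opts.h hunks make the same 10800 to 0 change, which matches the new fallback, so only the IPA table changes effective behaviour.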
diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
index 1aec91a99..89c305c0d 100644
--- a/src/providers/ldap/ldap_id_enum.c
+++ b/src/providers/ldap/ldap_id_enum.c
@@ -27,6 +27,8 @@
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async_enum.h"
+#define LDAP_ENUM_PURGE_TIMEOUT 10800
+
errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
struct sdap_options *opts,
struct sdap_domain *sdom,
@@ -37,6 +39,7 @@ errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
errno_t ret;
time_t first_delay;
time_t period;
+ time_t cleanup;
bool has_enumerated;
struct ldap_enum_ctx *ectx;
@@ -65,6 +68,22 @@ errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
first_delay = 0;
}
+ cleanup = dp_opt_get_int(opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
+ if (cleanup == 0) {
+ /* We need to cleanup the cache once in a while when enumerating, otherwise
+ * enumeration would only download deltas since the previous lastUSN and would
+ * not detect removed entries
+ */
+ ret = dp_opt_set_int(opts->basic, SDAP_CACHE_PURGE_TIMEOUT,
+ LDAP_ENUM_PURGE_TIMEOUT);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot set cleanup timeout, enumeration wouldn't "
+ "detect removed entries!\n");
+ return ret;
+ }
+ }
+
period = dp_opt_get_int(opts->basic, SDAP_ENUM_REFRESH_TIMEOUT);
ectx = talloc(sdom, struct ldap_enum_ctx);
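Review bot: The new block overwrites the configured value without any log line, so an administrator who deliberately set ldap_purge_cache_timeout = 0 gets a cleanup task running every 3 hours with nothing in the debug log explaining why; the override should be announced, e.g. `DEBUG(SSSDBG_CONF_SETTINGS, "Enumeration requires the cleanup task, using %d seconds\n", LDAP_ENUM_PURGE_TIMEOUT);` before the dp_opt_set_int call. The guard only matches exactly 0; if a negative value is not rejected elsewhere during option parsing it would bypass the override and still leave removed entries undetected, so `if (cleanup <= 0)` seems the safer test. The fix also presumes the periodic cleanup task reads SDAP_CACHE_PURGE_TIMEOUT after ldap_setup_enumeration has run; that ordering is not visible here and is worth confirming in the caller. ldap_setup_enumeration begins and ends outside this hunk.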
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 7c9ed3e01..f449ec7c3 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -63,7 +63,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
{ "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER },
- { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 10800 }, NULL_NUMBER },
+ { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },