From 0aa18cc0bf3447ca734476926724f1632e160807 Mon Sep 17 00:00:00 2001
From: Pavel Reichl
Date: Thu, 16 Apr 2015 03:41:58 -0400
Subject: PAM: authenticate agains cache

Enable authenticating users from cache even when SSSD is in online mode. Introduce new option `cached_auth_timeout`.

Resolves: https://fedorahosted.org/sssd/ticket/1807

Reviewed-by: Jakub Hrozek
---
 src/confdb/confdb.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/confdb/confdb.h | 2 ++
 2 files changed, 64 insertions(+)
(limited to 'src/confdb')

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 9af754912..3a8a1c01b 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -760,6 +760,59 @@ static uint32_t confdb_get_min_id(struct sss_domain_info *domain)
 return defval;
 }
+static errno_t init_cached_auth_timeout(struct confdb_ctx *cdb,
+ struct ldb_message *msg,
+ uint32_t *_cached_auth_timeout)
+{
+ int cred_expiration;
+ int id_timeout;
+ errno_t ret;
+ uint32_t cached_auth_timeout;
+
+ ret = get_entry_as_uint32(msg, &cached_auth_timeout,
+ CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n", CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT);
+ goto done;
+ }
+
+ ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_CRED_TIMEOUT, 0, &cred_expiration);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read expiration time of offline credentials.\n");
+ goto done;
+ }
+
+ /* convert from days to seconds */
+ cred_expiration *= 3600 * 24;
+ if (cred_expiration != 0 &&
+ cred_expiration < cached_auth_timeout) {
+ cached_auth_timeout = cred_expiration;
+ }
+
+ /* Set up the PAM identity timeout */
+ ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ID_TIMEOUT, 5,
+ &id_timeout);
+ if (ret != EOK) goto done;
+
+ if (cached_auth_timeout > id_timeout) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "cached_auth_timeout is greater than pam_id_timeout so be aware "
+ "that back end could be called to handle initgroups.\n");
+ }
+
+ ret = EOK;
+
+done:
+ if (ret == EOK) {
+ *_cached_auth_timeout = cached_auth_timeout;
+ }
+ return ret;
+}
+
 static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 TALLOC_CTX *mem_ctx,
 const char *name,
@@ -1277,6 +1330,15 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 goto done;
 }
+ ret = init_cached_auth_timeout(cdb, res->msgs[0],
+ &domain->cached_auth_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "init_cached_auth_timeout failed: %s:[%d].\n",
+ sss_strerror(ret), ret);
+ goto done;
+ }
+
 domain->has_views = false;
 domain->view_name = NULL;
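Review bot: `cred_expiration *= 3600 * 24;` in init_cached_auth_timeout multiplies a configured `int` day count in `int`, which is undefined behaviour for any value above INT_MAX/86400 (about 24855 days), and the next line `cred_expiration < cached_auth_timeout` compares `int` against `uint32_t`, so a negative configured value is promoted to a large unsigned number and the cap is silently skipped instead of being rejected. The value read through `CONFDB_PAM_CRED_TIMEOUT` is admin-supplied, so this is a robustness problem rather than an exposure, but the same mixed-sign comparison recurs in `if (cached_auth_timeout > id_timeout)`. Suggest validating the range before the arithmetic and computing the seconds in an unsigned type: `if (cred_expiration < 0 || cred_expiration > INT_MAX / (3600 * 24)) { ret = EINVAL; goto done; }` followed by `uint32_t cred_expiration_sec = (uint32_t)cred_expiration * 3600 * 24;` and using `cred_expiration_sec` in the comparison and the assignment (INT_MAX needs `<limits.h>` if confdb.c does not already pull it in). A why-comment above the cap would also help the next reader, e.g. `/* Cached authentication must not outlive the offline credential expiration. */`.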
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 801a13fc2..b2ec2e0b9 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -188,6 +188,7 @@
 #define CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL "refresh_expired_interval"
 #define CONFDB_DOMAIN_OFFLINE_TIMEOUT "offline_timeout"
 #define CONFDB_DOMAIN_SUBDOMAIN_INHERIT "subdomain_inherit"
+#define CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT "cached_auth_timeout"
 /* Local Provider */
 #define CONFDB_LOCAL_DEFAULT_SHELL "default_shell"
@@ -248,6 +249,7 @@ struct sss_domain_info {
 uint32_t refresh_expired_interval;
 uint32_t subdomain_refresh_interval;
+ uint32_t cached_auth_timeout;
 int pwd_expiration_warning;
-- cgit