From 6c4e8869ba6121ddbc6e1eca880c39b0af3391e0 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Wed, 25 Oct 2017 11:38:55 +0300

Subject: [PATCH 15/17] configure.ac: detect extended NSS API provided by SSSD

SSSD exposes an extended NSS API via libsss_nss_idmap. This API allows

to query getpwnam()/getgrnam()/getgruid()/getpwuid()/getgrouplist()

information with a timeout per request. As result, an application has

possibility to cancel too long request.

This API also allows to ignore SSSD cache or invalidate it when

requesting certain information. slapi-nis needs this functionality when

invalidating own entries as result of changes done by other LDAP clients

in the areas which slapi-nis doesn't track directly.

For example, an update of ID override in the Default Trust View should

invalidate user or group entry for that AD object. Since retrieval of

the user/group information relies on SSSD, SSSD needs to be notified

that there is a change in ID override and evict the entry from its cache

as well.

---

 configure.ac | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/configure.ac b/configure.ac

index f82a47e..a958607 100644

--- a/configure.ac

+++ b/configure.ac

@@ -361,8 +361,13 @@ if test "x$use_nsswitch" != xno ; then

 			SSS_NSS_IDMAP_LIBS=

 		fi

 	fi

+

 	AC_SUBST(SSS_NSS_IDMAP_CFLAGS)

 	AC_SUBST(SSS_NSS_IDMAP_LIBS)

+	AC_CHECK_LIB(sss_nss_idmap,sss_nss_getpwnam_timeout)

+	if test "x$ac_cv_lib_sss_nss_idmap_sss_nss_getpwnam_timeout" = xyes ; then

+		AC_DEFINE(USE_SSS_NSS_TIMEOUT,1,[Use extended NSS API provided by SSSD])

+	fi

 	if test "x$use_pam" != xno ; then

 		AC_CHECK_HEADERS(security/pam_appl.h)

@@ -384,6 +389,7 @@ if test "x$use_nsswitch" != xno ; then

 	fi

 	AC_DEFINE(USE_NSSWITCH,1,[Use nsswitch API to lookup users and groups not found in the LDAP tree])

 fi

+AM_CONDITIONAL([USE_SSS_NSS_TIMEOUT], [test "x$ac_cv_lib_sss_nss_idmap_sss_nss_getpwnam_timeout" = xyes])

 use_idviews=true

 AC_ARG_WITH(idviews,

-- 

2.13.6