From ab9cc3894af6fc0e768c631da23446287cd6e8e2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 28 Apr 2015 17:20:05 +0200
Subject: [PATCH 212/214] IPA: update initgr expire timestamp conditionally
Newer versions of the extdom plugin return the full list of
group-memberships during user lookups. As a result the lifetime of the
group-membership data is updated in those cases. But if the user is not
looked up directly but is resolved as a group member during a group
lookup SSSD does not resolve all group-membership of the user to avoid
deep recursion and eventually a complete enumeration of the user and
group base. In this case the lifetime of the group-memberships should
not be updated because it might be incomplete.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit cffe3135f29c737f2598f3c1384bfba1694fb843)
(cherry picked from commit f643fadbd072a9d3725f5f750340d5b13628ce6a)
---
src/providers/ipa/ipa_s2n_exop.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
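diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 03264fcd7f6f42dfa68db4f331184da32529818f..2f1974d2c250ad2f8283659de4ddc319500ac6a5 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -676,7 +676,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 struct resp_attrs *attrs,
 struct resp_attrs *simple_attrs,
 const char *view_name,
- struct sysdb_attrs *override_attrs);
+ struct sysdb_attrs *override_attrs,
+ bool update_initgr_timeout);
 
 static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
 char *retoid,
@@ -1109,7 +1110,7 @@ static errno_t ipa_s2n_get_fqlist_save_step(struct tevent_req *req)
 
 ret = ipa_s2n_save_objects(state->dom, &state->req_input, state->attrs,
 NULL, state->ipa_ctx->view_name,
- state->override_attrs);
+ state->override_attrs, false);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 return ret;
@@ -1607,7 +1608,7 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
 || strcmp(state->ipa_ctx->view_name,
 SYSDB_DEFAULT_VIEW_NAME) == 0) {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
- state->simple_attrs, NULL, NULL);
+ state->simple_attrs, NULL, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 goto done;
@@ -1729,7 +1730,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 struct resp_attrs *attrs,
 struct resp_attrs *simple_attrs,
 const char *view_name,
- struct sysdb_attrs *override_attrs)
+ struct sysdb_attrs *override_attrs,
+ bool update_initgr_timeout)
 {
 int ret;
 time_t now;
@@ -1929,7 +1931,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 }
 }
 
- if (attrs->response_type == RESP_USER_GROUPLIST) {
+ if (attrs->response_type == RESP_USER_GROUPLIST
+ && update_initgr_timeout) {
 /* Since RESP_USER_GROUPLIST contains all group memberships it
 * is effectively an initgroups request hence
 * SYSDB_INITGR_EXPIRE will be set.*/
@@ -2231,7 +2234,7 @@ static void ipa_s2n_get_fqlist_done(struct tevent_req *subreq)
 &sid_str);
 if (ret == ENOENT) {
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
- state->simple_attrs, NULL, NULL);
+ state->simple_attrs, NULL, NULL, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 goto fail;
@@ -2271,7 +2274,7 @@ static void ipa_s2n_get_fqlist_done(struct tevent_req *subreq)
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
 state->simple_attrs,
 state->ipa_ctx->view_name,
- state->override_attrs);
+ state->override_attrs, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 tevent_req_error(req, ret);
@@ -2307,7 +2310,7 @@ static void ipa_s2n_get_user_get_override_done(struct tevent_req *subreq)
 
 ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
 state->simple_attrs, state->ipa_ctx->view_name,
- override_attrs);
+ override_attrs, true);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
 tevent_req_error(req, ret);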
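Review bot: The comment inside the gated block in the `@@ -1929,7 +1931,8 @@` hunk still reads as if SYSDB_INITGR_EXPIRE is set for every RESP_USER_GROUPLIST response, which no longer holds when `update_initgr_timeout` is false, and the new parameter is not documented in any visible line. I would extend that comment with something like `/* Only refresh SYSDB_INITGR_EXPIRE when the user was looked up directly; a user saved while resolving group members may carry an incomplete membership list. */` and add a one-line description of the flag at the prototype in the `@@ -676,7 +676,8 @@` hunk. The distinction matters for authorization, since a refreshed expiry presumably lets later initgroups requests be answered from a cached list that may be missing groups, so the reason for the single `false` in ipa_s2n_get_fqlist_save_step deserves a short why-comment at that call. The body of ipa_s2n_save_objects extends beyond the hunks shown, so whether other paths write the same attribute cannot be checked from here.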
--
2.4.3