From e20452153abfc6bd6e941ba10d2e2cd2bc811139 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 1 Jul 2019 14:26:38 +0200
Subject: [PATCH 64/64] IPA/AD/LDAP: Increase the initgrExpireTimestamp after
 finishing refresh request

Related: https://pagure.io/SSSD/sssd/issue/4012

Calls sysdb_set_initgr_expire_timestamp() after each successful refresh
of initgroups data to make sure the initgrExpireTimestamp attribute is
increased.

If you're wondering why the timestamp is not set by the initgroups operation
itself, see tickets #3744 or #2634 for examples of bugs caused by setting
the initgrExpireTimestamp too soon.

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cdc44a05d11ae614eb55f219f70150d241cd850f)

Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/providers/ad/ad_refresh.c     | 12 ++++++++++++
 src/providers/ipa/ipa_refresh.c   | 12 ++++++++++++
 src/providers/ldap/sdap_refresh.c | 12 ++++++++++++
 3 files changed, 36 insertions(+)

diff --git a/src/providers/ad/ad_refresh.c b/src/providers/ad/ad_refresh.c
index 0c2ebce5e..7aa56f33e 100644
--- a/src/providers/ad/ad_refresh.c
+++ b/src/providers/ad/ad_refresh.c
@@ -26,6 +26,7 @@ struct ad_refresh_state {
     struct be_ctx *be_ctx;
     struct dp_id_data *account_req;
     struct ad_id_ctx *id_ctx;
+    struct sss_domain_info *domain;
     char **names;
     size_t index;
 };
@@ -60,6 +61,7 @@ static struct tevent_req *ad_refresh_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->be_ctx = be_ctx;
+    state->domain = domain;
     state->id_ctx = talloc_get_type(pvt, struct ad_id_ctx);
     state->names = names;
     state->index = 0;
@@ -167,6 +169,16 @@ static void ad_refresh_done(struct tevent_req *subreq)
         goto done;
     }
 
+    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
+        ret = sysdb_set_initgr_expire_timestamp(state->domain,
+                                                state->account_req->filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to set initgroups expiration for [%s]\n",
+                  state->account_req->filter_value);
+        }
+    }
+
     ret = ad_refresh_step(req);
     if (ret == EAGAIN) {
         return;
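Review bot: The failure branch added in ad_refresh_done logs only the user name, so the log cannot show why sysdb_set_initgr_expire_timestamp() failed, and `ret` is overwritten by the ad_refresh_step() call that follows. Put the code in the message, e.g. `"Failed to set initgroups expiration for [%s] [%d]: %s\n"` with `ret, sss_strerror(ret)` appended to the arguments. Because this timestamp decides how long cached group membership is served without a new lookup, a short comment such as `/* Non-fatal: the entry just keeps its old expiration and is refreshed again sooner */` would record why the error is not propagated, assuming that is the intent, which the hunk alone does not confirm. The identical block appears in ipa_refresh_done and sdap_refresh_done, so the same change applies there, and a small shared helper would keep the three copies from drifting apart. The function body starts and ends outside the hunk.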
diff --git a/src/providers/ipa/ipa_refresh.c b/src/providers/ipa/ipa_refresh.c
index 13c38dff9..64f8db812 100644
--- a/src/providers/ipa/ipa_refresh.c
+++ b/src/providers/ipa/ipa_refresh.c
@@ -26,6 +26,7 @@ struct ipa_refresh_state {
     struct be_ctx *be_ctx;
     struct dp_id_data *account_req;
     struct ipa_id_ctx *id_ctx;
+    struct sss_domain_info *domain;
     char **names;
     size_t index;
 };
@@ -59,6 +60,7 @@ static struct tevent_req *ipa_refresh_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->be_ctx = be_ctx;
+    state->domain = domain;
     state->id_ctx = talloc_get_type(pvt, struct ipa_id_ctx);
     state->names = names;
     state->index = 0;
@@ -147,6 +149,16 @@ static void ipa_refresh_done(struct tevent_req *subreq)
         goto done;
     }
 
+    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
+        ret = sysdb_set_initgr_expire_timestamp(state->domain,
+                                                state->account_req->filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to set initgroups expiration for [%s]\n",
+                  state->account_req->filter_value);
+        }
+    }
+
     ret = ipa_refresh_step(req);
     if (ret == EAGAIN) {
         return;
diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
index 4e464b2f6..402db53a9 100644
--- a/src/providers/ldap/sdap_refresh.c
+++ b/src/providers/ldap/sdap_refresh.c
@@ -29,6 +29,7 @@ struct sdap_refresh_state {
     struct be_ctx *be_ctx;
     struct dp_id_data *account_req;
     struct sdap_id_ctx *id_ctx;
+    struct sss_domain_info *domain;
     struct sdap_domain *sdom;
     char **names;
     size_t index;
@@ -63,6 +64,7 @@ static struct tevent_req *sdap_refresh_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->be_ctx = be_ctx;
+    state->domain = domain;
     state->id_ctx = talloc_get_type(pvt, struct sdap_id_ctx);
     state->names = names;
     state->index = 0;
@@ -165,6 +167,16 @@ static void sdap_refresh_done(struct tevent_req *subreq)
         goto done;
     }
 
+    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
+        ret = sysdb_set_initgr_expire_timestamp(state->domain,
+                                                state->account_req->filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to set initgroups expiration for [%s]\n",
+                  state->account_req->filter_value);
+        }
+    }
+
     ret = sdap_refresh_step(req);
     if (ret == EAGAIN) {
         return;
-- 
2.20.1