From 073f79ecb75ded427d93c5f8925076646b736b1c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 1 Jul 2019 14:26:38 +0200
Subject: [PATCH 45/48] IPA/AD/LDAP: Increase the initgrExpireTimestamp after
 finishing refresh request

Related: https://pagure.io/SSSD/sssd/issue/4012

Calls sysdb_set_initgr_expire_timestamp() after each successful refresh
of initgroups data to make sure the initgrExpireTimestamp attribute is
increased.

If you're wondering why the timestamp is not set by the initgroups operation
itself, see tickets #3744 or #2634 for examples of bugs caused by setting
the initgrExpireTimestamp too soon.

Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/providers/ad/ad_refresh.c     | 12 ++++++++++++
 src/providers/ipa/ipa_refresh.c   | 12 ++++++++++++
 src/providers/ldap/sdap_refresh.c | 12 ++++++++++++
 3 files changed, 36 insertions(+)

diff --git a/src/providers/ad/ad_refresh.c b/src/providers/ad/ad_refresh.c
index 0c2ebce5e..7aa56f33e 100644
--- a/src/providers/ad/ad_refresh.c
+++ b/src/providers/ad/ad_refresh.c
@@ -26,6 +26,7 @@ struct ad_refresh_state {
     struct be_ctx *be_ctx;
     struct dp_id_data *account_req;
     struct ad_id_ctx *id_ctx;
+    struct sss_domain_info *domain;
     char **names;
     size_t index;
 };
@@ -60,6 +61,7 @@ static struct tevent_req *ad_refresh_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->be_ctx = be_ctx;
+    state->domain = domain;
     state->id_ctx = talloc_get_type(pvt, struct ad_id_ctx);
     state->names = names;
     state->index = 0;
@@ -167,6 +169,16 @@ static void ad_refresh_done(struct tevent_req *subreq)
         goto done;
     }
 
+    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
+        ret = sysdb_set_initgr_expire_timestamp(state->domain,
+                                                state->account_req->filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to set initgroups expiration for [%s]\n",
+                  state->account_req->filter_value);
+        }
+    }
+
     ret = ad_refresh_step(req);
     if (ret == EAGAIN) {
         return;
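Review bot: The failure branch added in ad_refresh_done logs the user name but drops `ret`, so the log cannot say why the initgrExpireTimestamp update failed; consider `"Failed to set initgroups expiration for [%s] [%d]: %s\n"` with `ret, sss_strerror(ret)` as extra arguments. The error is swallowed and `ret` is then overwritten by `ad_refresh_step(req)`, which looks deliberate, so a short comment such as `/* Non-fatal: the refresh itself succeeded, only the expiry bump failed */` would record that intent. Presumably the entry then still looks expired to later initgroups lookups, so the cached group memberships are re-fetched; if that is the case, `SSSDBG_OP_FAILURE` may be the more fitting level. The identical ten lines appear in ipa_refresh_done and sdap_refresh_done, so a shared helper would keep the three providers from drifting apart. The function body starts and ends outside this hunk.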
diff --git a/src/providers/ipa/ipa_refresh.c b/src/providers/ipa/ipa_refresh.c
index 13c38dff9..64f8db812 100644
--- a/src/providers/ipa/ipa_refresh.c
+++ b/src/providers/ipa/ipa_refresh.c
@@ -26,6 +26,7 @@ struct ipa_refresh_state {
     struct be_ctx *be_ctx;
     struct dp_id_data *account_req;
     struct ipa_id_ctx *id_ctx;
+    struct sss_domain_info *domain;
     char **names;
     size_t index;
 };
@@ -59,6 +60,7 @@ static struct tevent_req *ipa_refresh_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->be_ctx = be_ctx;
+    state->domain = domain;
     state->id_ctx = talloc_get_type(pvt, struct ipa_id_ctx);
     state->names = names;
     state->index = 0;
@@ -147,6 +149,16 @@ static void ipa_refresh_done(struct tevent_req *subreq)
         goto done;
     }
 
+    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
+        ret = sysdb_set_initgr_expire_timestamp(state->domain,
+                                                state->account_req->filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to set initgroups expiration for [%s]\n",
+                  state->account_req->filter_value);
+        }
+    }
+
     ret = ipa_refresh_step(req);
     if (ret == EAGAIN) {
         return;
diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
index 4e464b2f6..402db53a9 100644
--- a/src/providers/ldap/sdap_refresh.c
+++ b/src/providers/ldap/sdap_refresh.c
@@ -29,6 +29,7 @@ struct sdap_refresh_state {
     struct be_ctx *be_ctx;
     struct dp_id_data *account_req;
     struct sdap_id_ctx *id_ctx;
+    struct sss_domain_info *domain;
     struct sdap_domain *sdom;
     char **names;
     size_t index;
@@ -63,6 +64,7 @@ static struct tevent_req *sdap_refresh_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->be_ctx = be_ctx;
+    state->domain = domain;
     state->id_ctx = talloc_get_type(pvt, struct sdap_id_ctx);
     state->names = names;
     state->index = 0;
@@ -165,6 +167,16 @@ static void sdap_refresh_done(struct tevent_req *subreq)
         goto done;
     }
 
+    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
+        ret = sysdb_set_initgr_expire_timestamp(state->domain,
+                                                state->account_req->filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to set initgroups expiration for [%s]\n",
+                  state->account_req->filter_value);
+        }
+    }
+
     ret = sdap_refresh_step(req);
     if (ret == EAGAIN) {
         return;
-- 
2.20.1