author | Stephen Gallagher <sgallagh@redhat.com> | 2010-12-22 11:00:22 -0500 |
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-12-22 13:22:28 -0500 |
commit | c71ff1e4615ec8560b90ca7d4827d99424ad0355 (patch) | |
tree | 5f1ccd75d8e6dfcb9d5a3898ebc9368dabcca261 /src/responder/pam | |
parent | 7da6ae5558059218d660d879057f6e39864c3493 (diff) | |
Update the ID cache for any PAM request
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749
Diffstat (limited to 'src/responder/pam')
-rw-r--r-- | src/responder/pam/pamsrv.c | 9 | ||||
-rw-r--r-- | src/responder/pam/pamsrv.h | 1 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 19 |
3 files changed, 21 insertions, 8 deletions
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 61e7ce7a..91ee4a89 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -108,6 +108,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
 struct be_conn *iter;
 struct pam_ctx *pctx;
 int ret, max_retries;
+ int id_timeout;
 pctx = talloc_zero(mem_ctx, struct pam_ctx);
 if (!pctx) {
@@ -153,6 +154,14 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
 &pctx->neg_timeout);
 if (ret != EOK) goto done;
+ /* Set up the PAM identity timeout */
+ ret = confdb_get_int(cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ID_TIMEOUT, 5,
+ &id_timeout);
+ if (ret != EOK) goto done;
+
+ pctx->id_timeout = (size_t)id_timeout;
+
 ret = sss_ncache_init(pctx, &pctx->ncache);
 if (ret != EOK) {
 DEBUG(0, ("fatal error initializing negative cache\n"));
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 3ada4cfd..3ffc1708 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -35,6 +35,7 @@ struct pam_ctx {
 struct resp_ctx *rctx;
 struct sss_nc_ctx *ncache;
 int neg_timeout;
+ time_t id_timeout;
 };
 struct pam_auth_req {
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 48341aab..6a8f1dbb 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
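Review bot: `pctx->id_timeout = (size_t)id_timeout;` in the second pamsrv.c hunk casts to `size_t` while the field added in pamsrv.h is `time_t`, so a negative value read from CONFDB_PAM_ID_TIMEOUT goes through an unsigned-to-signed round trip whose result is implementation-defined: on common platforms it ends up negative again and silently disables the throttle, elsewhere it could become a far-future deadline once added to `time(NULL)` in pamsrv_cmd.c. Reject negative input and cast to the field's own type: `if (id_timeout < 0) { ret = EINVAL; goto done; }` followed by `pctx->id_timeout = (time_t)id_timeout;`. The later `time(NULL) + pctx->id_timeout` shows the value is in seconds; a comment on the confdb_get_int call saying so, and that 0 means every request consults the provider, would save the next reader a trip to pamsrv_cmd.c. pam_process_init continues outside the hunk.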
@@ -790,14 +790,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 /* make sure to update the preq if we changed domain */
 preq->domain = dom;
- /* TODO: check negative cache ? */
-
- /* Always try to refresh the cache first on authentication */
- if (preq->check_provider &&
- (preq->pd->cmd == SSS_PAM_AUTHENTICATE ||
- preq->pd->cmd == SSS_PAM_SETCRED)) {
-
- /* call provider first */
+ /* Refresh the user's cache entry on any PAM query
+ * We put a timeout in the client context so that we limit
+ * the number of updates within a reasonable timeout
+ */
+ if (preq->check_provider && cctx->pam_timeout < time(NULL)) {
+ /* Call provider first */
 break;
 }
@@ -909,6 +907,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 {
 struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req);
 int ret;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 if (err_maj) {
 DEBUG(2, ("Unable to get information from Data Provider\n"
@@ -916,6 +916,9 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 (unsigned int)err_maj, (unsigned int)err_min, err_msg));
 }
+ /* Make sure we don't go to the ID provider too often */
+ preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
+
 ret = pam_check_user_search(preq);
 if (ret == EOK) {
 pam_dom_forwarder(preq);
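Review bot: The new condition `cctx->pam_timeout < time(NULL)` in the first pamsrv_cmd.c hunk relies on two things the hunk does not show: that `cctx` is in scope in pam_check_user_search (the function begins and ends outside the hunk) and that `pam_timeout` starts at zero on a fresh client context so the very first request still reaches the provider — the field is not declared anywhere in this diff, which is limited to src/responder/pam, so presumably it lives in the shared client context. The replaced code only refreshed on SSS_PAM_AUTHENTICATE and SSS_PAM_SETCRED; the new comment should spell out the scope of the throttle, e.g. `/* pam_timeout is per client connection; 0 on a fresh context forces a provider lookup */`. Because `time(NULL)` is wall-clock, a backwards clock step lengthens the quiet window on that connection; a monotonic source would be more robust if the responder has one available.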
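Review bot: In the last pamsrv_cmd.c hunk `preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;` is executed after the `if (err_maj)` block regardless of its outcome, so a failed Data Provider lookup also suppresses further provider calls on that connection for id_timeout seconds and the following request in that window is presumably answered from whatever the cache holds. If that is intended (not hammering an unavailable backend) it deserves a comment, e.g. `/* Armed even when the provider failed: avoids repeated calls to an unreachable backend */`; otherwise move the assignment into an `else` branch of the `if (err_maj)` so an error leaves the window open for a retry. Separately, `pctx` obtained via `talloc_get_type` in the preceding hunk is dereferenced here without a NULL check, which matches the existing style in this function but turns a context-type mismatch into a crash rather than a logged error.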