-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml22
-rw-r--r--src/responder/common/responder.h2
-rw-r--r--src/responder/pam/pamsrv.c9
-rw-r--r--src/responder/pam/pamsrv.h1
-rw-r--r--src/responder/pam/pamsrv_cmd.c19
8 files changed, 48 insertions, 8 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index eccb98d3..5e55f255 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -81,6 +81,7 @@
#define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
#define CONFDB_PAM_VERBOSITY "pam_verbosity"
+#define CONFDB_PAM_ID_TIMEOUT "pam_id_timeout"
/* Data Provider */
#define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index b1177178..d23641c9 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -64,6 +64,7 @@ option_strings = {
'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
+ 'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'),
# [provider]
'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 3bd0cc49..5127b852 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -34,6 +34,7 @@ offline_credentials_expiration = int, None, false
offline_failed_login_attempts = int, None, false
offline_failed_login_delay = int, None, false
pam_verbosity = int, None, false
+pam_id_timeout = int, None, false
[provider]
#Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 7392dd09..96b7a4c3 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -440,6 +440,28 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_id_timeout (integer)</term>
+ <listitem>
+ <para>
+ For any PAM request while SSSD is online, the SSSD will
+ attempt to immediately update the cached identity
+ information for the user in order to ensure that
+ authentication takes place with the latest information.
+ </para>
+ <para>
+ A complete PAM conversation may perform multiple PAM
+ requests, such as account management and session
+ opening. This option controls (on a
+ per-client-application basis) how long (in seconds) we
+ can cache the identity information to avoid excessive
+ round-trips to the identity provider.
+ </para>
+ <para>
+ Default: 5
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
</refsect1>
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 783f9e40..6b81aada 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -118,6 +118,8 @@ struct cli_ctx {
char *netgr_name;
int netgrent_cur;
+
+ time_t pam_timeout;
};
struct sss_cmd_table {
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 61e7ce7a..91ee4a89 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -108,6 +108,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
struct be_conn *iter;
struct pam_ctx *pctx;
int ret, max_retries;
+ int id_timeout;
pctx = talloc_zero(mem_ctx, struct pam_ctx);
if (!pctx) {
@@ -153,6 +154,14 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
&pctx->neg_timeout);
if (ret != EOK) goto done;
+ /* Set up the PAM identity timeout */
+ ret = confdb_get_int(cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ID_TIMEOUT, 5,
+ &id_timeout);
+ if (ret != EOK) goto done;
+
+ pctx->id_timeout = (size_t)id_timeout;
+
ret = sss_ncache_init(pctx, &pctx->ncache);
if (ret != EOK) {
DEBUG(0, ("fatal error initializing negative cache\n"));
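Review bot: The value read into `id_timeout` is cast to `size_t` on the last added line but stored in `pctx->id_timeout`, which the pamsrv.h hunk declares as `time_t`; the cast is at best misleading, and a negative value from the config file (an `int` read with no range check) round-trips through an unsigned type into a signed one with implementation-defined results instead of being rejected. Since this interval decides how long authentication may proceed on un-refreshed identity data, I'd validate it at load time: `if (id_timeout < 0) { ret = EINVAL; goto done; }` followed by `pctx->id_timeout = id_timeout;`. The literal default `5` is also repeated in the man page hunk; confdb.h already pairs the neighbouring option with `CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY`, so a `CONFDB_DEFAULT_PAM_ID_TIMEOUT` next to `CONFDB_PAM_ID_TIMEOUT` would keep the value in one place. pam_process_init starts and ends outside the hunk.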
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 3ada4cfd..3ffc1708 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -35,6 +35,7 @@ struct pam_ctx {
struct resp_ctx *rctx;
struct sss_nc_ctx *ncache;
int neg_timeout;
+ time_t id_timeout;
};
struct pam_auth_req {
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 48341aab..6a8f1dbb 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -790,14 +790,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
/* make sure to update the preq if we changed domain */
preq->domain = dom;
- /* TODO: check negative cache ? */
-
- /* Always try to refresh the cache first on authentication */
- if (preq->check_provider &&
- (preq->pd->cmd == SSS_PAM_AUTHENTICATE ||
- preq->pd->cmd == SSS_PAM_SETCRED)) {
-
- /* call provider first */
+ /* Refresh the user's cache entry on any PAM query
+ * We put a timeout in the client context so that we limit
+ * the number of updates within a reasonable timeout
+ */
+ if (preq->check_provider && cctx->pam_timeout < time(NULL)) {
+ /* Call provider first */
break;
}
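Review bot: The new refresh condition keys the throttle on the client connection (`cctx->pam_timeout`) rather than on the user being looked up, so once any lookup on a connection has completed, a request for a different user within the window skips the provider refresh that the removed code unconditionally performed for SSS_PAM_AUTHENTICATE and SSS_PAM_SETCRED. Whether one `cli_ctx` can carry requests for several users is not visible here, but if it can, the window the man page hunk describes as per-client-application is really per-client-for-any-user; consider storing the last refreshed user name next to the timestamp and comparing both, or at least stating the limitation in the comment above the `if`. `cctx` is not declared within the hunk, so I assume it is a local the enclosing function derives from `preq`; pam_check_user_search starts and ends outside the hunk.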
@@ -909,6 +907,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
{
struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req);
int ret;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
@@ -916,6 +916,9 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
}
+ /* Make sure we don't go to the ID provider too often */
+ preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
+
ret = pam_check_user_search(preq);
if (ret == EOK) {
pam_dom_forwarder(preq);
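Review bot: `preq->cctx->pam_timeout` is armed after the `err_maj` check but regardless of its outcome, so a failed Data Provider lookup still suppresses further refresh attempts on that connection for `id_timeout` seconds while the cached entry is used as-is; if that is intended as back-off, say so in the comment, e.g. `/* Arm the refresh window even on DP failure so a broken provider is not retried on every request */`, otherwise move the assignment into the success path. `pctx` comes from `talloc_get_type()` in the preceding hunk and is dereferenced here without a NULL check; if the rest of this file checks that result, this site should too. pam_check_user_dp_callback ends outside the hunk.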