-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/man/sssd-ipa.5.xml15
-rw-r--r--src/providers/ipa/ipa_access.c16
-rw-r--r--src/providers/ipa/ipa_access.h2
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h1
7 files changed, 38 insertions, 1 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 5114a178..21a4d16c 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -97,6 +97,7 @@ option_strings = {
'ipa_dyndns_update' : _("Whether to automatically update the client's DNS entry in FreeIPA"),
'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
+ 'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 75222250..b1ca5027 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -102,6 +102,7 @@ krb5_renew_interval = int, None, false
krb5_use_fast = str, None, false
[provider/ipa/access]
+ipa_hbac_refresh = int, None, false
[provider/ipa/chpass]
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 4604c55e..f728e9cc 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -175,6 +175,21 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ipa_hbac_refresh (integer)</term>
+ <listitem>
+ <para>
+ The amount of time between lookups of the HBAC
+ rules against the IPA server. This will reduce the
+ latency and load on the IPA server if there are
+ many access-control requests made in a short
+ period.
+ </para>
+ <para>
+ Default: 5 (seconds)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 18cf3104..2a6588eb 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -114,6 +114,7 @@ void ipa_access_handler(struct be_req *be_req)
ipa_access_ctx = talloc_get_type(
be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
struct ipa_access_ctx);
+ hbac_ctx->access_ctx = ipa_access_ctx;
hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
@@ -145,10 +146,22 @@ static int hbac_retry(struct hbac_ctx *hbac_ctx)
struct tevent_req *subreq;
int ret;
bool offline;
+ time_t now, refresh_interval;
+ struct ipa_access_ctx *access_ctx = hbac_ctx->access_ctx;
offline = be_is_offline(hbac_ctx->be_req->be_ctx);
DEBUG(9, ("Connection status is [%s].\n", offline ? "offline" : "online"));
+ refresh_interval = dp_opt_get_int(hbac_ctx->ipa_options,
+ IPA_HBAC_REFRESH);
+
+ now = time(NULL);
+ if (now < access_ctx->last_update + refresh_interval) {
+ /* Simulate offline mode and just go to the cache */
+ DEBUG(6, ("Performing cached HBAC evaluation\n"));
+ offline = true;
+ }
+
if (!offline) {
if (hbac_ctx->sdap_op == NULL) {
hbac_ctx->sdap_op = sdap_id_op_create(hbac_ctx,
@@ -505,6 +518,9 @@ static void hbac_sysdb_save(struct tevent_req *req)
*/
hbac_clear_rule_data(hbac_ctx);
+
+ access_ctx->last_update = time(NULL);
+
/* Now evaluate the request against the rules */
ipa_hbac_evaluate_rules(hbac_ctx);
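Review bot: `access_ctx->last_update = time(NULL);` uses a local `access_ctx` that is not declared in the visible lines, so this relies on hbac_sysdb_save already having such a variable earlier in the function; if it does not, the hunk will not compile as shown. The write is the only place the refresh window is started, so a short comment would help, e.g. `/* Rules were fetched and stored successfully; start the ipa_hbac_refresh window */`, making it clear that error paths leaving the function before this point intentionally do not update the timestamp and therefore retry the server on the next request. hbac_sysdb_save starts outside the hunk.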
diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h
index da43fea2..2a6bdad5 100644
--- a/src/providers/ipa/ipa_access.h
+++ b/src/providers/ipa/ipa_access.h
@@ -43,10 +43,12 @@ struct ipa_access_ctx {
struct sdap_id_ctx *sdap_ctx;
struct dp_option *ipa_options;
struct time_rules_ctx *tr_ctx;
+ time_t last_update;
};
struct hbac_ctx {
struct sdap_id_ctx *sdap_ctx;
+ struct ipa_access_ctx *access_ctx;
struct sdap_id_op *sdap_op;
struct dp_option *ipa_options;
struct time_rules_ctx *tr_ctx;
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 9972c341..0995e0f1 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -37,7 +37,8 @@ struct dp_option ipa_basic_opts[] = {
{ "ipa_dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
- { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}
+ { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }
};
struct dp_option ipa_def_ldap_opts[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 8f0f35a8..1c1f7221 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -50,6 +50,7 @@ enum ipa_basic_opt {
IPA_DYNDNS_IFACE,
IPA_HBAC_SEARCH_BASE,
IPA_KRB5_REALM,
+ IPA_HBAC_REFRESH,
IPA_OPTS_BASIC /* opts counter */
};