-rw-r--r-- | src/man/sssd-ipa.5.xml | 23 | ||||
-rw-r--r-- | src/man/sssd.conf.5.xml | 14 | ||||
-rw-r--r-- | src/providers/data_provider_be.c | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_subdomains.c | 68 |
4 files changed, 101 insertions, 7 deletions
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index da5a2ffb..56220c3e 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -595,6 +595,29 @@ </para> </refsect1> + <refsect1 id='subdomains_provider'> + <title>SUBDOMAINS PROVIDER</title> + <para> + The IPA subdomains provider behaves slightly differently + if it is configured explicitly or implicitly. + </para> + <para> + If the option 'subdomains_provider = ipa' is found in the + domain section of sssd.conf, the IPA subdomains provider is + configured explicitly, and all subdomain requests are sent to the + IPA server if necessary. + </para> + <para> + If the option 'subdomains_provider' is not set in the domain + section of sssd.conf but there is the option 'id_provider = ipa', + the IPA subdomains provider is configured implictly. In this case, + if a subdomain request fails and indicates that the server does not + support subdomains, i.e. is not configured for trusts, the IPA + subdomains provider is disabled. After an hour or after the IPA + provider goes online, the subdomains provider is enabled again. + </para> + </refsect1> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" /> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 33d99c75..9f487faf 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1411,8 +1411,9 @@ override_homedir = /home/%u <term>subdomains_provider (string)</term> <listitem> <para> - The provider which should handle fetching of subdomains. - This value should be always the same as id_provider. + The provider which should handle fetching of + subdomains. This value should be always the same as + id_provider. Supported subdomain providers are: </para> <para>
@@ -1421,13 +1422,16 @@ override_homedir = /home/%u <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> - </citerefentry> for more information on configuring IPA. + </citerefentry> for more information on configuring + IPA. </para> <para> - <quote>none</quote> disallows fetching subdomains explicitly. + <quote>none</quote> disallows fetching subdomains + explicitly. </para> <para> - Default: none + Default: The value of <quote>id_provider</quote> is + used if it is set. </para> </listitem> </varlistentry>
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 253dc46f..685c666a 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -2317,7 +2317,8 @@ int be_process_init(TALLOC_CTX *mem_ctx, } ret = load_backend_module(ctx, BET_SUBDOMAINS, - &ctx->bet_info[BET_SUBDOMAINS], NULL); + &ctx->bet_info[BET_SUBDOMAINS], + ctx->bet_info[BET_ID].mod_name); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, ("Subdomains are not supported for [%s] !!\n", be_domain)); } else {
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 36ffafd9..0bf2e5d8 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -47,6 +47,7 @@ /* refresh automatically every 4 hours */ #define IPA_SUBDOMAIN_REFRESH_PERIOD (3600 * 4) +#define IPA_SUBDOMAIN_DISABLED_PERIOD 3600 /* the directory domain - realm mappings are written to */ #define IPA_SUBDOMAIN_MAPPING_DIR PUBCONF_PATH"/krb5.include.d"
@@ -74,6 +75,8 @@ struct ipa_subdomains_ctx { time_t last_refreshed; struct tevent_timer *timer_event; + bool configured_explicit; + time_t disabled_until; /* subdomain map cache */ int num_subdoms;
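Review bot: The new default `ctx->bet_info[BET_ID].mod_name` makes the subdomains lookup happen for every domain, yet the failure branch right below it still logs "Subdomains are not supported for [%s] !!" at SSSDBG_CRIT_FAILURE, which was reasonable when that branch could only be reached by an explicit subdomains_provider setting. If load_backend_module treats a non-NULL default as "load this module or fail" (its body is outside this hunk), every domain whose id_provider has no subdomains entry point (a plain LDAP or proxy domain, presumably) will now emit that critical message at every start, burying genuine misconfiguration. Consider logging at SSSDBG_MINOR_FAILURE when the provider name was only defaulted, and guard the defaulted name, e.g. `if (ret != EOK && ctx->bet_info[BET_ID].mod_name != NULL) { /* implicit, expected for providers without subdomain support */ }`. be_process_init starts and ends outside the hunk.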
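Review bot: The two fields added to struct ipa_subdomains_ctx carry the whole enable/disable state but are undocumented, and nothing at the declaration says that `disabled_until` is only ever set when `configured_explicit` is false or that a zero value means "not disabled". A short comment on each would save the next reader a trip through the handler, e.g. `/* true if subdomains_provider is set in sssd.conf; implicit providers may be temporarily disabled */` above `configured_explicit` and `/* wall-clock time until which requests are answered without contacting the server; 0 = enabled */` above `disabled_until`. The struct definition continues outside the hunk.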
@@ -899,6 +902,12 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) * and we don't have the master domain record */ DEBUG(SSSDBG_CRIT_FAILURE, ("Master domain record not found!\n")); + + if (!ctx->sd_ctx->configured_explicit) { + ctx->sd_ctx->disabled_until = time(NULL) + + IPA_SUBDOMAIN_DISABLED_PERIOD; + } + ret = EIO; goto done; }
@@ -932,6 +941,7 @@ static void ipa_subdom_online_cb(void *pvt) return; } + ctx->disabled_until = 0; ipa_subdomains_retrieve(ctx, NULL); tv = tevent_timeval_current_ofs(IPA_SUBDOMAIN_REFRESH_PERIOD, 0);
@@ -953,9 +963,48 @@ static void ipa_subdom_offline_cb(void *pvt) } } +static errno_t get_config_status(struct be_ctx *be_ctx, + bool *configured_explicit) +{ + int ret; + TALLOC_CTX *tmp_ctx = NULL; + char *tmp_str; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("talloc_new failed.\n")); + return ENOMEM; + } + + ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path, + CONFDB_DOMAIN_SUBDOMAINS_PROVIDER, NULL, + &tmp_str); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("confdb_get_string failed.\n")); + goto done; + } + + if (tmp_str == NULL) { + *configured_explicit = false; + } else { + *configured_explicit = true; + } + + DEBUG(SSSDBG_TRACE_ALL, ("IPA subdomain provider is configured %s.\n", + *configured_explicit ? "explicit" : "implicit")); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + void ipa_subdomains_handler(struct be_req *be_req) { struct ipa_subdomains_ctx *ctx; + time_t now; ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data, struct ipa_subdomains_ctx);
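Review bot: The implicit provider is disabled for IPA_SUBDOMAIN_DISABLED_PERIOD on any "Master domain record not found" outcome, not only when the server signals that it is not set up for trusts as the new sssd-ipa.5 text describes, so a transient empty result (a replica missing the trust objects, a wrong search base, an ACI change) silences subdomain lookups for an hour while ipa_subdomains_handler keeps answering success. Because the CRIT_FAILURE line above does not mention the disabling, add one inside the new branch, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, ("Disabling the IPA subdomains provider for %d seconds.\n", IPA_SUBDOMAIN_DISABLED_PERIOD));`, so the cause of later "no such user" results is visible in the log. Note that `disabled_until` is wall-clock time from time(NULL): a backwards clock step after the server is reached (presumably common on freshly enrolled clients) stretches the window beyond an hour, the same trade-off the existing last_refreshed logic already makes. ipa_subdomains_handler_master_done starts and ends outside the hunk.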
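Review bot: get_config_status treats any present subdomains_provider key as "explicit" without looking at its value, so an empty `subdomains_provider =` line would count as explicit if confdb_get_string returns "" rather than NULL for it (not visible here); either guard it, `*configured_explicit = (tmp_str != NULL && tmp_str[0] != '\0');`, or add a comment stating that only the value ipa can reach ipa_subdom_init because be_process_init loads the module named in the option. That one-liner also replaces the four-line if/else. The trace message would read better as `("IPA subdomain provider is configured %s.\n", *configured_explicit ? "explicitly" : "implicitly")`, and `*configured_explicit` should be assigned on the error path too (or callers must not read it on failure; ipa_subdom_init currently returns before doing so).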
@@ -964,7 +1013,15 @@ void ipa_subdomains_handler(struct be_req *be_req) return; } - if (ctx->last_refreshed > time(NULL) - IPA_SUBDOMAIN_REFRESH_LIMIT) { + now = time(NULL); + + if (ctx->disabled_until > now) { + DEBUG(SSSDBG_TRACE_ALL, ("Subdomain provider disabled.\n")); + ipa_subdomains_reply(be_req, DP_ERR_OK, EOK); + return; + } + + if (ctx->last_refreshed > now - IPA_SUBDOMAIN_REFRESH_LIMIT) { ipa_subdomains_reply(be_req, DP_ERR_OK, EOK); return; }
@@ -984,6 +1041,13 @@ int ipa_subdom_init(struct be_ctx *be_ctx, { struct ipa_subdomains_ctx *ctx; int ret; + bool configured_explicit = false; + + ret = get_config_status(be_ctx, &configured_explicit); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("get_config_status failed.\n")); + return ret; + } ctx = talloc_zero(id_ctx, struct ipa_subdomains_ctx); if (ctx == NULL) {
@@ -996,6 +1060,8 @@ int ipa_subdom_init(struct be_ctx *be_ctx, ctx->search_bases = id_ctx->ipa_options->subdomains_search_bases; ctx->master_search_bases = id_ctx->ipa_options->master_domain_search_bases; ctx->ranges_search_bases = id_ctx->ipa_options->ranges_search_bases; + ctx->configured_explicit = configured_explicit; + ctx->disabled_until = 0; *ops = &ipa_subdomains_ops; *pvt_data = ctx; |
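Review bot: While the provider is disabled the handler replies DP_ERR_OK/EOK and logs only at SSSDBG_TRACE_ALL, so a responder resolving a user from a trusted domain sees a successful request that returned nothing, and for up to an hour no default-level log explains why. Raising the level and stating the remaining time makes the state diagnosable, e.g. `DEBUG(SSSDBG_TRACE_FUNC, ("Subdomain provider disabled for another %ld seconds.\n", (long)(ctx->disabled_until - now)));`. Taking `now` once and reusing it in the refresh-limit check is the right shape; the early return deliberately leaves last_refreshed untouched so the first request after re-enabling triggers a real refresh, which is worth a one-line comment on the `return;`. ipa_subdomains_handler starts before this hunk.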