-rw-r--r--server/confdb/confdb.h2
-rw-r--r--server/config/etc/sssd.api.conf2
-rw-r--r--server/man/sssd.conf.5.xml27
-rw-r--r--server/responder/nss/nsssrv.c11
-rw-r--r--server/responder/nss/nsssrv.h2
-rw-r--r--server/responder/nss/nsssrv_cmd.c20
6 files changed, 49 insertions, 15 deletions
diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h
index 8729aad3..ef8a787c 100644
--- a/server/confdb/confdb.h
+++ b/server/confdb/confdb.h
@@ -55,7 +55,7 @@
/* NSS */
#define CONFDB_NSS_CONF_ENTRY "config/nss"
#define CONFDB_NSS_ENUM_CACHE_TIMEOUT "enum_cache_timeout"
-#define CONFDB_NSS_ENTRY_CACHE_NOWAIT_TIMEOUT "entry_cache_nowait_timeout"
+#define CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE "entry_cache_nowait_percentage"
#define CONFDB_NSS_ENTRY_NEG_TIMEOUT "entry_negative_timeout"
#define CONFDB_NSS_FILTER_USERS_IN_GROUPS "filter_users_in_groups"
#define CONFDB_NSS_FILTER_USERS "filter_users"
diff --git a/server/config/etc/sssd.api.conf b/server/config/etc/sssd.api.conf
index 8177a77e..e8b266bd 100644
--- a/server/config/etc/sssd.api.conf
+++ b/server/config/etc/sssd.api.conf
@@ -21,7 +21,7 @@ full_name_format = str, None
[nss]
# Name service
enum_cache_timeout = int, None
-entry_cache_no_wait_timeout = int, None
+entry_cache_no_wait_percentage = int, None
entry_negative_timeout = int, None
filter_users = list, str, root
filter_groups = list, str, root
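Review bot: The schema key on the added line is spelled `entry_cache_no_wait_percentage`, but confdb.h in this same commit defines the option as `entry_cache_nowait_percentage`, and the man page documents that spelling too. The removed line had the same `no_wait`/`nowait` mismatch, so the inconsistency is carried over rather than introduced here. Whatever validates configuration against sssd.api.conf presumably will not recognise the name the responder actually reads, so an administrator following the man page could have the option rejected or left unvalidated. The line should read `entry_cache_nowait_percentage = int, None`.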
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 42bda484..c928f0ba 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -257,12 +257,31 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>entry_cache_nowait_timeout (integer)</term>
+ <term>entry_cache_nowait_percentage (integer)</term>
<listitem>
<para>
- How long should nss_sss return cached entries before
- initiating an out-of-band cache refresh (0 disables
- this feature)
+ The entry cache can be set to automatically update
+ entries in the background if they are requested
+ beyond a percentage of the entry_cache_timeout
+ value for the domain.
+ </para>
+ <para>
+ For example, if the domain's entry_cache_timeout
+ is set to 30s and entry_cache_nowait_percentage is
+ set to 50 (percent), entries that come in after 15
+ seconds past the last cache update will be
+ returned immediately, but the SSSD will go and
+ update the cache on its own, so that future
+ requests will not need to block waiting for a
+ cache update.
+ </para>
+ <para>
+ Valid values for this option are 0-99 and
+ represent a percentage of the entry_cache_timeout
+ for each domain. For performance reasons, this
+ percentage will never reduce the nowait timeout to
+ less than 10 seconds.
+ (0 disables this feature)
</para>
<para>
Default: 0
diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c
index 272cd38b..dad1c7c1 100644
--- a/server/responder/nss/nsssrv.c
+++ b/server/responder/nss/nsssrv.c
@@ -103,13 +103,14 @@ static int nss_get_config(struct nss_ctx *nctx,
ret = confdb_get_int(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
- CONFDB_NSS_ENTRY_CACHE_NOWAIT_TIMEOUT, 0,
- &nctx->cache_refresh_timeout);
+ CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE, 0,
+ &nctx->cache_refresh_percent);
if (ret != EOK) goto done;
- if (nctx->cache_refresh_timeout < 0) {
- DEBUG(0,("Configuration error: EntryCacheNoWaitRefreshTimeout is"
+ if (nctx->cache_refresh_percent < 0 ||
+ nctx->cache_refresh_percent > 99) {
+ DEBUG(0,("Configuration error: entry_cache_nowait_percentage is"
"invalid. Disabling feature.\n"));
- nctx->cache_refresh_timeout = 0;
+ nctx->cache_refresh_percent = 0;
}
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
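Review bot: The two adjacent string literals in the new DEBUG call are concatenated without a space, so the logged text reads "...entry_cache_nowait_percentage isinvalid. Disabling feature."; the first literal should end with a space, `"Configuration error: entry_cache_nowait_percentage is "`. Since an out-of-range value silently turns the feature off, it would also help to log the rejected value so the administrator can see what was read. The 0-99 range check itself matches the man page text in this commit. nss_get_config starts and ends outside this hunk.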
diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h
index 0c2ea487..464481d7 100644
--- a/server/responder/nss/nsssrv.h
+++ b/server/responder/nss/nsssrv.h
@@ -47,7 +47,7 @@ struct nss_ctx {
int neg_timeout;
struct nss_nc_ctx *ncache;
- int cache_refresh_timeout;
+ int cache_refresh_percent;
int enum_cache_timeout;
time_t last_user_enum;
diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
index 3d4226fb..8f4f5db8 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
@@ -278,10 +278,10 @@ static errno_t check_cache(struct nss_dom_ctx *dctx,
{
errno_t ret;
int timeout;
- int refresh_timeout;
time_t now;
uint64_t lastUpdate;
uint64_t cacheExpire;
+ uint64_t midpoint_refresh;
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
bool call_provider = false;
@@ -298,13 +298,26 @@ static errno_t check_cache(struct nss_dom_ctx *dctx,
} else if ((req_type == SSS_DP_GROUP) ||
((req_type == SSS_DP_USER) && (res->count == 1))) {
- refresh_timeout = nctx->cache_refresh_timeout;
now = time(NULL);
lastUpdate = ldb_msg_find_attr_as_uint64(res->msgs[0],
SYSDB_LAST_UPDATE, 0);
cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0],
SYSDB_CACHE_EXPIRE, 0);
+
+ midpoint_refresh = 0;
+ if(nctx->cache_refresh_percent) {
+ midpoint_refresh = lastUpdate +
+ (cacheExpire - lastUpdate)*nctx->cache_refresh_percent/100;
+ if (midpoint_refresh - lastUpdate < 10) {
+ /* If the percentage results in an expiration
+ * less than ten seconds after the lastUpdate time,
+ * that's too often we will simply set it to 10s
+ */
+ midpoint_refresh = lastUpdate+10;
+ }
+ }
+
if (cacheExpire < now) {
/* This is a cache miss. We need to get the updated user
* information before returning it.
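Review bot: The subtraction `cacheExpire - lastUpdate` in the new midpoint block is done in uint64_t, so an entry whose SYSDB_CACHE_EXPIRE is missing (the lookup defaults to 0) or older than SYSDB_LAST_UPDATE wraps to a huge value and yields a meaningless midpoint_refresh. The already-expired case is caught by the `cacheExpire < now` test that follows, but a record with lastUpdate ahead of cacheExpire and of the current time (clock step, damaged cache entry) would reach the midpoint comparison in the next hunk with that wrapped value. Guarding the block with `if (nctx->cache_refresh_percent && cacheExpire > lastUpdate) {` keeps the result meaningful. The 10-second floor can also place midpoint_refresh beyond cacheExpire for short timeouts; that appears harmless only because expiry is tested first, which deserves a short comment. check_cache starts and ends outside this hunk.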
@@ -312,11 +325,12 @@ static errno_t check_cache(struct nss_dom_ctx *dctx,
call_provider = true;
cb = callback;
}
- else if (refresh_timeout && (lastUpdate + refresh_timeout < now)) {
+ else if (midpoint_refresh && midpoint_refresh < now) {
/* We're past the the cache refresh timeout
* We'll return the value from the cache, but we'll also
* queue the cache entry for update out-of-band.
*/
+ DEBUG(6, ("Performing midpoint cache update on [%s]\n", opt_name));
call_provider = true;
cb = NULL;
}