diff options
-rw-r--r-- | src/config/SSSDConfig.py | 2 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ldap.conf | 1 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 17 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/ldap_common.c | 3 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_connection.c | 12 |
9 files changed, 39 insertions, 3 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index 84c9bdc5..cb55d3de 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py @@ -160,6 +160,8 @@ option_strings = { 'ldap_entry_usn' : _('entryUSN attribute'), 'ldap_rootdse_last_usn' : _('lastUSN attribute'), + 'ldap_connection_expiration_timeout' : _('How long to retain a connection to the LDAP server before disconnecting'), + # [provider/ldap/id] 'ldap_search_timeout' : _('Length of time to wait for a search request'), 'ldap_enumeration_search_timeout' : _('Length of time to wait for a enumeration request'), diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index bd10d794..2c12e842 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -40,6 +40,7 @@ ldap_dns_service_name = str, None, false ldap_deref = str, None, false ldap_page_size = int, None, false ldap_deref_threshold = int, None, false +ldap_connection_expire_timeout = int, None, false; [provider/ipa/id] ldap_search_timeout = int, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index dcd1586c..9a89bfe2 100644 --- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -32,6 +32,7 @@ ldap_page_size = int, None, false ldap_deref_threshold = int, None, false ldap_sasl_canonicalize = bool, None, false ldap_sasl_minssf = int, None, false +ldap_connection_expire_timeout = int, None, false [provider/ldap/id] ldap_search_timeout = int, None, false diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 75bc764e..2f441df3 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -965,6 +965,23 @@ </varlistentry> <varlistentry> + <term>ldap_connection_expire_timeout (integer)</term> + <listitem> + <para> + Specifies a timeout (in seconds) that a connection + to an LDAP server will be maintained. After this + time, the connection will be re-established. If + used in parallel with SASL/GSSAPI, the sooner of + the two values (this value vs. the TGT lifetime) + will be used. + </para> + <para> + Default: 900 (15 minutes) + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>ldap_page_size (integer)</term> <listitem> <para> diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 47242531..f437580a 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -102,7 +102,8 @@ struct dp_option ipa_def_ldap_opts[] = { { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, - { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE } + { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER } }; struct sdap_attr_map ipa_attr_map[] = { diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 22f4bc63..f7ab5efd 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -35,7 +35,7 @@ struct ipa_service { /* the following defines are used to keep track of the options in the ldap * module, so that if they change and ipa is not updated correspondingly * this will trigger a runtime abort error */ -#define IPA_OPTS_BASIC_TEST 54 +#define IPA_OPTS_BASIC_TEST 55 /* the following define is used to keep track of the options in the krb5 * module, so that if they change and ipa is not updated correspondingly diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 170720c3..f9627ac1 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -91,7 +91,8 @@ struct dp_option default_basic_opts[] = { { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, - { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE } + { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER } }; struct sdap_attr_map generic_attr_map[] = { diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 3ab726aa..f08200c9 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -203,6 +203,7 @@ enum sdap_basic_opt { SDAP_PAGE_SIZE, SDAP_DEREF_THRESHOLD, SDAP_SASL_CANONICALIZE, + SDAP_EXPIRE_TIMEOUT, SDAP_OPTS_BASIC /* opts counter */ }; diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 6350e337..e1099a17 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -1502,6 +1502,8 @@ static void sdap_cli_auth_step(struct tevent_req *req) struct sdap_cli_connect_state *state = tevent_req_data(req, struct sdap_cli_connect_state); struct tevent_req *subreq; + time_t now; + int expire_timeout; if (!state->do_auth) { /* No authentication requested or GSSAPI auth forced off */ @@ -1509,6 +1511,16 @@ static void sdap_cli_auth_step(struct tevent_req *req) return; } + /* Set the LDAP expiration time + * If SASL has already set it, use the sooner of the two + */ + now = time(NULL); + expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT); + if (!state->sh->expire_time + || (state->sh->expire_time > (now + expire_timeout))) { + state->sh->expire_time = now + expire_timeout; + } + subreq = sdap_auth_send(state, state->ev, state->sh, |