summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/config/SSSDConfig.py2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf1
-rw-r--r--src/man/sssd-ldap.5.xml17
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/ldap/ldap_common.c3
-rw-r--r--src/providers/ldap/sdap.h1
-rw-r--r--src/providers/ldap/sdap_async_connection.c12
9 files changed, 39 insertions, 3 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 84c9bdc5..cb55d3de 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -160,6 +160,8 @@ option_strings = {
'ldap_entry_usn' : _('entryUSN attribute'),
'ldap_rootdse_last_usn' : _('lastUSN attribute'),
+ 'ldap_connection_expiration_timeout' : _('How long to retain a connection to the LDAP server before disconnecting'),
+
# [provider/ldap/id]
'ldap_search_timeout' : _('Length of time to wait for a search request'),
'ldap_enumeration_search_timeout' : _('Length of time to wait for a enumeration request'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index bd10d794..2c12e842 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -40,6 +40,7 @@ ldap_dns_service_name = str, None, false
ldap_deref = str, None, false
ldap_page_size = int, None, false
ldap_deref_threshold = int, None, false
+ldap_connection_expire_timeout = int, None, false;
[provider/ipa/id]
ldap_search_timeout = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index dcd1586c..9a89bfe2 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -32,6 +32,7 @@ ldap_page_size = int, None, false
ldap_deref_threshold = int, None, false
ldap_sasl_canonicalize = bool, None, false
ldap_sasl_minssf = int, None, false
+ldap_connection_expire_timeout = int, None, false
[provider/ldap/id]
ldap_search_timeout = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 75bc764e..2f441df3 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -965,6 +965,23 @@
</varlistentry>
<varlistentry>
+ <term>ldap_connection_expire_timeout (integer)</term>
+ <listitem>
+ <para>
+ Specifies a timeout (in seconds) that a connection
+ to an LDAP server will be maintained. After this
+ time, the connection will be re-established. If
+ used in parallel with SASL/GSSAPI, the sooner of
+ the two values (this value vs. the TGT lifetime)
+ will be used.
+ </para>
+ <para>
+ Default: 900 (15 minutes)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_page_size (integer)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 47242531..f437580a 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -102,7 +102,8 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
- { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+ { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }
};
struct sdap_attr_map ipa_attr_map[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 22f4bc63..f7ab5efd 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 54
+#define IPA_OPTS_BASIC_TEST 55
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 170720c3..f9627ac1 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -91,7 +91,8 @@ struct dp_option default_basic_opts[] = {
{ "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
- { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+ { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }
};
struct sdap_attr_map generic_attr_map[] = {
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 3ab726aa..f08200c9 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -203,6 +203,7 @@ enum sdap_basic_opt {
SDAP_PAGE_SIZE,
SDAP_DEREF_THRESHOLD,
SDAP_SASL_CANONICALIZE,
+ SDAP_EXPIRE_TIMEOUT,
SDAP_OPTS_BASIC /* opts counter */
};
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 6350e337..e1099a17 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1502,6 +1502,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
struct sdap_cli_connect_state *state = tevent_req_data(req,
struct sdap_cli_connect_state);
struct tevent_req *subreq;
+ time_t now;
+ int expire_timeout;
if (!state->do_auth) {
/* No authentication requested or GSSAPI auth forced off */
@@ -1509,6 +1511,16 @@ static void sdap_cli_auth_step(struct tevent_req *req)
return;
}
+ /* Set the LDAP expiration time
+ * If SASL has already set it, use the sooner of the two
+ */
+ now = time(NULL);
+ expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT);
+ if (!state->sh->expire_time
+ || (state->sh->expire_time > (now + expire_timeout))) {
+ state->sh->expire_time = now + expire_timeout;
+ }
+
subreq = sdap_auth_send(state,
state->ev,
state->sh,