summaryrefslogtreecommitdiff
path: root/src/providers/ldap
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers/ldap')
-rw-r--r--src/providers/ldap/ldap_common.c3
-rw-r--r--src/providers/ldap/sdap.h1
-rw-r--r--src/providers/ldap/sdap_async_connection.c12
3 files changed, 15 insertions, 1 deletions
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 170720c3..f9627ac1 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -91,7 +91,8 @@ struct dp_option default_basic_opts[] = {
{ "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
- { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+ { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }
};
struct sdap_attr_map generic_attr_map[] = {
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 3ab726aa..f08200c9 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -203,6 +203,7 @@ enum sdap_basic_opt {
SDAP_PAGE_SIZE,
SDAP_DEREF_THRESHOLD,
SDAP_SASL_CANONICALIZE,
+ SDAP_EXPIRE_TIMEOUT,
SDAP_OPTS_BASIC /* opts counter */
};
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 6350e337..e1099a17 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1502,6 +1502,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
struct sdap_cli_connect_state *state = tevent_req_data(req,
struct sdap_cli_connect_state);
struct tevent_req *subreq;
+ time_t now;
+ int expire_timeout;
if (!state->do_auth) {
/* No authentication requested or GSSAPI auth forced off */
@@ -1509,6 +1511,16 @@ static void sdap_cli_auth_step(struct tevent_req *req)
return;
}
+ /* Set the LDAP expiration time
+ * If SASL has already set it, use the sooner of the two
+ */
+ now = time(NULL);
+ expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT);
+ if (!state->sh->expire_time
+ || (state->sh->expire_time > (now + expire_timeout))) {
+ state->sh->expire_time = now + expire_timeout;
+ }
+
subreq = sdap_auth_send(state,
state->ev,
state->sh,