Diffstat (limited to 'src/responder/pam')
-rw-r--r--src/responder/pam/pamsrv.c9
-rw-r--r--src/responder/pam/pamsrv.h1
-rw-r--r--src/responder/pam/pamsrv_cmd.c19
3 files changed, 21 insertions, 8 deletions
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 61e7ce7a..91ee4a89 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -108,6 +108,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
struct be_conn *iter;
struct pam_ctx *pctx;
int ret, max_retries;
+ int id_timeout;
pctx = talloc_zero(mem_ctx, struct pam_ctx);
if (!pctx) {
@@ -153,6 +154,14 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
&pctx->neg_timeout);
if (ret != EOK) goto done;
+ /* Set up the PAM identity timeout */
+ ret = confdb_get_int(cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ID_TIMEOUT, 5,
+ &id_timeout);
+ if (ret != EOK) goto done;
+
+ pctx->id_timeout = (size_t)id_timeout;
+
ret = sss_ncache_init(pctx, &pctx->ncache);
if (ret != EOK) {
DEBUG(0, ("fatal error initializing negative cache\n"));
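Review bot: The cast in `pctx->id_timeout = (size_t)id_timeout;` targets the wrong type — the field added in pamsrv.h is `time_t`, so the int is routed through an unsigned type and converted twice, and a negative configured value goes through an out-of-range unsigned-to-signed conversion; it should read `pctx->id_timeout = (time_t)id_timeout;`. Nothing rejects a negative value from the config, and since this field is later added to `time(NULL)` to gate provider refreshes, a negative value makes every PAM query hit the provider, silently disabling the throttle; a range check such as `if (id_timeout < 0) { ret = EINVAL; goto done; }` after the confdb_get_int call would make that configuration error visible instead. pam_process_init continues outside the hunk.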
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 3ada4cfd..3ffc1708 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -35,6 +35,7 @@ struct pam_ctx {
struct resp_ctx *rctx;
struct sss_nc_ctx *ncache;
int neg_timeout;
+ time_t id_timeout;
};
struct pam_auth_req {
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 48341aab..6a8f1dbb 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -790,14 +790,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
/* make sure to update the preq if we changed domain */
preq->domain = dom;
- /* TODO: check negative cache ? */
-
- /* Always try to refresh the cache first on authentication */
- if (preq->check_provider &&
- (preq->pd->cmd == SSS_PAM_AUTHENTICATE ||
- preq->pd->cmd == SSS_PAM_SETCRED)) {
-
- /* call provider first */
+ /* Refresh the user's cache entry on any PAM query
+ * We put a timeout in the client context so that we limit
+ * the number of updates within a reasonable timeout
+ */
+ if (preq->check_provider && cctx->pam_timeout < time(NULL)) {
+ /* Call provider first */
break;
}
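Review bot: The throttle in `if (preq->check_provider && cctx->pam_timeout < time(NULL))` is keyed on the client connection rather than on the user being looked up, so once any request on this connection has refreshed from the provider, other users queried over the same connection inside the id_timeout window are answered from the cache without a refresh — including SSS_PAM_AUTHENTICATE, which the removed branch refreshed unconditionally. If that is intended, the new comment above the check should say so, e.g. `* Note: the timeout is per client connection, not per user, so an account changed on the provider may still authenticate from cache until the window expires`; if not, the expiry would need to be tracked per user, or the authenticate/setcred case kept unconditional. `cctx` is not declared within the hunk, and pam_check_user_search starts outside it.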
@@ -909,6 +907,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
{
struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req);
int ret;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
@@ -916,6 +916,9 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
}
+ /* Make sure we don't go to the ID provider too often */
+ preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
+
ret = pam_check_user_search(preq);
if (ret == EOK) {
pam_dom_forwarder(preq);
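Review bot: `preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;` is also reached on the error path — when err_maj is set the function only logs and continues — so a failed provider call suppresses the next refresh for the whole id_timeout window as well; if that back-off is intended, a comment such as `/* Also set on DP failure: avoid retrying a failing provider on every request */` would keep it from being "fixed" later, otherwise the assignment belongs under an `if (err_maj == 0)` guard. The `pctx` obtained via talloc_get_type in the previous hunk of this file is dereferenced here without a NULL check; talloc_get_type returns NULL on a type mismatch, though the file's convention on checking it is not visible from these hunks. pam_check_user_dp_callback's body starts outside this hunk.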