Diffstat (limited to 'src/responder/pam')
-rw-r--r-- | src/responder/pam/pamsrv.c | 9 | ||||
-rw-r--r-- | src/responder/pam/pamsrv.h | 1 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 19 |
3 files changed, 21 insertions, 8 deletions
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 61e7ce7a..91ee4a89 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -108,6 +108,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
     struct be_conn *iter;
     struct pam_ctx *pctx;
     int ret, max_retries;
+    int id_timeout;
 
     pctx = talloc_zero(mem_ctx, struct pam_ctx);
     if (!pctx) {
@@ -153,6 +154,14 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
                          &pctx->neg_timeout);
     if (ret != EOK) goto done;
 
+    /* Set up the PAM identity timeout */
+    ret = confdb_get_int(cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+                         CONFDB_PAM_ID_TIMEOUT, 5,
+                         &id_timeout);
+    if (ret != EOK) goto done;
+
+    pctx->id_timeout = (size_t)id_timeout;
+
     ret = sss_ncache_init(pctx, &pctx->ncache);
     if (ret != EOK) {
         DEBUG(0, ("fatal error initializing negative cache\n"));
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 3ada4cfd..3ffc1708 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -35,6 +35,7 @@ struct pam_ctx {
     struct resp_ctx *rctx;
     struct sss_nc_ctx *ncache;
     int neg_timeout;
+    time_t id_timeout;
 };
 
 struct pam_auth_req {
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 48341aab..6a8f1dbb 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
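Review bot: The cast in `pctx->id_timeout = (size_t)id_timeout;` does not match the field, which the pamsrv.h hunk declares as `time_t`; a negative value read by confdb_get_int would first wrap to a large unsigned size_t and then be converted to time_t, whose result is implementation-defined, and the comparison `cctx->pam_timeout < time(NULL)` would then be wrong for a long time. Cast to the field's own type and reject negative configuration before storing it, e.g. `if (id_timeout < 0) { ret = EINVAL; goto done; }` followed by `pctx->id_timeout = (time_t)id_timeout;`. A configured value of 0 disables the throttling entirely, which may be intended but deserves a line in the comment above the confdb lookup. pam_process_init continues outside the hunk.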
@@ -790,14 +790,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
     /* make sure to update the preq if we changed domain */
     preq->domain = dom;
 
-    /* TODO: check negative cache ? */
-
-    /* Always try to refresh the cache first on authentication */
-    if (preq->check_provider &&
-        (preq->pd->cmd == SSS_PAM_AUTHENTICATE ||
-         preq->pd->cmd == SSS_PAM_SETCRED)) {
-
-        /* call provider first */
+    /* Refresh the user's cache entry on any PAM query
+     * We put a timeout in the client context so that we limit
+     * the number of updates within a reasonable timeout
+     */
+    if (preq->check_provider && cctx->pam_timeout < time(NULL)) {
+        /* Call provider first */
         break;
     }
 
@@ -909,6 +907,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 {
     struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req);
     int ret;
+    struct pam_ctx *pctx =
+        talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 
     if (err_maj) {
         DEBUG(2, ("Unable to get information from Data Provider\n"
@@ -916,6 +916,9 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
                   (unsigned int)err_maj, (unsigned int)err_min, err_msg));
     }
 
+    /* Make sure we don't go to the ID provider too often */
+    preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
+
     ret = pam_check_user_search(preq);
     if (ret == EOK) {
         pam_dom_forwarder(preq); |
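Review bot: The new guard `cctx->pam_timeout < time(NULL)` throttles per client connection, so every fresh connection starts with a zeroed timestamp and reaches the provider once regardless of id_timeout; if the goal is to bound provider load rather than chatter from one long-lived client, the timestamp would need to live with the responder or the cached user, not in cli_ctx. The cli_ctx field itself is added outside this diffstat, so that reading is inferred. `time()` can also return (time_t)-1 on failure, which silently makes the condition false and skips the refresh; capturing it once, `time_t now = time(NULL);`, and treating -1 as "refresh" keeps the failure mode safe. pam_check_user_search's enclosing loop starts and ends outside the hunk.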
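Review bot: `preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;` is assigned unconditionally, including when err_maj is non-zero and the Data Provider returned nothing, so a transient backend failure suppresses refreshes from this connection for id_timeout seconds and the possibly stale cache entry is served meanwhile. If that is deliberate back-off, say so in the comment (`/* Also back off after a provider error */`); otherwise guard it with `if (err_maj == 0)`. The `pctx` obtained by talloc_get_type in the preceding hunk is dereferenced here without a NULL check, which matches how `preq` is handled in this file but is worth noting since talloc_get_type returns NULL on a type mismatch. pam_check_user_dp_callback continues outside the hunk.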