212 lines
8.7 KiB
Diff
212 lines
8.7 KiB
Diff
From 4a311702045b065a97a0c0fc0ccc7a1fc84b38cf Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
Date: Thu, 17 Aug 2017 19:49:22 +0200
|
|
Subject: [PATCH 62/93] DESKPROFILE: Add ipa_deskprofile_request_interval
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
This option has been added to avoid contacting the Data Provider when no
|
|
rules were found in the previous request.
|
|
|
|
By adding this configurable option we avoid contacting the Data Provider
|
|
too often in the case described above and also when the server doesn't
|
|
support Desktop Profile's integration.
|
|
|
|
Resolves: https://pagure.io/SSSD/sssd/issue/3482
|
|
|
|
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
src/config/cfg_rules.ini | 1 +
|
|
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
|
|
src/man/sssd-ipa.5.xml | 14 ++++++++++++++
|
|
src/providers/ipa/ipa_common.h | 1 +
|
|
src/providers/ipa/ipa_opts.c | 1 +
|
|
src/providers/ipa/ipa_session.c | 33 ++++++++++++++++++++++++++++++++-
|
|
src/providers/ipa/ipa_session.h | 2 ++
|
|
8 files changed, 53 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
index 2a19b60a987c5f2c5c59ac2466f8f6821803e146..8c56e4efa4ae7c648f670bb6a67290b6e835f581 100644
|
|
--- a/src/config/SSSDConfig/__init__.py.in
|
|
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
@@ -220,6 +220,7 @@ option_strings = {
|
|
'ipa_group_override_object_class': _("Objectclass for group override objects"),
|
|
'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"),
|
|
'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules against the IPA server"),
|
|
+ 'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles rules against the IPA server when the last request did not find any rule"),
|
|
|
|
# [provider/ad]
|
|
'ad_domain' : _('Active Directory domain'),
|
|
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
index 3ebd39e93cec6d1ddf547d7ebdb49884e637f8c7..ae60c73c871e1ac18a26124232e1f9f7c9f8fabb 100644
|
|
--- a/src/config/cfg_rules.ini
|
|
+++ b/src/config/cfg_rules.ini
|
|
@@ -440,6 +440,7 @@ option = ipa_anchor_uuid
|
|
option = ipa_automount_location
|
|
option = ipa_backup_server
|
|
option = ipa_deskprofile_refresh
|
|
+option = ipa_deskprofile_request_interval
|
|
option = ipa_deskprofile_search_base
|
|
option = ipa_domain
|
|
option = ipa_dyndns_iface
|
|
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
|
index 8178b123e3b42cb92029db8b879d26f1fd16cf3e..ab9634c7a69026099fcc8f59aa26a89a43671f0a 100644
|
|
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
|
|
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
|
@@ -195,6 +195,7 @@ ldap_autofs_search_base = str, None, false
|
|
|
|
[provider/ipa/session]
|
|
ipa_deskprofile_refresh = int, None, false
|
|
+ipa_deskprofile_request_interval = int, None, false
|
|
ipa_host_object_class = str, None, false
|
|
ipa_host_name = str, None, false
|
|
ipa_host_fqdn = str, None, false
|
|
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
|
|
index 4d1c3c8a11dea956c31be690f5bdceea94252fd2..4cf07142c53798ea154032bdc560a8160e1c585a 100644
|
|
--- a/src/man/sssd-ipa.5.xml
|
|
+++ b/src/man/sssd-ipa.5.xml
|
|
@@ -476,6 +476,20 @@
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
+ <varlistentry>
|
|
+ <term>ipa_deskprofile_request_interval (integer)</term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ The amount of time between lookups of the Desktop
|
|
+ Profile rules against the IPA server in case the
|
|
+ last request did not return any rule.
|
|
+ </para>
|
|
+ <para>
|
|
+ Default: 60 (minutes)
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
+
|
|
<varlistentry>
|
|
<term>ipa_hbac_refresh (integer)</term>
|
|
<listitem>
|
|
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
|
|
index 5b3507cd47aab75a4a7bbc16a8146d82411f2d16..5197a9af08f86e042244c495cc37e728fae63cc5 100644
|
|
--- a/src/providers/ipa/ipa_common.h
|
|
+++ b/src/providers/ipa/ipa_common.h
|
|
@@ -58,6 +58,7 @@ enum ipa_basic_opt {
|
|
IPA_KRB5_CONFD_PATH,
|
|
IPA_DESKPROFILE_SEARCH_BASE,
|
|
IPA_DESKPROFILE_REFRESH,
|
|
+ IPA_DESKPROFILE_REQUEST_INTERVAL,
|
|
|
|
IPA_OPTS_BASIC /* opts counter */
|
|
};
|
|
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
|
|
index 4836445dad82c4d3ecaecc32d22cb6f9730f0fcb..09b78f726caa4efa4106ad741066018565f1ace1 100644
|
|
--- a/src/providers/ipa/ipa_opts.c
|
|
+++ b/src/providers/ipa/ipa_opts.c
|
|
@@ -50,6 +50,7 @@ struct dp_option ipa_basic_opts[] = {
|
|
{ "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
|
|
{ "ipa_deskprofile_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
{ "ipa_deskprofile_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
|
|
+ { "ipa_deskprofile_request_interval", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
|
|
DP_OPTION_TERMINATOR
|
|
};
|
|
|
|
diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
|
|
index 7adf8b6d7dfef9b2c29c1ee42f47842131773e90..8559284c9b453129400626e0cf93e70275e80301 100644
|
|
--- a/src/providers/ipa/ipa_session.c
|
|
+++ b/src/providers/ipa/ipa_session.c
|
|
@@ -42,6 +42,8 @@
|
|
#define SSS_FLEETCOMMANDERCLIENT_PATH "/org/freedesktop/FleetCommanderClient"
|
|
#define SSS_FLEETCOMMANDERCLIENT_IFACE "org.freedesktop.FleetCommanderClient"
|
|
|
|
+#define MINUTE_IN_SECONDS 60
|
|
+
|
|
struct ipa_fetch_deskprofile_state {
|
|
struct tevent_context *ev;
|
|
struct be_ctx *be_ctx;
|
|
@@ -80,6 +82,8 @@ ipa_fetch_deskprofile_send(TALLOC_CTX *mem_ctx,
|
|
struct tevent_req *req;
|
|
time_t now;
|
|
time_t refresh_interval;
|
|
+ time_t request_interval;
|
|
+ time_t next_request;
|
|
bool offline;
|
|
errno_t ret;
|
|
|
|
@@ -122,13 +126,34 @@ ipa_fetch_deskprofile_send(TALLOC_CTX *mem_ctx,
|
|
goto immediately;
|
|
}
|
|
|
|
+ now = time(NULL);
|
|
+
|
|
+ request_interval = dp_opt_get_int(state->ipa_options,
|
|
+ IPA_DESKPROFILE_REQUEST_INTERVAL);
|
|
+ /* This value is in minutes ... */
|
|
+ request_interval *= MINUTE_IN_SECONDS;
|
|
+
|
|
+ if (state->session_ctx->no_rules_found &&
|
|
+ now < session_ctx->last_request + request_interval) {
|
|
+ next_request = (session_ctx->last_request + request_interval - now);
|
|
+ /* This value is in seconds ... */
|
|
+ next_request /= 60;
|
|
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
+ "No rules were found in the last request.\n"
|
|
+ "Next request will happen in any login after %"PRIu64" minutes\n",
|
|
+ next_request);
|
|
+ ret = ENOENT;
|
|
+ goto immediately;
|
|
+ }
|
|
+
|
|
+ state->session_ctx->no_rules_found = false;
|
|
+
|
|
offline = be_is_offline(be_ctx);
|
|
DEBUG(SSSDBG_TRACE_ALL, "Connection status is [%s].\n",
|
|
offline ? "offline" : "online");
|
|
|
|
refresh_interval = dp_opt_get_int(state->ipa_options,
|
|
IPA_DESKPROFILE_REFRESH);
|
|
- now = time(NULL);
|
|
|
|
if (offline || now < session_ctx->last_update + refresh_interval) {
|
|
DEBUG(SSSDBG_TRACE_FUNC,
|
|
@@ -540,6 +565,10 @@ ipa_pam_session_handler_done(struct tevent_req *subreq)
|
|
|
|
if (ret == ENOENT) {
|
|
DEBUG(SSSDBG_IMPORTANT_INFO, "No Desktop Profile rules found\n");
|
|
+ if (!state->session_ctx->no_rules_found) {
|
|
+ state->session_ctx->no_rules_found = true;
|
|
+ state->session_ctx->last_request = time(NULL);
|
|
+ }
|
|
state->pd->pam_status = PAM_SUCCESS;
|
|
goto done;
|
|
} else if (ret != EOK) {
|
|
@@ -550,6 +579,8 @@ ipa_pam_session_handler_done(struct tevent_req *subreq)
|
|
goto done;
|
|
}
|
|
|
|
+ state->session_ctx->last_request = time(NULL);
|
|
+
|
|
hostname = dp_opt_get_string(state->session_ctx->ipa_options, IPA_HOSTNAME);
|
|
ret = ipa_pam_session_handler_save_deskprofile_rules(state->be_ctx,
|
|
state->be_ctx->domain,
|
|
diff --git a/src/providers/ipa/ipa_session.h b/src/providers/ipa/ipa_session.h
|
|
index aac99844df0c0d158b63ad67bd89896611891551..0c4d54f8555dd1eeaca43299500b12b1d81b872f 100644
|
|
--- a/src/providers/ipa/ipa_session.h
|
|
+++ b/src/providers/ipa/ipa_session.h
|
|
@@ -31,6 +31,8 @@ struct ipa_session_ctx {
|
|
struct sdap_id_ctx *sdap_ctx;
|
|
struct dp_option *ipa_options;
|
|
time_t last_update;
|
|
+ time_t last_request;
|
|
+ bool no_rules_found;
|
|
|
|
struct sdap_attr_map *host_map;
|
|
struct sdap_attr_map *hostgroup_map;
|
|
--
|
|
2.14.1
|
|
|