From 6830f45b6586c97b87a58d520cd5c56e3e3f8d72 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Nov 14 2012 09:48:59 +0000
Subject: Run IPA subdomain provider if IPA ID provider is configured
To make configuration easier the IPA subdomain provider should be always loaded if the IPA ID provider is configured and the subdomain provider is not explicitly disabled. But to avoid the overhead of regular subdomain requests in setups where no subdomains are used the IPA subdomain provider should behave differently if configured explicit or implicit. If the IPA subdomain provider is configured explicitly, i.e. 'subdomains_provider = ipa' can be found in the domain section of sssd.conf subdomain request are always send to the server if needed. If it is configured implicitly and a request to the server fails with an indication that the server currently does not support subdomains at all, e.g. is not configured to handle trust relationships, a new request will be only send to the server after a long timeout or after a going-online event. To be able to make this distinction this patch save the configuration status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613
---
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index c7abea9..4a3aed8 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -581,6 +581,29 @@ + + SUBDOMAINS PROVIDER + + The IPA subdomains provider behaves slightly differently + if it is configured explicitly or implicitly. + + + If the option 'subdomains_provider = ipa' is found in the + domain section of sssd.conf, the IPA subdomains provider is + configured explicitly, and all subdomain requests are sent to the + IPA server if necessary. + + + If the option 'subdomains_provider' is not set in the domain + section of sssd.conf but there is the option 'id_provider = ipa', + the IPA subdomains provider is configured implictly. In this case, + if a subdomain request fails and indicates that the server does not + support subdomains, i.e. is not configured for trusts, the IPA + subdomains provider is disabled. After an hour or after the IPA + provider goes online, the subdomains provider is enabled again. + + +
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 33d99c7..9f487fa 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1411,8 +1411,9 @@ override_homedir = /home/%u subdomains_provider (string) - The provider which should handle fetching of subdomains. - This value should be always the same as id_provider. + The provider which should handle fetching of + subdomains. This value should be always the same as + id_provider. Supported subdomain providers are:
@@ -1421,13 +1422,16 @@ override_homedir = /home/%u sssd-ipa 5 - for more information on configuring IPA. + for more information on configuring + IPA. - none disallows fetching subdomains explicitly. + none disallows fetching subdomains + explicitly. - Default: none + Default: The value of id_provider is + used if it is set.
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 2865cae..fc4c8cc 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -2317,7 +2317,8 @@ int be_process_init(TALLOC_CTX *mem_ctx, } ret = load_backend_module(ctx, BET_SUBDOMAINS,
- &ctx->bet_info[BET_SUBDOMAINS], NULL);
+ &ctx->bet_info[BET_SUBDOMAINS],
+ ctx->bet_info[BET_ID].mod_name); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, ("Subdomains are not supported for [%s] !!\n", be_domain)); } else {
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 36ffafd..0bf2e5d 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -47,6 +47,7 @@ /* refresh automatically every 4 hours */ #define IPA_SUBDOMAIN_REFRESH_PERIOD (3600 * 4)
+#define IPA_SUBDOMAIN_DISABLED_PERIOD 3600 /* the directory domain - realm mappings are written to */ #define IPA_SUBDOMAIN_MAPPING_DIR PUBCONF_PATH"/krb5.include.d"
@@ -74,6 +75,8 @@ struct ipa_subdomains_ctx { time_t last_refreshed; struct tevent_timer *timer_event;
+ bool configured_explicit;
+ time_t disabled_until; /* subdomain map cache */ int num_subdoms;
@@ -899,6 +902,12 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) * and we don't have the master domain record */ DEBUG(SSSDBG_CRIT_FAILURE, ("Master domain record not found!\n"));
+
+ if (!ctx->sd_ctx->configured_explicit) {
+ ctx->sd_ctx->disabled_until = time(NULL) + + IPA_SUBDOMAIN_DISABLED_PERIOD;
+ }
+ ret = EIO; goto done; }
@@ -932,6 +941,7 @@ static void ipa_subdom_online_cb(void *pvt) return; }
+ ctx->disabled_until = 0; ipa_subdomains_retrieve(ctx, NULL); tv = tevent_timeval_current_ofs(IPA_SUBDOMAIN_REFRESH_PERIOD, 0);
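Review bot: Defaulting to `ctx->bet_info[BET_ID].mod_name` makes every backend look for a subdomains target in its ID provider's module, yet sssd.conf(5) as patched lists ipa as the only subdomains provider, so for any non-IPA id_provider the `if (ret != EOK)` branch presumably now logs "Subdomains are not supported" at SSSDBG_CRIT_FAILURE on every start for a perfectly normal configuration (unless load_backend_module treats a missing target as a non-error, which this hunk does not show). I would lower that message to a minor level for the defaulted case, or only fall back to the ID module when it is known to provide the target, and state the intent above the call: `/* Use the ID provider's module as default so that id_provider = ipa implicitly enables the IPA subdomains target (documented in sssd.conf(5)). */`. The default also assumes the ID target was loaded earlier in be_process_init so that mod_name is set; that is outside the hunk and worth naming in the same comment. be_process_init begins and ends outside this hunk.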
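Review bot: The two new fields in struct ipa_subdomains_ctx are undocumented while the neighbouring field carries a `/* subdomain map cache */` comment, and the meaning of a zero `disabled_until` versus a future timestamp is only recoverable by reading three other hunks of this patch. I would annotate them inline: `bool configured_explicit; /* subdomains_provider set in sssd.conf */` and `time_t disabled_until; /* 0 = active; otherwise requests are answered without contacting the server until this time */`. The struct definition starts before and ends after the hunk.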
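Review bot: The new back-off in ipa_subdomains_handler_master_done is undocumented: nothing says why an explicitly configured provider is exempt, that the current request still fails with EIO, or that the only early reset is the going-online callback, so a reader of this function alone cannot tell the two modes apart. I would put that above the `if (!ctx->sd_ctx->configured_explicit)` test, e.g. `/* Implicitly loaded via id_provider = ipa: the server has no trust support, so stop asking for IPA_SUBDOMAIN_DISABLED_PERIOD instead of on every request; explicit subdomains_provider = ipa keeps retrying. Cleared by ipa_subdom_online_cb. */`. Note that the deadline is wall-clock `time(NULL)`, so a backward clock step (for example an NTP correction shortly after boot) lengthens the outage beyond an hour; the existing `last_refreshed` logic in this file has the same property, so this is consistent rather than new, but a monotonic source would be more robust if one is available here. The function starts and ends outside the hunk.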
@@ -953,9 +963,48 @@ static void ipa_subdom_offline_cb(void *pvt) } }
+static errno_t get_config_status(struct be_ctx *be_ctx,
+ bool *configured_explicit)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *tmp_str;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_new failed.\n"));
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
+ CONFDB_DOMAIN_SUBDOMAINS_PROVIDER, NULL,
+ &tmp_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("confdb_get_string failed.\n"));
+ goto done;
+ }
+
+ if (tmp_str == NULL) {
+ *configured_explicit = false;
+ } else {
+ *configured_explicit = true;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, ("IPA subdomain provider is configured %s.\n",
+ *configured_explicit ? "explicit" : "implicit"));
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+ void ipa_subdomains_handler(struct be_req *be_req) { struct ipa_subdomains_ctx *ctx;
+ time_t now; ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data, struct ipa_subdomains_ctx);
@@ -964,7 +1013,15 @@ void ipa_subdomains_handler(struct be_req *be_req) return; }
- if (ctx->last_refreshed > time(NULL) - IPA_SUBDOMAIN_REFRESH_LIMIT) {
+ now = time(NULL);
+
+ if (ctx->disabled_until > now) {
+ DEBUG(SSSDBG_TRACE_ALL, ("Subdomain provider disabled.\n"));
+ ipa_subdomains_reply(be_req, DP_ERR_OK, EOK);
+ return;
+ }
+
+ if (ctx->last_refreshed > now - IPA_SUBDOMAIN_REFRESH_LIMIT) { ipa_subdomains_reply(be_req, DP_ERR_OK, EOK); return; }
@@ -984,6 +1041,13 @@ int ipa_subdom_init(struct be_ctx *be_ctx, { struct ipa_subdomains_ctx *ctx; int ret;
+ bool configured_explicit = false;
+
+ ret = get_config_status(be_ctx, &configured_explicit);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("get_config_status failed.\n"));
+ return ret;
+ } ctx = talloc_zero(id_ctx, struct ipa_subdomains_ctx); if (ctx == NULL) {
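Review bot: get_config_status has no header comment and its contract is easy to misread: it reports "explicit" for any non-NULL `subdomains_provider` value, not specifically for `ipa`, and a confdb read failure propagates to ipa_subdom_init, which then refuses to load the subdomains target (see the init hunk below). I would document that above the function, for example `/* Set *configured_explicit when subdomains_provider is present in this domain's confdb section; absent means the target was loaded through the id_provider default. Returns EOK, ENOMEM, or the confdb error. */`. Minor style: `tmp_ctx` exists only to own `tmp_str`, which is fine, but `tmp_str` could be initialised to NULL alongside it so the function never holds an indeterminate pointer on the error path.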
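Review bot: While `disabled_until` is in the future the handler answers DP_ERR_OK/EOK without touching the server, the same reply the fresh-cache branch below it gives, so callers cannot distinguish "backed off because the server has no trusts" from "recently refreshed"; that looks intended given the man page text in this patch, but the only trace is a TRACE_ALL DEBUG and there is no comment. I would add above the check: `/* Implicit config and the server reported no trust support: reply OK without a lookup until disabled_until (reset in ipa_subdom_online_cb) */`. Capturing `now` once is a good change since both comparisons now share it; both still use wall-clock time(NULL), as the existing code did. ipa_subdomains_handler continues outside the hunk.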
@@ -996,6 +1060,8 @@ int ipa_subdom_init(struct be_ctx *be_ctx, ctx->search_bases = id_ctx->ipa_options->subdomains_search_bases; ctx->master_search_bases = id_ctx->ipa_options->master_domain_search_bases; ctx->ranges_search_bases = id_ctx->ipa_options->ranges_search_bases;
+ ctx->configured_explicit = configured_explicit;
+ ctx->disabled_until = 0; *ops = &ipa_subdomains_ops; *pvt_data = ctx;
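Review bot: `ctx->disabled_until = 0;` is redundant because ctx comes from `talloc_zero(id_ctx, struct ipa_subdomains_ctx)` in the preceding hunk of ipa_subdom_init, which already zeroes every field; either drop the line or keep it only with a comment that makes the intent explicit, e.g. `ctx->disabled_until = 0; /* enabled; set in master_done on trust-less servers */`. The `ctx->configured_explicit` assignment is the one that carries information and reads fine. ipa_subdom_init starts before and ends after this hunk.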