SSSD / sssd

Clone

e354ec7 DP/LDAP: Only increase the initgrTimestamp when the full initgroups DP request finishes

2 files Authored by jhrozek 5 years ago, Committed by fidencio 5 years ago,
raw patch tree parent
2 files changed. 83 lines added. 56 lines removed.
src/providers/data_provider/dp_target_id.c
file modified
+67 -0
src/providers/ldap/ldap_id.c
file modified
+16 -56 
    DP/LDAP: Only increase the initgrTimestamp when the full initgroups DP request finishes
    
    An initgroups request for an AD user consists of two parts - resolving
    the AD user, which internally calls an LDAP request and adding the IPA
    external group memberships. For (probably?) historical reasons from the
    time before we had any notion of subdomains, the initgrTimestamp
    attribute is written down at the LDAP request level when it finishes --
    which means the initgrTimestamp is written before the IPA external group
    membership is evaluated.
    
    When two requests for initgroups arrive semi-concurrently, it can happen
    that the first request will trigger the whole machinery while the other
    one would evaluate the initgrTimestamp attribute that was just bumped,
    but the IPA group memberships were not yet written to the cache.
    
    The result is that the second racing request only returns AD groups.
    
    This fix removes writing the timestamp from the generic LDAP code and
    instead writes the timestamp only when the Data Provider request fully
    returns.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3744
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
file modified
+67 -0
file modified
+16 -56
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.