Blame SOURCES/0029-NSS-make-memcache-size-configurable.patch

0ff280
From 80e7163b7bf512a45e2fa31494f3bdff9e9e2dce Mon Sep 17 00:00:00 2001
0ff280
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
0ff280
Date: Wed, 4 Mar 2020 16:26:18 +0100
0ff280
Subject: [PATCH 29/35] NSS: make memcache size configurable
0ff280
0ff280
Added options to configure memcache size:
0ff280
memcache_size_passwd
0ff280
memcache_size_group
0ff280
memcache_size_initgroups
0ff280
0ff280
Related:
0ff280
https://github.com/SSSD/sssd/issues/4578
0ff280
0ff280
Reviewed-by: Sumit Bose <sbose@redhat.com>
0ff280
---
0ff280
 src/confdb/confdb.h                  |   3 +
0ff280
 src/config/SSSDConfig/sssdoptions.py |   3 +
0ff280
 src/config/cfg_rules.ini             |   3 +
0ff280
 src/man/sssd.conf.5.xml              |  78 +++++++++
0ff280
 src/responder/nss/nsssrv.c           | 104 ++++++++----
0ff280
 src/tests/intg/test_memory_cache.py  | 236 +++++++++++++++++++++++++++
0ff280
 6 files changed, 398 insertions(+), 29 deletions(-)
0ff280
0ff280
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
0ff280
index a5d35fd70..c96896da5 100644
0ff280
--- a/src/confdb/confdb.h
0ff280
+++ b/src/confdb/confdb.h
0ff280
@@ -115,6 +115,9 @@
0ff280
 #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
0ff280
 #define CONFDB_NSS_DEFAULT_SHELL "default_shell"
0ff280
 #define CONFDB_MEMCACHE_TIMEOUT "memcache_timeout"
0ff280
+#define CONFDB_NSS_MEMCACHE_SIZE_PASSWD "memcache_size_passwd"
0ff280
+#define CONFDB_NSS_MEMCACHE_SIZE_GROUP "memcache_size_group"
0ff280
+#define CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS "memcache_size_initgroups"
0ff280
 #define CONFDB_NSS_HOMEDIR_SUBSTRING "homedir_substring"
0ff280
 #define CONFDB_DEFAULT_HOMEDIR_SUBSTRING "/home"
0ff280
 
0ff280
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
0ff280
index 9c071f70a..16d85cfa3 100644
0ff280
--- a/src/config/SSSDConfig/sssdoptions.py
0ff280
+++ b/src/config/SSSDConfig/sssdoptions.py
0ff280
@@ -72,6 +72,9 @@ class SSSDOptions(object):
0ff280
         'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'),
0ff280
         'default_shell': _('Shell to use if the provider does not list one'),
0ff280
         'memcache_timeout': _('How long will be in-memory cache records valid'),
0ff280
+        'memcache_size_passwd': _('Number of slots in fast in-memory cache for passwd requests'),
0ff280
+        'memcache_size_group': _('Number of slots in fast in-memory cache for group requests'),
0ff280
+        'memcache_size_initgroups': _('Number of slots in fast in-memory cache for initgroups requests'),
0ff280
         'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option '
0ff280
                                'if the template contains the format string %H.'),
0ff280
         'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered '
0ff280
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
0ff280
index 1a7e2c5cd..2874ea048 100644
0ff280
--- a/src/config/cfg_rules.ini
0ff280
+++ b/src/config/cfg_rules.ini
0ff280
@@ -92,6 +92,9 @@ option = shell_fallback
0ff280
 option = default_shell
0ff280
 option = get_domains_timeout
0ff280
 option = memcache_timeout
0ff280
+option = memcache_size_passwd
0ff280
+option = memcache_size_group
0ff280
+option = memcache_size_initgroups
0ff280
 
0ff280
 [rule/allowed_pam_options]
0ff280
 validator = ini_allowed_options
0ff280
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
0ff280
index 9a9679a4b..9bc2e26e5 100644
0ff280
--- a/src/man/sssd.conf.5.xml
0ff280
+++ b/src/man/sssd.conf.5.xml
0ff280
@@ -1100,6 +1100,84 @@ fallback_homedir = /home/%u
0ff280
                         </para>
0ff280
                     </listitem>
0ff280
                 </varlistentry>
0ff280
+                <varlistentry>
0ff280
+                    <term>memcache_size_passwd (integer)</term>
0ff280
+                    <listitem>
0ff280
+                        <para>
0ff280
+                            Number of slots allocated inside fast in-memory
0ff280
+                            cache for passwd requests. Note that one entry
0ff280
+                            in fast in-memory cache can occupy more than one slot.
0ff280
+                            Setting the size to 0 will disable the passwd in-memory
0ff280
+                            cache.
0ff280
+                        </para>
0ff280
+                        <para>
0ff280
+                            Default: 200000
0ff280
+                        </para>
0ff280
+                        <para>
0ff280
+                            WARNING: Disabled or too small in-memory cache can
0ff280
+                            have significant negative impact on SSSD's
0ff280
+                            performance.
0ff280
+                        </para>
0ff280
+                        <para>
0ff280
+                            NOTE: If the environment variable
0ff280
+                            SSS_NSS_USE_MEMCACHE is set to "NO", client
0ff280
+                            applications will not use the fast in-memory
0ff280
+                            cache.
0ff280
+                        </para>
0ff280
+                    </listitem>
0ff280
+                </varlistentry>
0ff280
+                <varlistentry>
0ff280
+                    <term>memcache_size_group (integer)</term>
0ff280
+                    <listitem>
0ff280
+                        <para>
0ff280
+                            Number of slots allocated inside fast in-memory
0ff280
+                            cache for group requests. Note that one entry
0ff280
+                            in fast in-memory cache can occupy more than one
0ff280
+                            slot. Setting the size to 0 will disable the group
0ff280
+                            in-memory cache.
0ff280
+                        </para>
0ff280
+                        <para>
0ff280
+                            Default: 150000
0ff280
+                        </para>
0ff280
+                        <para>
0ff280
+                            WARNING: Disabled or too small in-memory cache can
0ff280
+                            have significant negative impact on SSSD's
0ff280
+                            performance.
0ff280
+                        </para>
0ff280
+                        <para>
0ff280
+                            NOTE: If the environment variable
0ff280
+                            SSS_NSS_USE_MEMCACHE is set to "NO", client
0ff280
+                            applications will not use the fast in-memory
0ff280
+                            cache.
0ff280
+                        </para>
0ff280
+                    </listitem>
0ff280
+                </varlistentry>
0ff280
+                <varlistentry>
0ff280
+                    <term>memcache_size_initgroups (integer)</term>
0ff280
+                    <listitem>
0ff280
+                        <para>
0ff280
+                            Number of slots allocated inside fast in-memory
0ff280
+                            cache for initgroups requests. Note that one entry
0ff280
+                            in fast in-memory cache can occupy more than one
0ff280
+                            slot. Setting the size to 0 will disable the
0ff280
+                            initgroups in-memory cache.
0ff280
+                        </para>
0ff280
+                        <para>
0ff280
+                            Default: 250000
0ff280
+                        </para>
0ff280
+                        <para>
0ff280
+                            WARNING: Disabled or too small in-memory cache can
0ff280
+                            have significant negative impact on SSSD's
0ff280
+                            performance.
0ff280
+                        </para>
0ff280
+                        <para>
0ff280
+                            NOTE: If the environment variable
0ff280
+                            SSS_NSS_USE_MEMCACHE is set to "NO", client
0ff280
+                            applications will not use the fast in-memory
0ff280
+                            cache.
0ff280
+                        </para>
0ff280
+                    </listitem>
0ff280
+                </varlistentry>
0ff280
                 <varlistentry>
0ff280
                     <term>user_attributes (string)</term>
0ff280
                     <listitem>
0ff280
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
0ff280
index 21d93ae77..0a201d3ae 100644
0ff280
--- a/src/responder/nss/nsssrv.c
0ff280
+++ b/src/responder/nss/nsssrv.c
0ff280
@@ -209,13 +209,16 @@ done:
0ff280
 
0ff280
 static int setup_memcaches(struct nss_ctx *nctx)
0ff280
 {
0ff280
-    /* TODO: read cache sizes from configuration */
0ff280
+    /* Default memcache sizes */
0ff280
     static const size_t SSS_MC_CACHE_PASSWD_SLOTS    = 200000;  /*  8mb */
0ff280
     static const size_t SSS_MC_CACHE_GROUP_SLOTS     = 150000;  /*  6mb */
0ff280
     static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000;  /* 10mb */
0ff280
 
0ff280
     int ret;
0ff280
     int memcache_timeout;
0ff280
+    int mc_size_passwd;
0ff280
+    int mc_size_group;
0ff280
+    int mc_size_initgroups;
0ff280
 
0ff280
     /* Remove the CLEAR_MC_FLAG file if exists. */
0ff280
     ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG);
0ff280
@@ -243,34 +246,77 @@ static int setup_memcaches(struct nss_ctx *nctx)
0ff280
         return EOK;
0ff280
     }
0ff280
 
0ff280
-    ret = sss_mmap_cache_init(nctx, "passwd",
0ff280
-                              nctx->mc_uid, nctx->mc_gid,
0ff280
-                              SSS_MC_PASSWD,
0ff280
-                              SSS_MC_CACHE_PASSWD_SLOTS,
0ff280
-                              (time_t)memcache_timeout,
0ff280
-                              &nctx->pwd_mc_ctx);
0ff280
-    if (ret) {
0ff280
-        DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
0ff280
-    }
0ff280
-
0ff280
-    ret = sss_mmap_cache_init(nctx, "group",
0ff280
-                              nctx->mc_uid, nctx->mc_gid,
0ff280
-                              SSS_MC_GROUP,
0ff280
-                              SSS_MC_CACHE_GROUP_SLOTS,
0ff280
-                              (time_t)memcache_timeout,
0ff280
-                              &nctx->grp_mc_ctx);
0ff280
-    if (ret) {
0ff280
-        DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
0ff280
-    }
0ff280
-
0ff280
-    ret = sss_mmap_cache_init(nctx, "initgroups",
0ff280
-                              nctx->mc_uid, nctx->mc_gid,
0ff280
-                              SSS_MC_INITGROUPS,
0ff280
-                              SSS_MC_CACHE_INITGROUP_SLOTS,
0ff280
-                              (time_t)memcache_timeout,
0ff280
-                              &nctx->initgr_mc_ctx);
0ff280
-    if (ret) {
0ff280
-        DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
0ff280
+    /* Get all memcache sizes from confdb (pwd, grp, initgr) */
0ff280
+
0ff280
+    ret = confdb_get_int(nctx->rctx->cdb,
0ff280
+                         CONFDB_NSS_CONF_ENTRY,
0ff280
+                         CONFDB_NSS_MEMCACHE_SIZE_PASSWD,
0ff280
+                         SSS_MC_CACHE_PASSWD_SLOTS,
0ff280
+                         &mc_size_passwd);
0ff280
+    if (ret != EOK) {
0ff280
+        DEBUG(SSSDBG_FATAL_FAILURE,
0ff280
+              "Failed to get 'memcache_size_passwd' option from confdb.\n");
0ff280
+        return ret;
0ff280
+    }
0ff280
+
0ff280
+    ret = confdb_get_int(nctx->rctx->cdb,
0ff280
+                         CONFDB_NSS_CONF_ENTRY,
0ff280
+                         CONFDB_NSS_MEMCACHE_SIZE_GROUP,
0ff280
+                         SSS_MC_CACHE_GROUP_SLOTS,
0ff280
+                         &mc_size_group);
0ff280
+    if (ret != EOK) {
0ff280
+        DEBUG(SSSDBG_FATAL_FAILURE,
0ff280
+              "Failed to get 'memcache_size_group' option from confdb.\n");
0ff280
+        return ret;
0ff280
+    }
0ff280
+
0ff280
+    ret = confdb_get_int(nctx->rctx->cdb,
0ff280
+                         CONFDB_NSS_CONF_ENTRY,
0ff280
+                         CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS,
0ff280
+                         SSS_MC_CACHE_INITGROUP_SLOTS,
0ff280
+                         &mc_size_initgroups);
0ff280
+    if (ret != EOK) {
0ff280
+        DEBUG(SSSDBG_FATAL_FAILURE,
0ff280
+              "Failed to get 'memcache_size_nitgroups' option from confdb.\n");
0ff280
+        return ret;
0ff280
+    }
0ff280
+
0ff280
+    /* Initialize the fast in-memory caches if they were not disabled */
0ff280
+
0ff280
+    if (mc_size_passwd != 0) {
0ff280
+        ret = sss_mmap_cache_init(nctx, "passwd",
0ff280
+                                  nctx->mc_uid, nctx->mc_gid,
0ff280
+                                  SSS_MC_PASSWD,
0ff280
+                                  mc_size_passwd,
0ff280
+                                  (time_t)memcache_timeout,
0ff280
+                                  &nctx->pwd_mc_ctx);
0ff280
+        if (ret) {
0ff280
+            DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n");
0ff280
+        }
0ff280
+    }
0ff280
+
0ff280
+    if (mc_size_group != 0) {
0ff280
+        ret = sss_mmap_cache_init(nctx, "group",
0ff280
+                                  nctx->mc_uid, nctx->mc_gid,
0ff280
+                                  SSS_MC_GROUP,
0ff280
+                                  mc_size_group,
0ff280
+                                  (time_t)memcache_timeout,
0ff280
+                                  &nctx->grp_mc_ctx);
0ff280
+        if (ret) {
0ff280
+            DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n");
0ff280
+        }
0ff280
+    }
0ff280
+
0ff280
+    if (mc_size_initgroups != 0) {
0ff280
+        ret = sss_mmap_cache_init(nctx, "initgroups",
0ff280
+                                  nctx->mc_uid, nctx->mc_gid,
0ff280
+                                  SSS_MC_INITGROUPS,
0ff280
+                                  mc_size_initgroups,
0ff280
+                                  (time_t)memcache_timeout,
0ff280
+                                  &nctx->initgr_mc_ctx);
0ff280
+        if (ret) {
0ff280
+            DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n");
0ff280
+        }
0ff280
     }
0ff280
 
0ff280
     return EOK;
0ff280
diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py
0ff280
index 322f76fe0..6ed696e00 100644
0ff280
--- a/src/tests/intg/test_memory_cache.py
0ff280
+++ b/src/tests/intg/test_memory_cache.py
0ff280
@@ -135,6 +135,112 @@ def load_data_to_ldap(request, ldap_conn):
0ff280
     create_ldap_fixture(request, ldap_conn, ent_list)
0ff280
 
0ff280
 
0ff280
+@pytest.fixture
0ff280
+def disable_memcache_rfc2307(request, ldap_conn):
0ff280
+    load_data_to_ldap(request, ldap_conn)
0ff280
+
0ff280
+    conf = unindent("""\
0ff280
+        [sssd]
0ff280
+        domains             = LDAP
0ff280
+        services            = nss
0ff280
+
0ff280
+        [nss]
0ff280
+        memcache_size_group = 0
0ff280
+        memcache_size_passwd = 0
0ff280
+        memcache_size_initgroups = 0
0ff280
+
0ff280
+        [domain/LDAP]
0ff280
+        ldap_auth_disable_tls_never_use_in_production = true
0ff280
+        ldap_schema         = rfc2307
0ff280
+        id_provider         = ldap
0ff280
+        auth_provider       = ldap
0ff280
+        sudo_provider       = ldap
0ff280
+        ldap_uri            = {ldap_conn.ds_inst.ldap_url}
0ff280
+        ldap_search_base    = {ldap_conn.ds_inst.base_dn}
0ff280
+    """).format(**locals())
0ff280
+    create_conf_fixture(request, conf)
0ff280
+    create_sssd_fixture(request)
0ff280
+    return None
0ff280
+
0ff280
+
0ff280
+@pytest.fixture
0ff280
+def disable_pwd_mc_rfc2307(request, ldap_conn):
0ff280
+    load_data_to_ldap(request, ldap_conn)
0ff280
+
0ff280
+    conf = unindent("""\
0ff280
+        [sssd]
0ff280
+        domains             = LDAP
0ff280
+        services            = nss
0ff280
+
0ff280
+        [nss]
0ff280
+        memcache_size_passwd = 0
0ff280
+
0ff280
+        [domain/LDAP]
0ff280
+        ldap_auth_disable_tls_never_use_in_production = true
0ff280
+        ldap_schema         = rfc2307
0ff280
+        id_provider         = ldap
0ff280
+        auth_provider       = ldap
0ff280
+        sudo_provider       = ldap
0ff280
+        ldap_uri            = {ldap_conn.ds_inst.ldap_url}
0ff280
+        ldap_search_base    = {ldap_conn.ds_inst.base_dn}
0ff280
+    """).format(**locals())
0ff280
+    create_conf_fixture(request, conf)
0ff280
+    create_sssd_fixture(request)
0ff280
+    return None
0ff280
+
0ff280
+
0ff280
+@pytest.fixture
0ff280
+def disable_grp_mc_rfc2307(request, ldap_conn):
0ff280
+    load_data_to_ldap(request, ldap_conn)
0ff280
+
0ff280
+    conf = unindent("""\
0ff280
+        [sssd]
0ff280
+        domains             = LDAP
0ff280
+        services            = nss
0ff280
+
0ff280
+        [nss]
0ff280
+        memcache_size_group = 0
0ff280
+
0ff280
+        [domain/LDAP]
0ff280
+        ldap_auth_disable_tls_never_use_in_production = true
0ff280
+        ldap_schema         = rfc2307
0ff280
+        id_provider         = ldap
0ff280
+        auth_provider       = ldap
0ff280
+        sudo_provider       = ldap
0ff280
+        ldap_uri            = {ldap_conn.ds_inst.ldap_url}
0ff280
+        ldap_search_base    = {ldap_conn.ds_inst.base_dn}
0ff280
+    """).format(**locals())
0ff280
+    create_conf_fixture(request, conf)
0ff280
+    create_sssd_fixture(request)
0ff280
+    return None
0ff280
+
0ff280
+
0ff280
+@pytest.fixture
0ff280
+def disable_initgr_mc_rfc2307(request, ldap_conn):
0ff280
+    load_data_to_ldap(request, ldap_conn)
0ff280
+
0ff280
+    conf = unindent("""\
0ff280
+        [sssd]
0ff280
+        domains             = LDAP
0ff280
+        services            = nss
0ff280
+
0ff280
+        [nss]
0ff280
+        memcache_size_initgroups = 0
0ff280
+
0ff280
+        [domain/LDAP]
0ff280
+        ldap_auth_disable_tls_never_use_in_production = true
0ff280
+        ldap_schema         = rfc2307
0ff280
+        id_provider         = ldap
0ff280
+        auth_provider       = ldap
0ff280
+        sudo_provider       = ldap
0ff280
+        ldap_uri            = {ldap_conn.ds_inst.ldap_url}
0ff280
+        ldap_search_base    = {ldap_conn.ds_inst.base_dn}
0ff280
+    """).format(**locals())
0ff280
+    create_conf_fixture(request, conf)
0ff280
+    create_sssd_fixture(request)
0ff280
+    return None
0ff280
+
0ff280
+
0ff280
 @pytest.fixture
0ff280
 def sanity_rfc2307(request, ldap_conn):
0ff280
     load_data_to_ldap(request, ldap_conn)
0ff280
@@ -354,6 +460,19 @@ def test_getgrnam_simple_with_mc(ldap_conn, sanity_rfc2307):
0ff280
     test_getgrnam_simple(ldap_conn, sanity_rfc2307)
0ff280
 
0ff280
 
0ff280
+def test_getgrnam_simple_disabled_pwd_mc(ldap_conn, disable_pwd_mc_rfc2307):
0ff280
+    test_getgrnam_simple(ldap_conn, disable_pwd_mc_rfc2307)
0ff280
+    stop_sssd()
0ff280
+    test_getgrnam_simple(ldap_conn, disable_pwd_mc_rfc2307)
0ff280
+
0ff280
+
0ff280
+def test_getgrnam_simple_disabled_intitgr_mc(ldap_conn,
0ff280
+                                             disable_initgr_mc_rfc2307):
0ff280
+    test_getgrnam_simple(ldap_conn, disable_initgr_mc_rfc2307)
0ff280
+    stop_sssd()
0ff280
+    test_getgrnam_simple(ldap_conn, disable_initgr_mc_rfc2307)
0ff280
+
0ff280
+
0ff280
 def test_getgrnam_membership(ldap_conn, sanity_rfc2307):
0ff280
     ent.assert_group_by_name(
0ff280
         "group1",
0ff280
@@ -919,3 +1038,120 @@ def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307):
0ff280
         grp.getgrnam('group1')
0ff280
     with pytest.raises(KeyError):
0ff280
         grp.getgrgid(2001)
0ff280
+
0ff280
+
0ff280
+def test_disabled_mc(ldap_conn, disable_memcache_rfc2307):
0ff280
+    ent.assert_passwd_by_name(
0ff280
+        'user1',
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+    ent.assert_passwd_by_uid(
0ff280
+        1001,
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+
0ff280
+    ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
0ff280
+    ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
0ff280
+
0ff280
+    assert_user_gids_equal('user1', [2000, 2001])
0ff280
+
0ff280
+    stop_sssd()
0ff280
+
0ff280
+    # sssd is stopped and the memory cache is disabled;
0ff280
+    # so pytest should not be able to find anything
0ff280
+    with pytest.raises(KeyError):
0ff280
+        pwd.getpwnam('user1')
0ff280
+    with pytest.raises(KeyError):
0ff280
+        pwd.getpwuid(1001)
0ff280
+
0ff280
+    with pytest.raises(KeyError):
0ff280
+        grp.getgrnam('group1')
0ff280
+    with pytest.raises(KeyError):
0ff280
+        grp.getgrgid(2001)
0ff280
+
0ff280
+    with pytest.raises(KeyError):
0ff280
+        (res, errno, gids) = sssd_id.get_user_gids('user1')
0ff280
+
0ff280
+
0ff280
+def test_disabled_passwd_mc(ldap_conn, disable_pwd_mc_rfc2307):
0ff280
+    ent.assert_passwd_by_name(
0ff280
+        'user1',
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+    ent.assert_passwd_by_uid(
0ff280
+        1001,
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+
0ff280
+    assert_user_gids_equal('user1', [2000, 2001])
0ff280
+
0ff280
+    stop_sssd()
0ff280
+
0ff280
+    # passwd cache is disabled
0ff280
+    with pytest.raises(KeyError):
0ff280
+        pwd.getpwnam('user1')
0ff280
+    with pytest.raises(KeyError):
0ff280
+        pwd.getpwuid(1001)
0ff280
+
0ff280
+    # Initgroups looks up the user first, hence KeyError from the
0ff280
+    # passwd database even if the initgroups cache is active.
0ff280
+    with pytest.raises(KeyError):
0ff280
+        (res, errno, gids) = sssd_id.get_user_gids('user1')
0ff280
+
0ff280
+
0ff280
+def test_disabled_group_mc(ldap_conn, disable_grp_mc_rfc2307):
0ff280
+    ent.assert_passwd_by_name(
0ff280
+        'user1',
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+    ent.assert_passwd_by_uid(
0ff280
+        1001,
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+
0ff280
+    ent.assert_group_by_name("group1", dict(name="group1", gid=2001))
0ff280
+    ent.assert_group_by_gid(2001, dict(name="group1", gid=2001))
0ff280
+
0ff280
+    assert_user_gids_equal('user1', [2000, 2001])
0ff280
+
0ff280
+    stop_sssd()
0ff280
+
0ff280
+    # group cache is disabled, other caches should work
0ff280
+    ent.assert_passwd_by_name(
0ff280
+        'user1',
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+    ent.assert_passwd_by_uid(
0ff280
+        1001,
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+
0ff280
+    with pytest.raises(KeyError):
0ff280
+        grp.getgrnam('group1')
0ff280
+    with pytest.raises(KeyError):
0ff280
+        grp.getgrgid(2001)
0ff280
+
0ff280
+    assert_user_gids_equal('user1', [2000, 2001])
0ff280
+
0ff280
+
0ff280
+def test_disabled_initgr_mc(ldap_conn, disable_initgr_mc_rfc2307):
0ff280
+    # Even if initgroups is disabled, passwd should work
0ff280
+    ent.assert_passwd_by_name(
0ff280
+        'user1',
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+    ent.assert_passwd_by_uid(
0ff280
+        1001,
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+
0ff280
+    stop_sssd()
0ff280
+
0ff280
+    ent.assert_passwd_by_name(
0ff280
+        'user1',
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
+    ent.assert_passwd_by_uid(
0ff280
+        1001,
0ff280
+        dict(name='user1', passwd='*', uid=1001, gid=2001,
0ff280
+             gecos='1001', shell='/bin/bash'))
0ff280
-- 
0ff280
2.21.3
0ff280