Blame SOURCES/0045-IPA-AD-LDAP-Increase-the-initgrExpireTimestamp-after.patch

From 073f79ecb75ded427d93c5f8925076646b736b1c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 1 Jul 2019 14:26:38 +0200
Subject: [PATCH 45/48] IPA/AD/LDAP: Increase the initgrExpireTimestamp after
 finishing refresh request
Related: https://pagure.io/SSSD/sssd/issue/4012
Calls sysdb_set_initgr_expire_timestamp() after each successful refresh
of initgroups data to make sure the initgrExpireTimestamp attribute is
increased.
If you're wondering why the timestamp is not set by the initgroups operation
itself, see tickets #3744 or #2634 for examples of bugs caused by setting
the initgrExpireTimestamp too soon.
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/providers/ad/ad_refresh.c     | 12 ++++++++++++
 src/providers/ipa/ipa_refresh.c   | 12 ++++++++++++
 src/providers/ldap/sdap_refresh.c | 12 ++++++++++++
 3 files changed, 36 insertions(+)
diff --git a/src/providers/ad/ad_refresh.c b/src/providers/ad/ad_refresh.c
index 0c2ebce5e..7aa56f33e 100644
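--- a/src/providers/ad/ad_refresh.c
+++ b/src/providers/ad/ad_refresh.c
@@ -26,6 +26,7 @@ struct ad_refresh_state {
     struct be_ctx *be_ctx;
     struct dp_id_data *account_req;
     struct ad_id_ctx *id_ctx;
+    struct sss_domain_info *domain;
     char **names;
     size_t index;
 };
@@ -60,6 +61,7 @@ static struct tevent_req *ad_refresh_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->be_ctx = be_ctx;
+    state->domain = domain;
     state->id_ctx = talloc_get_type(pvt, struct ad_id_ctx);
     state->names = names;
     state->index = 0;
@@ -167,6 +169,16 @@ static void ad_refresh_done(struct tevent_req *subreq)
         goto done;
     }
 
+    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
+        ret = sysdb_set_initgr_expire_timestamp(state->domain,
+                                                state->account_req->filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to set initgroups expiration for [%s]\n",
+                  state->account_req->filter_value);
+        }
+    }
+
     ret = ad_refresh_step(req);
     if (ret == EAGAIN) {
         return;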
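Review bot: The failure branch added in ad_refresh_done logs only the name and drops `ret`, which the following `ret = ad_refresh_step(req);` then overwrites, so the reason the timestamp write failed is lost. Include it in the message, e.g. `"Failed to set initgroups expiration for [%s]: %d [%s]\n", state->account_req->filter_value, ret, sss_strerror(ret)`. The same block is repeated in ipa_refresh_done and sdap_refresh_done, so the change applies there too. Continuing after the failure looks deliberate and errs on the safe side, since an un-bumped initgrExpireTimestamp presumably leaves the cached group membership marked expired rather than trusted for longer; a one-line comment such as `/* best effort: on failure the entry stays expired and is re-fetched */` would record that. ad_refresh_done begins and ends outside this hunk.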
diff --git a/src/providers/ipa/ipa_refresh.c b/src/providers/ipa/ipa_refresh.c
index 13c38dff9..64f8db812 100644
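--- a/src/providers/ipa/ipa_refresh.c
+++ b/src/providers/ipa/ipa_refresh.c
@@ -26,6 +26,7 @@ struct ipa_refresh_state {
     struct be_ctx *be_ctx;
     struct dp_id_data *account_req;
     struct ipa_id_ctx *id_ctx;
+    struct sss_domain_info *domain;
     char **names;
     size_t index;
 };
@@ -59,6 +60,7 @@ static struct tevent_req *ipa_refresh_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->be_ctx = be_ctx;
+    state->domain = domain;
     state->id_ctx = talloc_get_type(pvt, struct ipa_id_ctx);
     state->names = names;
     state->index = 0;
@@ -147,6 +149,16 @@ static void ipa_refresh_done(struct tevent_req *subreq)
         goto done;
     }
 
+    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
+        ret = sysdb_set_initgr_expire_timestamp(state->domain,
+                                                state->account_req->filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to set initgroups expiration for [%s]\n",
+                  state->account_req->filter_value);
+        }
+    }
+
     ret = ipa_refresh_step(req);
     if (ret == EAGAIN) {
         return;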
diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
index 4e464b2f6..402db53a9 100644
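--- a/src/providers/ldap/sdap_refresh.c
+++ b/src/providers/ldap/sdap_refresh.c
@@ -29,6 +29,7 @@ struct sdap_refresh_state {
     struct be_ctx *be_ctx;
     struct dp_id_data *account_req;
     struct sdap_id_ctx *id_ctx;
+    struct sss_domain_info *domain;
     struct sdap_domain *sdom;
     char **names;
     size_t index;
@@ -63,6 +64,7 @@ static struct tevent_req *sdap_refresh_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->be_ctx = be_ctx;
+    state->domain = domain;
     state->id_ctx = talloc_get_type(pvt, struct sdap_id_ctx);
     state->names = names;
     state->index = 0;
@@ -165,6 +167,16 @@ static void sdap_refresh_done(struct tevent_req *subreq)
         goto done;
     }
 
+    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
+        ret = sysdb_set_initgr_expire_timestamp(state->domain,
+                                                state->account_req->filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Failed to set initgroups expiration for [%s]\n",
+                  state->account_req->filter_value);
+        }
+    }
+
     ret = sdap_refresh_step(req);
     if (ret == EAGAIN) {
         return;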
-- 
2.20.1