Better cleanup task handling

Implements a different mechanism for cleanup task. Instead of just deleting expired entries, this patch adds a new option account_cache_expiration for domains. If an entry is expired and the last login was more days in the past that account_cache_expiration, the entry is deleted. Groups are deleted if they are expired and and no user references them (no user has memberof: attribute pointing at that group). The parameter account_cache_expiration is not LDAP-specific, so that other future backends might use the same timeout setting. Fixes: #391
SSSD · Feb 23, 2010 · af81aaa · af81aaa
1 parent f8c6a44
commit af81aaa
Show file tree

Hide file tree

Showing 11 changed files with 263 additions and 39 deletions.
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -664,6 +664,7 @@ dist_noinst_DATA += \
 # Plugin Libraries #
 ####################
 libsss_ldap_la_SOURCES = \
+    util/find_uid.c \
     providers/child_common.c \
     providers/ldap/ldap_id.c \
     providers/ldap/ldap_id_enum.c \

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
@@ -101,6 +101,7 @@
 #define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
 #define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout"
 #define CONFDB_DOMAIN_FAMILY_ORDER "lookup_family_order"
+#define CONFDB_DOMAIN_ACCOUNT_CACHE_EXPIRATION "account_cache_expiration"
 
 /* Local Provider */
 #define CONFDB_LOCAL_DEFAULT_SHELL   "default_shell"

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
@@ -80,6 +80,7 @@ class ProviderSubtypeInUse(SSSDConfigException): pass
     'use_fully_qualified_names' : _('Display users/groups in fully-qualified form'),
     'entry_cache_timeout' : _('Entry cache timeout length (seconds)'),
     'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'),
+    'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'),
 
     # [provider/ipa]
     'ipa_domain' : _('IPA domain'),

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
@@ -415,6 +415,7 @@ def testListOptions(self):
             'use_fully_qualified_names',
             'entry_cache_timeout',
             'lookup_family_order',
+            'account_cache_expiration',
             'id_provider',
             'auth_provider',
             'access_provider',
@@ -725,6 +726,7 @@ def testRemoveProvider(self):
             'store_legacy_passwords',
             'use_fully_qualified_names',
             'entry_cache_timeout',
+            'account_cache_expiration',
             'lookup_family_order',
             'id_provider',
             'auth_provider',

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
@@ -55,6 +55,7 @@ store_legacy_passwords = bool, None, false
 use_fully_qualified_names = bool, None, false
 entry_cache_timeout = int, None, false
 lookup_family_order = str, None, false
+account_cache_expiration = int, None, false
 
 # Special providers
 [provider/permit]

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -460,6 +460,21 @@
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>account_cache_expiration (integer)</term>
+                    <listitem>
+                        <para>
+                            Number of days entries are left in cache after
+                            last successful login before being removed during
+                            a cleanup of the cache. 0 means keep forever.
+                            The value of this parameter must be bigger than
+                            offline_credentials_expiration.
+                        </para>
+                        <para>
+                            Default: 0 (unlimited)
+                        </para>
+                    </listitem>
+                </varlistentry>
 
                 <varlistentry>
                     <term>id_provider (string)</term>

diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
@@ -64,7 +64,8 @@ struct dp_option ipa_def_ldap_opts[] = {
     /* use the same parm name as the krb5 module so we set it only once */
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
-    { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }
+    { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+    { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }
 };
 
 struct sdap_attr_map ipa_attr_map[] = {

diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
 /* the following define is used to keep track of the options in the ldap
  * module, so that if they change and ipa is not updated correspondingly
  * this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 31
+#define IPA_OPTS_BASIC_TEST 32
 
 enum ipa_basic_opt {
     IPA_DOMAIN = 0,

diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
@@ -62,7 +62,8 @@ struct dp_option default_basic_opts[] = {
     /* use the same parm name as the krb5 module so we set it only once */
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
-    { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }
+    { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+    { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }
 };
 
 struct sdap_attr_map generic_attr_map[] = {
@@ -166,6 +167,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
     char *schema;
     const char *pwd_policy;
     int ret;
+    int account_cache_expiration;
+    int offline_credentials_expiration;
 
     opts = talloc_zero(memctx, struct sdap_options);
     if (!opts) return ENOMEM;
@@ -217,6 +220,48 @@ int ldap_get_options(TALLOC_CTX *memctx,
         goto done;
     }
 
+    /* account_cache_expiration must be >= than offline_credentials_expiration */
+    ret = confdb_get_int(cdb, memctx, CONFDB_PAM_CONF_ENTRY,
+                         CONFDB_PAM_CRED_TIMEOUT, 0,
+                         &offline_credentials_expiration);
+    if (ret != EOK) {
+        DEBUG(1, ("Cannot get value of %s from confdb \n",
+                  CONFDB_PAM_CRED_TIMEOUT));
+        goto done;
+    }
+
+    account_cache_expiration = dp_opt_get_int(opts->basic,
+                                              SDAP_ACCOUNT_CACHE_EXPIRATION);
+
+    /* account cache_expiration must not be smaller than
+     * offline_credentials_expiration to prevent deleting entries that
+     * still contain credentials valid for offline login.
+     *
+     * offline_credentials_expiration == 0 is a special case that says
+     * that the cached credentials are valid forever. Therefore, the cached
+     * entries must not be purged from cache.
+     */
+    if (!offline_credentials_expiration && account_cache_expiration) {
+        DEBUG(1, ("Conflicting values for options %s (unlimited) "
+                  "and %s (%d)\n",
+                  opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,
+                  CONFDB_PAM_CRED_TIMEOUT,
+                  offline_credentials_expiration));
+        ret = EINVAL;
+        goto done;
+    }
+    if (offline_credentials_expiration && account_cache_expiration &&
+        offline_credentials_expiration >= account_cache_expiration) {
+        DEBUG(1, ("Value of %s (now %d) must be larger "
+                  "than value of %s (now %d)\n",
+                  opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,
+                  account_cache_expiration,
+                  CONFDB_PAM_CRED_TIMEOUT,
+                  offline_credentials_expiration));
+        ret = EINVAL;
+        goto done;
+    }
+
 
 #ifndef HAVE_LDAP_CONNCB
     bool ldap_referrals;