Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ldap: update shadow last change in sysdb as well #6478

Closed
wants to merge 1 commit into from
Closed

ldap: update shadow last change in sysdb as well #6478

wants to merge 1 commit into from

Conversation

pbrezina
Copy link
Member

@pbrezina pbrezina commented Dec 8, 2022

Otherwise pam can use the changed information whe id chaching is
enabled, so next authentication that fits into the id timeout
(5 seconds by default) will still sees the password as expired.

Resolves: #6477

@pbrezina
ldap: update shadow last change in sysdb as well
45e9ad4 
Otherwise pam can use the changed information whe id chaching is
enabled, so next authentication that fits into the id timeout
(5 seconds by default) will still sees the password as expired.

Resolves: SSSD#6477
@pbrezina pbrezina added Waiting for review backport-to-stable Targets also latest stable branch labels Dec 8, 2022
@sumit-bose
Copy link
Contributor

Hi,

I was thinking if it would be better to force a refresh in pam_check_user_search_next() if the entry is expired. Especially since the sssd.conf man page currently says for pam_initgroups_scheme never "Never force an online lookup, use the data from the cache as long as they are not expired".

But I guess the intention of the PAM initgroups cache and pam_initgroups_scheme is to really use cached data and skip the online lookup even if the entry is expired (the man page entry should be fixed in this case). What do you think?

bye,
Sumit

@pbrezina
Copy link
Member Author

pbrezina commented Dec 8, 2022

Hi,

I was thinking if it would be better to force a refresh in pam_check_user_search_next() if the entry is expired. Especially since the sssd.conf man page currently says for pam_initgroups_scheme never "Never force an online lookup, use the data from the cache as long as they are not expired".

Hmm, that is a good idea.

But I guess the intention of the PAM initgroups cache and pam_initgroups_scheme is to really use cached data and skip the online lookup even if the entry is expired (the man page entry should be fixed in this case). What do you think?

It depends. Unless someone sets entry_cache_timeout to really low value, which probably does not happen in production, it makes sense to refresh an expired entry. But I don't precisely remember why we needed to implement pam_initgroups_schema. Since you are the author, you can make a better call.

bye, Sumit

@pbrezina
Copy link
Member Author

pbrezina commented Dec 8, 2022

However, man page change will not fit the release unless it is postponed to next week.

@sumit-bose
Copy link
Contributor

Hi,
I was thinking if it would be better to force a refresh in pam_check_user_search_next() if the entry is expired. Especially since the sssd.conf man page currently says for pam_initgroups_scheme never "Never force an online lookup, use the data from the cache as long as they are not expired".

Hmm, that is a good idea.

But I guess the intention of the PAM initgroups cache and pam_initgroups_scheme is to really use cached data and skip the online lookup even if the entry is expired (the man page entry should be fixed in this case). What do you think?

It depends. Unless someone sets entry_cache_timeout to really low value, which probably does not happen in production, it makes sense to refresh an expired entry. But I don't precisely remember why we needed to implement pam_initgroups_schema. Since you are the author, you can make a better call.

Hi,

pam_initgroups_schema was implemented to switch the default to the no_session behavior so that e.g. sudo does not require a refresh but can work from cache. My concern was that users might miss the old/original always so the option was added. While implementing it I added never as a third option. So the original behavior was a mix, the initgroups cache didn't care about expired entries and if the entry was not in the cache if was refreshed unconditionally.

I can't remember the details but I guess while implementing it I didn't thought much about expired entry and just assumed that cache_req will refresh expired entries.

Maybe it would make sense to open a new ticket to make more time to evaluate this and make a note in the new ticket that depending on the outcome this patch here might be reversed since it wouldn't be needed anymore. I 'll ACK this patch.

bye,
Sumit

bye, Sumit

@pbrezina
Copy link
Member Author

pbrezina commented Dec 8, 2022

cache_req is first called with bypass_dp = true so backend is not contacted at all. We could add boolean to struct cache_req_result to indicate if the object returned from cache_req was expired or not. Although adding new things to cache_reqs is no longer fun :-)

@pbrezina
Copy link
Member Author

pbrezina commented Dec 9, 2022

This did not fit into the release as it lacks the second ack.

thalman
thalman requested changes Dec 16, 2022
View reviewed changes
Copy link
Contributor

@thalman thalman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codewise it looks good. The commit message has a typo

whe id chaching

could you please fix the message?

Thanks

thalman
thalman approved these changes Dec 16, 2022
View reviewed changes
Copy link
Contributor

@thalman thalman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are a bit on hurry with this PR, so let's proceed with typo in commit message.

@alexey-tikhonov alexey-tikhonov added the Ready to push Ready to push label Dec 16, 2022
@alexey-tikhonov
Copy link
Member

Pushed PR: #6478

  • master
    • 7e8b97c - ldap: update shadow last change in sysdb as well
  • sssd-2-8
    • d7da296 - ldap: update shadow last change in sysdb as well

@alexey-tikhonov alexey-tikhonov mentioned this pull request Dec 16, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thalman thalman thalman approved these changes

@sumit-bose sumit-bose sumit-bose approved these changes

Assignees

@thalman thalman

@sumit-bose sumit-bose

Labels
backport-to-stable Targets also latest stable branch Bugzilla Pushed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

changing password with ldap_password_policy = shadow does not take effect immediately
4 participants
@pbrezina @sumit-bose @alexey-tikhonov @thalman