ldap: update shadow last change in sysdb as well #6478
Otherwise pam can use the changed information whe id chaching is enabled, so next authentication that fits into the id timeout (5 seconds by default) will still sees the password as expired. Resolves: SSSD#6477
Hi, I was thinking if it would be better to force a refresh in But I guess the intention of the PAM initgroups cache and bye,
Hmm, that is a good idea.
It depends. Unless someone sets entry_cache_timeout to a really low value, which probably does not happen in production, it makes sense to refresh an expired entry. But I don't precisely remember why we needed to implement pam_initgroups_schema. Since you are the author, you can make a better call.
However, the man page change will not fit the release unless it is postponed to next week.
Hi,
I can't remember the details but I guess while implementing it I didn't think much about expired entries and just assumed that cache_req will refresh expired entries. Maybe it would make sense to open a new ticket to make more time to evaluate this and make a note in the new ticket that depending on the outcome this patch here might be reversed since it wouldn't be needed anymore. I'll ACK this patch. bye,
cache_req is first called with bypass_dp = true so backend is not contacted at all. We could add boolean to
This did not fit into the release as it lacks the second ack.
Codewise it looks good. The commit message has a typo
whe id chaching
could you please fix the message?
Thanks
We are in a bit of a hurry with this PR, so let's proceed with the typo in the commit message.