Hi,

Although it might be good practice to check cache_credentials before
calling sysdb_cache_auth_send(), I think it makes sense to add the check here,
too. For example, someone might forget to check before calling
sysdb_cache_auth_send(), and for some reason the configuration is changed
from cache_credentials=true to false. Then we might access some old cached
passwords although it is expected that offline authentication does not
work anymore.

bye,
Sumit
From c9200f7b9009681f209d13b9a8c96f7dcb706fe2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Thu, 21 Jan 2010 10:46:14 +0100
Subject: [PATCH] Check cache_credentials in sysdb_cache_auth_send()

---
 server/db/sysdb_ops.c      |    5 +++++
 server/tests/sysdb-tests.c |    9 +++++++++
 2 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c
index 36b5867..469ed8d 100644
--- a/server/db/sysdb_ops.c
+++ b/server/db/sysdb_ops.c
@@ -4674,6 +4674,11 @@ struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX 
*mem_ctx,
         return NULL;
     }
 
+    if (!domain->cache_credentials) {
+        DEBUG(3, ("Cached credentials not available.\n"));
+        return NULL;
+    }
+
     static const char *attrs[] = {SYSDB_NAME,
                                   SYSDB_CACHEDPWD,
                                   SYSDB_DISABLED,
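Review bot: The added `if (!domain->cache_credentials)` guard reports a policy denial with the same bare `return NULL;` as the error path just above it, so a caller cannot tell "offline authentication is disabled" from any other early failure, and nothing marks the guard as a security gate. I would add a comment above it such as `/* Policy gate: never consult SYSDB_CACHEDPWD when cache_credentials is off, even if the caller forgot to check. */` and document the NULL-on-disabled result in the function's header comment. The check only blocks the lookup; password hashes stored while the option was on presumably remain in the cache until removed elsewhere, which is worth stating in that comment too. `domain` is dereferenced here, and any NULL check for it would be outside the hunk, as is the rest of the function body.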
diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c
index 11fde6f..3cd5e7d 100644
--- a/server/tests/sysdb-tests.c
+++ b/server/tests/sysdb-tests.c
@@ -130,6 +130,15 @@ static int setup_sysdb_tests(struct sysdb_test_ctx **ctx)
         return ret;
     }
 
+    val[0] = "TRUE";
+    ret = confdb_add_param(test_ctx->confdb, true,
+                           "config/domain/LOCAL", "cache_credentials", val);
+    if (ret != EOK) {
+        fail("Could not initialize LOCAL domain");
+        talloc_free(test_ctx);
+        return ret;
+    }
+
     ret = confdb_get_domain(test_ctx->confdb, "local", &test_ctx->domain);
     if (ret != EOK) {
         fail("Could not retrieve LOCAL domain");
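Review bot: The deny path added to sysdb_cache_auth_send() has no test. This setup only writes `cache_credentials` as "TRUE" for LOCAL, presumably so the existing cache-auth tests keep passing, and nothing visible here checks that the call returns NULL when the option is false or unset. A second fixture or test case with the value set to "FALSE" would pin the behaviour the commit is meant to guarantee. The failure message also appears to be reused from an earlier setup step; `fail("Could not set cache_credentials for LOCAL domain");` would make a setup failure easier to locate. setup_sysdb_tests() starts and ends outside the hunk, so the earlier state of `val` is not visible.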
-- 
1.6.6
