Hi, although it might be good practice to check cache_credentials before calling sysdb_cache_auth_send(), I think it makes sense to add it here, too. E.g. if someone forgets to check before calling sysdb_cache_auth_send() and for some reason the configuration is changed from cache_credentials=true to false, then we might access some old cached passwords although it is expected that offline authentication does not work anymore.
bye, Sumit
From c9200f7b9009681f209d13b9a8c96f7dcb706fe2 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Thu, 21 Jan 2010 10:46:14 +0100 Subject: [PATCH] Check cache_credentials in sysdb_cache_auth_send() --- server/db/sysdb_ops.c | 5 +++++ server/tests/sysdb-tests.c | 9 +++++++++ 2 files changed, 14 insertions(+), 0 deletions(-) diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index 36b5867..469ed8d 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c @@ -4674,6 +4674,11 @@ struct tevent_req *sysdb_cache_auth_send(TALLOC_CTX *mem_ctx, return NULL; } + if (!domain->cache_credentials) { + DEBUG(3, ("Cached credentials not available.\n")); + return NULL; + } + static const char *attrs[] = {SYSDB_NAME, SYSDB_CACHEDPWD, SYSDB_DISABLED, diff --git a/server/tests/sysdb-tests.c b/server/tests/sysdb-tests.c index 11fde6f..3cd5e7d 100644 --- a/server/tests/sysdb-tests.c +++ b/server/tests/sysdb-tests.c @@ -130,6 +130,15 @@ static int setup_sysdb_tests(struct sysdb_test_ctx **ctx) return ret; } + val[0] = "TRUE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "cache_credentials", val); + if (ret != EOK) { + fail("Could not initialize LOCAL domain"); + talloc_free(test_ctx); + return ret; + } + ret = confdb_get_domain(test_ctx->confdb, "local", &test_ctx->domain); if (ret != EOK) { fail("Could not retrieve LOCAL domain"); -- 1.6.6
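Review bot: In the server/db/sysdb_ops.c hunk, the new `return NULL;` under `if (!domain->cache_credentials)` is the same result as the failure return in the context lines just above it, so a caller cannot tell "credential caching is disabled by configuration" apart from that earlier failure. Consider reporting a distinct error for the disabled case so the caller can log and handle a policy denial explicitly, and document in the function comment that sysdb_cache_auth_send() now enforces cache_credentials itself. A smaller style point: the check is placed ahead of the `static const char *attrs[]` declaration, which leaves a declaration after a statement; moving the check below the declarations avoids that.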
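Review bot: In the server/tests/sysdb-tests.c hunk, setup_sysdb_tests() only ever sets cache_credentials to "TRUE", so the new rejection branch in sysdb_cache_auth_send() is never exercised by the test suite. Please add a test case that runs with cache_credentials set to false and asserts that cached authentication is refused, since that is the behaviour this patch exists to guarantee. The failure text `fail("Could not initialize LOCAL domain");` would also be easier to diagnose if it named the cache_credentials parameter that could not be added.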
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel