On Mon, May 11, 2015 at 11:15:29AM +0200, Lukas Slebodnik wrote:
> Please document in man pages that it is not possible to turn off clean-up task
> with enabled enumeration and that default value is 10800 in that case.

OK, see the attached patch.
>From 049fe229e1e6ae1550cf26fe1ccd289340f10118 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Tue, 28 Apr 2015 13:16:51 +0200
Subject: [PATCH] LDAP: disable the cleanup task by default

Resolves:
    https://fedorahosted.org/sssd/ticket/2627

The cleanup task was designed to keep the cache size within certain
limits. This is how it roughly works now:
    - find users who have never logged in by default. If
      account_cache_expiration is set, find users who loggged in later
      than account_cache_expiration
    - delete the matching set of users
    - find groups that have no members
    - delete the matching set of groups

So unless account_cache_expiration is set to something sensible, only empty
groups and expired users who never logged in are removed, and that is quite
a corner case. The above effectively walks the whole database, and the
groups step in particular is quite slow with a huge database. The whole cleanup task
also runs in a single sysdb transaction, which means all other transactions
are blocked while the cleanup task crunches the database.
---
 src/man/sssd-ldap.5.xml           |  9 +++++++--
 src/providers/ad/ad_opts.h        |  2 +-
 src/providers/ipa/ipa_opts.h      |  2 +-
 src/providers/ldap/ldap_id_enum.c | 19 +++++++++++++++++++
 src/providers/ldap/ldap_opts.h    |  2 +-
 5 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 
83ec9b668fc129859646c01a0b690cabece0df32..9756a554701462a094c538bd00cf74b1b622c280
 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -719,10 +719,15 @@
                         </para>
                         <para>
                             Setting this option to zero will disable the
-                            cache cleanup operation.
+                            cache cleanup operation. Please note that if
+                            enumeration is enabled, the cleanup task is
+                            required in order to detect entries removed from
+                            the server and can't be disabled. By default,
+                            the cleanup task will run every 3 hours with
+                            enumeration enabled.
                         </para>
                         <para>
-                            Default: 10800 (3 hours)
+                            Default: 0 (disabled)
                         </para>
                     </listitem>
                 </varlistentry>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 
0b7255a828e95785d31437968a37bc20fbf62aef..15b140434fec815aeee989e24cc1b7930f040add
 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -86,7 +86,7 @@ struct dp_option ad_def_ldap_opts[] = {
     { "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
     { "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, 
NULL_NUMBER },
-    { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 10800 }, 
NULL_NUMBER },
+    { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER 
},
     { "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 
f2f164bc3cc6b6e13c30dbc6f5b37a03b4c5e289..8a0764265521e86ca86249e4b62f0f967bc44189
 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -98,7 +98,7 @@ struct dp_option ipa_def_ldap_opts[] = {
     { "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
     { "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, 
NULL_NUMBER },
-    { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 3600 }, 
NULL_NUMBER },
+    { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER 
},
     { "ldap_tls_cacert", DP_OPT_STRING, { "/etc/ipa/ca.crt" }, NULL_STRING },
     { "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
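Review bot: The IPA default for `ldap_purge_cache_timeout` drops from 3600 to 0 here, but the only manual page touched by this patch is sssd-ldap.5.xml; if sssd-ipa.5.xml (not in the patch) states its own default for this option, it is now stale and needs the same "Default: 0 (disabled)" edit plus the note that enumeration forces the task back on. The matching entries in ad_opts.h and ldap_opts.h change the same way and are described by the sssd-ldap page, so only the IPA-specific documentation is in question.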
diff --git a/src/providers/ldap/ldap_id_enum.c 
b/src/providers/ldap/ldap_id_enum.c
index 
1aec91a99a322911fcc5d2a3e8a89cd98bbc7a96..89c305c0d73fdbe07fc222773c9fff34c4dbc3a1
 100644
--- a/src/providers/ldap/ldap_id_enum.c
+++ b/src/providers/ldap/ldap_id_enum.c
@@ -27,6 +27,8 @@
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap_async_enum.h"
 
+#define LDAP_ENUM_PURGE_TIMEOUT 10800
+
 errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
                                struct sdap_options *opts,
                                struct sdap_domain *sdom,
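Review bot: `LDAP_ENUM_PURGE_TIMEOUT` is introduced as a bare number with no unit or rationale, while the man-page hunk in this patch describes the same value as "every 3 hours"; a one-line comment on the define keeps the two in sync, e.g. `/* Seconds (3 hours); cleanup period forced on when enumeration is enabled and ldap_purge_cache_timeout is 0 */`. The ldap_setup_enumeration declaration that starts at the end of this hunk continues outside it.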
@@ -37,6 +39,7 @@ errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
     errno_t ret;
     time_t first_delay;
     time_t period;
+    time_t cleanup;
     bool has_enumerated;
     struct ldap_enum_ctx *ectx;
 
@@ -65,6 +68,22 @@ errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
         first_delay = 0;
     }
 
+    cleanup = dp_opt_get_int(opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
+    if (cleanup == 0) {
+        /* We need to cleanup the cache once in a while when enumerating, 
otherwise
+         * enumeration would only download deltas since the previous lastUSN 
and would
+         * not detect removed entries
+         */
+        ret = dp_opt_set_int(opts->basic, SDAP_CACHE_PURGE_TIMEOUT,
+                             LDAP_ENUM_PURGE_TIMEOUT);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Cannot set cleanup timeout, enumeration wouldn't "
+                  "detect removed entries!\n");
+            return ret;
+        }
+    }
+
     period = dp_opt_get_int(opts->basic, SDAP_ENUM_REFRESH_TIMEOUT);
 
     ectx = talloc(sdom, struct ldap_enum_ctx);
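Review bot: The `dp_opt_set_int(opts->basic, SDAP_CACHE_PURGE_TIMEOUT, ...)` call silently rewrites an admin-visible setting, so an operator who deliberately configured `ldap_purge_cache_timeout = 0` will see the cleanup task running with nothing in the log explaining why; a line such as `DEBUG(SSSDBG_CONF_SETTINGS, "Enumeration enabled, forcing cleanup timeout to %d seconds\n", LDAP_ENUM_PURGE_TIMEOUT);` before the set call would make the override visible when debugging. The override can only work if whatever schedules the cleanup task reads SDAP_CACHE_PURGE_TIMEOUT after ldap_setup_enumeration has run, which this hunk cannot show; a short comment at `if (cleanup == 0)` naming that ordering assumption would protect it from a later reordering of the setup calls. Only an exact zero is rewritten, so a negative value, if the option parser lets one through, reaches the cleanup task unchanged. ldap_setup_enumeration continues outside the hunk.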
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 
7c9ed3e01f726f2ba6ecb2a7268867abd3baa37d..f449ec7c309a5f664941cdefbb3c45a2fab10c99
 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -63,7 +63,7 @@ struct dp_option default_basic_opts[] = {
     { "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
     { "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, 
NULL_NUMBER },
-    { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 10800 }, 
NULL_NUMBER },
+    { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER 
},
     { "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-- 
2.1.0
