Ticket #655 (closed enhancement: fixed)

Opened 3 years ago

Last modified 2 years ago

Add a 'going online' callback to identity providers

Reported by: sgallagh
Owned by: sbose
Priority: major
Milestone: SSSD 1.5.0
Component: Data Provider
Version: 1.4.0
Keywords:
Cc:
Blocked By:
Blocking:
Tests Updated: no
Coverity Bug:
Patch Submitted:
Red Hat Bugzilla: 0
Design link:
Feature Milestone:
Design review:
Fedora test page:
Chosen:
Candidate to push out:
Release Notes:

Description

Currently, the SSSD resets the offline flag for a backend whenever the routing table changes. This means that the next action that comes in that would require an online lookup will go to the network. At this time, any pending callbacks that are awaiting processing (e.g. the deferred offline kerberos authentication) will fire.

However, the problem is that the order of operations ends up behaving like this in a common scenario:

  1. Turn on laptop (off the network)
  2. Sign into your kerberos account with offline credentials
  3. Connect to the VPN
  4. Wait a while until some event happens that ends up connecting to the network for a lookup
  5. Kerberos credentials are updated

We should add a method to the data provider interface (goingOnline) that will be triggered whenever the offline flag is reset due to a routing table change. The callback for this method should be provider-specific, but essentially perform a no-op network function to immediately test whether we actually are back online. For example, when this method is invoked for the LDAP provider, it should perform a rootDSE lookup.
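
The following is an added illustration of the behaviour the description is about; it is not SSSD code and is not attached to the ticket. It models a backend with an offline flag, a queue of deferred callbacks (standing in for the deferred offline Kerberos authentication), and a provider-specific probe supplied as a callable (the rootDSE lookup for LDAP in the description; here a simulated network flag). `laptop_scenario` plays the five steps above with and without the proposed goingOnline hook, and the `vpn_actually_up=False` case shows the caveat that a route change does not prove connectivity: a failed probe must put the backend back offline rather than leave the deferred work hanging. All names (`Backend`, `laptop_scenario`, `routing_table_changed`) are this example's own.

```python
# Added illustration of the offline-flag behaviour described in the ticket; not SSSD code.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Backend:
    """One data-provider backend: an offline flag, deferred work, and a network probe."""
    name: str
    probe: Callable[[], bool]        # provider-specific no-op network call,
                                     # e.g. a rootDSE read for LDAP (assumed shape)
    offline: bool = False
    deferred: List[Callable[[], None]] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def defer(self, cb: Callable[[], None]) -> None:
        """Queue work that needs the network, e.g. fetching a TGT after an offline auth."""
        self.deferred.append(cb)

    def _flush_deferred(self) -> None:
        pending, self.deferred = self.deferred, []
        for cb in pending:
            cb()

    def lookup(self, request: str) -> bool:
        """A request that goes to the network unless the backend is marked offline."""
        if self.offline:
            self.log.append(f"{request}: answered from cache (offline)")
            return False
        if self.probe():
            self.log.append(f"{request}: online lookup")
            self._flush_deferred()       # pending callbacks fire on the first online request
            return True
        self.offline = True              # the network call failed: go back offline
        self.log.append(f"{request}: network unreachable, marking offline")
        return False

    def routing_table_changed(self, going_online_hook: bool) -> None:
        """Current behaviour: reset the flag. With the hook: also probe immediately."""
        self.offline = False
        if going_online_hook:
            self.going_online()

    def going_online(self) -> None:
        """The goingOnline callback proposed in the ticket (this example's version)."""
        if self.probe():
            self.log.append("goingOnline: probe ok, firing deferred callbacks")
            self._flush_deferred()
        else:
            # A route change does not prove connectivity: stay offline so the
            # deferred work waits for the next successful probe.
            self.offline = True
            self.log.append("goingOnline: probe failed, staying offline")


def laptop_scenario(going_online_hook: bool, vpn_actually_up: bool = True) -> Dict[str, object]:
    """Steps 1-5 from the description against a simulated network (constructed input)."""
    network = {"up": False}
    be = Backend("ldap", probe=lambda: network["up"])
    events: List[str] = []

    be.lookup("boot-time getpwnam")                    # 1) off the network: backend goes offline
    be.defer(lambda: events.append("tgt refreshed"))   # 2) offline krb5 auth queues a TGT refresh
    network["up"] = vpn_actually_up                    # 3) VPN comes up (or the route just flaps)
    be.routing_table_changed(going_online_hook)
    refreshed_on_route_change = "tgt refreshed" in events
    be.lookup("later getgrnam")                        # 4) some later request touches the network
    return {
        "refreshed_on_route_change": refreshed_on_route_change,
        "refreshed_after_next_lookup": "tgt refreshed" in events,
        "offline_at_end": be.offline,
        "log": be.log,
    }


if __name__ == "__main__":
    for hook in (False, True):
        print(f"--- goingOnline hook: {hook}")
        for line in laptop_scenario(hook)["log"]:
            print(line)
```

Without the hook the TGT refresh only happens at step 4, when some unrelated request goes online; with the hook it happens at step 3, as the ticket asks. The failed-probe case leaves the backend offline and the refresh still queued.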

Change History

comment:1 Changed 3 years ago by dpal

  • Priority changed from major to minor
  • Milestone changed from NEEDS_TRIAGE to SSSD 1.5.0

comment:2 Changed 3 years ago by dpal

  • Owner changed from somebody to sbose

comment:3 Changed 3 years ago by sgallagh

  • Priority changed from minor to major

comment:4 Changed 3 years ago by sbose

  • Status changed from new to assigned

comment:5 Changed 3 years ago by sgallagh

  • Status changed from assigned to closed
  • Resolution set to fixed

comment:6 Changed 3 years ago by sgallagh

Note to QA:

A good way to automate this test would be to take the following steps:

  1. Set krb5_store_password_if_offline = true
  2. Restart SSSD and perform an online krb5 auth
  3. Shut down sssd
  4. Manually alter /etc/resolv.conf so that the DNS server points to somewhere invalid (e.g. 127.0.0.2)
  5. Start up sssd
  6. Perform a kerberos authentication (this will be offline using cached credentials)
  7. Change /etc/resolv.conf back to a valid DNS server.
  8. Within five seconds, the user should receive a valid TGT in their credential cache.

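A driver for the eight QA steps above, added here as an example; it is not part of the ticket and not SSSD's own tooling. It assumes things the note does not state: sssd.conf already carries `krb5_store_password_if_offline = true`, SSSD runs under systemd, the KDC is discovered through DNS (so a bogus resolver really takes the backend offline; with `krb5_server` set explicitly it would not), PAM authentication is driven with `pamtester` (assumed to accept the password on stdin; wrap it in `expect` otherwise), the user's credential cache is the one `klist` finds when run as that user, and `klist` prints timestamps as `%m/%d/%Y %H:%M:%S` (adjust `KLIST_TIME_FMT` for older or localized builds). One step is added beyond the note: the step-2 TGT is destroyed before the offline authentication so that the step-8 check cannot be satisfied by stale credentials. `SAMPLE_KLIST` is constructed output used only for the offline self-check of the parsing helpers.

```python
#!/usr/bin/env python3
"""Driver for the QA steps in comment:6 (added example, not from the ticket or SSSD).

Assumed, not stated on the page: krb5_store_password_if_offline = true is already
set, SSSD is managed by systemd, the KDC is found via DNS, pamtester drives PAM
and reads the password from stdin, and klist uses %m/%d/%Y %H:%M:%S timestamps.
"""
import datetime
import getpass
import re
import subprocess
import sys
import time

RESOLV_CONF = "/etc/resolv.conf"
BOGUS_DNS = "127.0.0.2"          # step 4: a resolver that answers nothing
TGT_DEADLINE_SECONDS = 5         # step 8
KLIST_TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample of MIT klist output, used for the offline self-check only.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
06/01/2023 10:00:00  06/01/2023 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/08/2023 10:00:00
"""


def with_nameserver(resolv_text: str, server: str) -> str:
    """Return resolv.conf content with every nameserver line replaced by `server`."""
    kept = [l for l in resolv_text.splitlines() if not l.startswith("nameserver")]
    return "\n".join(kept + [f"nameserver {server}"]) + "\n"


def parse_tgt_expiry(klist_text: str, fmt: str = KLIST_TIME_FMT):
    """Expiry of the krbtgt entry in klist output, or None if there is none."""
    for line in klist_text.splitlines():
        m = re.match(r"\s*(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", line)
        if m:
            return datetime.datetime.strptime(m.group(2), fmt)
    return None


def has_valid_tgt(klist_text: str, now: str = None, fmt: str = KLIST_TIME_FMT) -> bool:
    """True if the output shows a TGT whose expiry lies after `now` (a string in `fmt`)."""
    expiry = parse_tgt_expiry(klist_text, fmt)
    if expiry is None:
        return False
    now_dt = datetime.datetime.strptime(now, fmt) if now else datetime.datetime.now()
    return expiry > now_dt


def sh(*cmd: str, check: bool = True) -> str:
    return subprocess.run(cmd, check=check, text=True, capture_output=True).stdout


def write_file(path: str, text: str) -> None:
    with open(path, "w") as f:
        f.write(text)


def pam_auth(user: str, password: str, service: str) -> None:
    # Assumption: pamtester takes the password on stdin; otherwise drive it with expect.
    subprocess.run(["pamtester", service, user, "authenticate"],
                   input=password + "\n", text=True, check=True)


def klist_for(user: str) -> str:
    # klist exits non-zero when there is no cache; that is a legitimate "not yet" here.
    return sh("su", "-", user, "-c", "klist", check=False)


def run(user: str, password: str, service: str = "login") -> bool:
    with open(RESOLV_CONF) as f:
        original = f.read()
    try:
        sh("systemctl", "restart", "sssd")                        # step 2: online auth
        pam_auth(user, password, service)
        sh("systemctl", "stop", "sssd")                           # step 3
        write_file(RESOLV_CONF, with_nameserver(original, BOGUS_DNS))  # step 4
        sh("systemctl", "start", "sssd")                          # step 5
        sh("su", "-", user, "-c", "kdestroy", check=False)        # added: drop the step-2 TGT
        pam_auth(user, password, service)                         # step 6: offline, cached creds
        write_file(RESOLV_CONF, original)                         # step 7
        deadline = time.monotonic() + TGT_DEADLINE_SECONDS
        while time.monotonic() < deadline:                        # step 8
            if has_valid_tgt(klist_for(user)):
                return True
            time.sleep(0.5)
        return False
    finally:
        write_file(RESOLV_CONF, original)


if __name__ == "__main__":
    ok = run(sys.argv[1], getpass.getpass("password: "))
    print("PASS" if ok else f"FAIL: no valid TGT within {TGT_DEADLINE_SECONDS} s")
```

Run it as root with the test user's name as the only argument; the password is prompted for rather than passed on the command line. The polling loop is what turns "within five seconds" into a pass/fail result, and the `finally` puts resolv.conf back even if an intermediate step throws.
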
comment:7 Changed 2 years ago by dpal

  • Red Hat Bugzilla set to 0