4
LDAP Identity Cleanup Functions
7
Simo Sorce <ssorce@redhat.com>
9
Copyright (C) 2009 Red Hat
11
This program is free software; you can redistribute it and/or modify
12
it under the terms of the GNU General Public License as published by
13
the Free Software Foundation; either version 3 of the License, or
14
(at your option) any later version.
16
This program is distributed in the hope that it will be useful,
17
but WITHOUT ANY WARRANTY; without even the implied warranty of
18
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19
GNU General Public License for more details.
21
You should have received a copy of the GNU General Public License
22
along with this program. If not, see <http://www.gnu.org/licenses/>.
29
#include "util/util.h"
30
#include "util/find_uid.h"
32
#include "providers/ldap/ldap_common.h"
33
#include "providers/ldap/sdap_async.h"
35
/* ==Cleanup-Task========================================================= */
37
struct tevent_req *ldap_id_cleanup_send(TALLOC_CTX *memctx,
38
struct tevent_context *ev,
39
struct sdap_id_ctx *ctx);
40
static void ldap_id_cleanup_reschedule(struct tevent_req *req);
42
static void ldap_id_cleanup_timeout(struct tevent_context *ev,
43
struct tevent_timer *te,
44
struct timeval tv, void *pvt);
46
static void ldap_id_cleanup_timer(struct tevent_context *ev,
47
struct tevent_timer *tt,
48
struct timeval tv, void *pvt)
50
struct sdap_id_ctx *ctx = talloc_get_type(pvt, struct sdap_id_ctx);
51
struct tevent_timer *timeout;
52
struct tevent_req *req;
56
if (be_is_offline(ctx->be)) {
57
DEBUG(4, ("Backend is marked offline, retry later!\n"));
58
/* schedule starting from now, not the last run */
59
delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
60
tv = tevent_timeval_current_ofs(delay, 0);
61
ldap_id_cleanup_set_timer(ctx, tv);
65
req = ldap_id_cleanup_send(ctx, ev, ctx);
67
DEBUG(1, ("Failed to schedule cleanup, retrying later!\n"));
68
/* schedule starting from now, not the last run */
69
delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
70
tv = tevent_timeval_current_ofs(delay, 0);
71
ret = ldap_id_cleanup_set_timer(ctx, tv);
73
DEBUG(1, ("Error setting up cleanup timer\n"));
77
tevent_req_set_callback(req, ldap_id_cleanup_reschedule, ctx);
79
/* if cleanup takes so long, either we try to cleanup too
80
* frequently, or something went seriously wrong */
81
delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
82
tv = tevent_timeval_current_ofs(delay, 0);
83
timeout = tevent_add_timer(ctx->be->ev, req, tv,
84
ldap_id_cleanup_timeout, req);
85
if (timeout == NULL) {
86
/* If we can't guarantee a timeout, we
87
* need to cancel the request, to avoid
88
* the possibility of starting another
93
DEBUG(1, ("Failed to schedule cleanup, retrying later!\n"));
94
/* schedule starting from now, not the last run */
95
delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
96
tv = tevent_timeval_current_ofs(delay, 0);
97
ret = ldap_id_cleanup_set_timer(ctx, tv);
99
DEBUG(1, ("Error setting up cleanup timer\n"));
106
static void ldap_id_cleanup_timeout(struct tevent_context *ev,
107
struct tevent_timer *te,
108
struct timeval tv, void *pvt)
110
struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
111
struct sdap_id_ctx *ctx = tevent_req_callback_data(req,
115
delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
116
DEBUG(1, ("Cleanup timed out! Timeout too small? (%ds)!\n", delay));
118
tv = tevent_timeval_current_ofs(delay, 0);
119
ldap_id_cleanup_set_timer(ctx, tv);
124
static void ldap_id_cleanup_reschedule(struct tevent_req *req)
126
struct sdap_id_ctx *ctx = tevent_req_callback_data(req,
128
enum tevent_req_state tstate;
133
if (tevent_req_is_error(req, &tstate, &err)) {
134
/* On error schedule starting from now, not the last run */
135
tv = tevent_timeval_current();
137
tv = ctx->last_purge;
141
delay = dp_opt_get_int(ctx->opts->basic, SDAP_CACHE_PURGE_TIMEOUT);
142
tv = tevent_timeval_add(&tv, delay, 0);
143
ldap_id_cleanup_set_timer(ctx, tv);
148
int ldap_id_cleanup_set_timer(struct sdap_id_ctx *ctx, struct timeval tv)
150
struct tevent_timer *cleanup_task;
152
DEBUG(6, ("Scheduling next cleanup at %ld.%ld\n",
153
(long)tv.tv_sec, (long)tv.tv_usec));
155
cleanup_task = tevent_add_timer(ctx->be->ev, ctx,
156
tv, ldap_id_cleanup_timer, ctx);
158
DEBUG(0, ("FATAL: failed to setup cleanup task!\n"));
167
struct global_cleanup_state {
168
struct tevent_context *ev;
169
struct sdap_id_ctx *ctx;
172
static int cleanup_users(TALLOC_CTX *memctx, struct sdap_id_ctx *ctx);
173
static int cleanup_groups(TALLOC_CTX *memctx,
174
struct sysdb_ctx *sysdb,
175
struct sss_domain_info *domain);
177
struct tevent_req *ldap_id_cleanup_send(TALLOC_CTX *memctx,
178
struct tevent_context *ev,
179
struct sdap_id_ctx *ctx)
181
struct global_cleanup_state *state;
182
struct tevent_req *req;
185
req = tevent_req_create(memctx, &state, struct global_cleanup_state);
186
if (!req) return NULL;
191
ctx->last_purge = tevent_timeval_current();
193
ret = cleanup_users(state, state->ctx);
194
if (ret && ret != ENOENT) {
198
ret = cleanup_groups(state,
199
state->ctx->be->sysdb,
200
state->ctx->be->domain);
205
tevent_req_done(req);
206
tevent_req_post(req, ev);
210
DEBUG(1, ("Failed to cleanup caches (%d [%s]), retrying later!\n",
211
(int)ret, strerror(ret)));
212
tevent_req_done(req);
213
tevent_req_post(req, ev);
218
/* ==User-Cleanup-Process================================================= */
220
static int cleanup_users_logged_in(hash_table_t *table,
221
const struct ldb_message *msg);
223
static int cleanup_users(TALLOC_CTX *memctx, struct sdap_id_ctx *ctx)
226
struct sysdb_ctx *sysdb = ctx->be->sysdb;
227
struct sss_domain_info *domain = ctx->be->domain;
228
const char *attrs[] = { SYSDB_NAME, SYSDB_UIDNUM, NULL };
229
time_t now = time(NULL);
230
char *subfilter = NULL;
231
int account_cache_expiration;
232
hash_table_t *uid_table;
233
struct ldb_message **msgs;
239
tmpctx = talloc_new(memctx);
244
account_cache_expiration = dp_opt_get_int(ctx->opts->basic,
245
SDAP_ACCOUNT_CACHE_EXPIRATION);
246
DEBUG(9, ("Cache expiration is set to %d days\n",
247
account_cache_expiration));
249
if (account_cache_expiration > 0) {
250
subfilter = talloc_asprintf(tmpctx,
251
"(&(!(%s=0))(%s<=%ld)(|(!(%s=*))(%s<=%ld)))",
257
(long) (now - (account_cache_expiration * 86400)));
259
subfilter = talloc_asprintf(tmpctx,
260
"(&(!(%s=0))(%s<=%ld)(!(%s=*)))",
267
DEBUG(2, ("Failed to build filter\n"));
272
ret = sysdb_search_users(tmpctx, sysdb,
273
domain, subfilter, attrs, &count, &msgs);
281
DEBUG(4, ("Found %d expired user entries!\n", count));
288
ret = get_uid_table(tmpctx, &uid_table);
289
/* get_uid_table returns ENOSYS on non-Linux platforms. We proceed with
290
* the cleanup in that case
292
if (ret != EOK && ret != ENOSYS) {
296
for (i = 0; i < count; i++) {
297
name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
299
DEBUG(2, ("Entry %s has no Name Attribute ?!?\n",
300
ldb_dn_get_linearized(msgs[i]->dn)));
306
ret = cleanup_users_logged_in(uid_table, msgs[i]);
308
/* If the user is logged in, proceed to the next one */
309
DEBUG(5, ("User %s is still logged in or a dummy entry, "
310
"keeping data\n", name));
312
} else if (ret != ENOENT) {
317
/* If not logged in or cannot check the table, delete him */
318
DEBUG(9, ("About to delete user %s\n", name));
319
ret = sysdb_delete_user(tmpctx, sysdb, domain, name, 0);
326
talloc_zfree(tmpctx);
330
static int cleanup_users_logged_in(hash_table_t *table,
331
const struct ldb_message *msg)
338
uid = ldb_msg_find_attr_as_uint64(msg,
341
DEBUG(2, ("Entry %s has no UID Attribute, fake user perhaps?\n",
342
ldb_dn_get_linearized(msg->dn)));
346
key.type = HASH_KEY_ULONG;
347
key.ul = (unsigned long) uid;
349
ret = hash_lookup(table, &key, &value);
350
if (ret == HASH_SUCCESS) {
352
} else if (ret == HASH_ERROR_KEY_NOT_FOUND) {
359
/* ==Group-Cleanup-Process================================================ */
361
static int cleanup_groups(TALLOC_CTX *memctx,
362
struct sysdb_ctx *sysdb,
363
struct sss_domain_info *domain)
366
const char *attrs[] = { SYSDB_NAME, SYSDB_GIDNUM, NULL };
367
time_t now = time(NULL);
371
struct ldb_message **msgs;
373
struct ldb_message **u_msgs;
378
tmpctx = talloc_new(memctx);
383
subfilter = talloc_asprintf(tmpctx, "(&(!(%s=0))(%s<=%ld))",
385
SYSDB_CACHE_EXPIRE, (long)now);
387
DEBUG(2, ("Failed to build filter\n"));
392
ret = sysdb_search_groups(tmpctx, sysdb,
393
domain, subfilter, attrs, &count, &msgs);
401
DEBUG(4, ("Found %d expired group entries!\n", count));
408
for (i = 0; i < count; i++) {
409
dn = ldb_dn_get_linearized(msgs[i]->dn);
415
gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
417
DEBUG(2, ("Entry has no GID\n"));
422
/* Search for users that are members of this group, or
423
* that have this group as their primary GID
425
subfilter = talloc_asprintf(tmpctx, "(|(%s=%s)(%s=%lu))",
427
SYSDB_GIDNUM, (long unsigned) gid);
429
DEBUG(2, ("Failed to build filter\n"));
434
ret = sysdb_search_users(tmpctx, sysdb,
435
domain, subfilter, NULL, &u_count, &u_msgs);
439
name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
441
DEBUG(2, ("Entry %s has no Name Attribute ?!?\n",
442
ldb_dn_get_linearized(msgs[i]->dn)));
447
DEBUG(8, ("About to delete group %s\n", name));
448
ret = sysdb_delete_group(tmpctx, sysdb, domain, name, 0);
450
DEBUG(2, ("Group delete returned %d (%s)\n",
451
ret, strerror(ret)));
458
talloc_zfree(u_msgs);
462
talloc_zfree(tmpctx);