IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipadb: reload trust information if domain is not known

Browse Source 
Currently the data about trusted domains is read once at startup. If a
new trust is added the KDC must be restarted to know about the new
trust. This patch reloads the trust data if there is a request from an
unknown domain. To make DOS attacks a bit harder the data can be updated
only once in a minute.

Fixes https://fedorahosted.org/freeipa/ticket/3156
This commit is contained in:
Sumit Bose 2012-10-09 10:25:53 +02:00 committed by Martin Kosek
parent 12f4584f57
commit 70d7ec587a
1 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
daemons/ipa-kdb/ipa_kdb_mspac.c
View File

@ -40,6 +40,7 @@ struct ipadb_mspac {
int num_trusts; int num_trusts;
struct ipadb_adtrusts *trusts; struct ipadb_adtrusts *trusts;
time_t last_update;
}; };
@ -1006,6 +1007,31 @@ static struct ipadb_adtrusts *get_domain_from_realm(krb5_context context,
return NULL; return NULL;
} }
static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
krb5_data realm)
{
struct ipadb_context *ipactx;
struct ipadb_adtrusts *domain;
krb5_error_code kerr;
domain = get_domain_from_realm(context, realm);
if (domain == NULL) {
ipactx = ipadb_get_context(context);
if (!ipactx) {
return NULL;
}
kerr = ipadb_reinit_mspac(ipactx);
if (kerr != 0) {
return NULL;
}
domain = get_domain_from_realm(context, realm);
}
return domain;
}
static krb5_error_code filter_logon_info(krb5_context context, static krb5_error_code filter_logon_info(krb5_context context,
TALLOC_CTX *memctx, TALLOC_CTX *memctx,
krb5_data realm, krb5_data realm,
@ -1020,7 +1046,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
struct ipadb_adtrusts *domain; struct ipadb_adtrusts *domain;
char *domsid; char *domsid;
domain = get_domain_from_realm(context, realm); domain = get_domain_from_realm_update(context, realm);
if (!domain) { if (!domain) {
return EINVAL; return EINVAL;
} }
@ -1550,6 +1576,16 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
struct dom_sid gsid; struct dom_sid gsid;
char *resstr; char *resstr;
int ret; int ret;
time_t now;
/* Do not update the mspac struct more than once a minute. This would
* avoid heavy load on the directory server if there are lots of requests
* from domains which we do not trust. */
now = time(NULL);
if (ipactx->mspac != NULL && now > ipactx->mspac->last_update &&
(now - ipactx->mspac->last_update) < 60) {
return 0;
}
/* clean up in case we had old values around */ /* clean up in case we had old values around */
ipadb_mspac_struct_free(&ipactx->mspac); ipadb_mspac_struct_free(&ipactx->mspac);
@ -1560,6 +1596,8 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
goto done; goto done;
} }
ipactx->mspac->last_update = now;
kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE, kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
"(objectclass=ipaNTDomainAttrs)", dom_attrs, "(objectclass=ipaNTDomainAttrs)", dom_attrs,
&result); &result);