Generate a unique cache for each connection

Rather than having a shared ccache per user, configure mod_auth_gssapi to create a unique one. This requires cleanup to remove expired caches. A new script is added, ipa-ccache-sweeper to do this. It will be invoked by a new service, ipa-ccache-sweep, which will be executed every 12 hours by an equally-named timer. https://pagure.io/freeipa/issue/8589 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-11-19 16:29:05 -05:00
parent 83813cf8f7
commit c6644b8566
7 changed files with 99 additions and 1 deletions
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -7,11 +7,15 @@ NULL =
 dist_noinst_DATA = 			\
 	ipa-custodia.service.in		\
 	ipa.service.in			\
+	ipa-ccache-sweep.service.in	\
+	ipa-ccache-sweep.timer.in	\
 	$(NULL)

 systemdsystemunit_DATA = 	\
 	ipa-custodia.service	\
 	ipa.service				\
+	ipa-ccache-sweep.service	\
+	ipa-ccache-sweep.timer	\
 	$(NULL)

 CLEANFILES = $(systemdsystemunit_DATA)
--- a/init/systemd/ipa-ccache-sweep.service.in
+++ b/init/systemd/ipa-ccache-sweep.service.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=IPA Kerberos Ccache Sweeper Service
+Wants=gssproxy.service
+
+[Service]
+Type=simple
+ExecStart=@libexecdir@/ipa/ipa-ccache-sweeper
+PrivateTmp=yes
+User=ipaapi
+
+[Install]
+WantedBy=multi-user.target
--- a/init/systemd/ipa-ccache-sweep.timer.in
+++ b/init/systemd/ipa-ccache-sweep.timer.in
@@ -0,0 +1,8 @@
+[Unit]
+Description=Remove Expired Kerberos Credential Caches
+
+[Timer]
+OnUnitActiveSec=12h
+
+[Install]
+WantedBy=timers.target