this patch is mostly intended to make automated testing easier. Since
SSSD uses a timeout before the list of known trusted domains is read
again users and groups from a new trust might not be available

With this patch a signal to reset the timeout is sent to SSSD running on
the host where the ipa command to add the trust is called if the caller
is root. Currently SSSD does not provide a better interface for this
task, the alternative would be a restart which might be a bit

Fixes https://fedorahosted.org/freeipa/ticket/4006 , related to
https://fedorahosted.org/sssd/ticket/2030 .

From 5686769945db285d06b9fec8deee1bc1bdf0cebc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 29 Oct 2013 11:34:56 +0100
Subject: [PATCH] trust-add/del: send a signal to SSSD to reset timeouts

SSSD uses some timeouts when looking up new domains. If the timeout is
not expired a newly added trusted domain will not be resolved
immediately. This might be irritating for an admin and might lead to
unexpected failures during testing.

With this patch a SIGUSR2 signal, which will reset the timeouts, is sent
to SSSD when a trusted domain is added or deleted. Since SSSD is
running as root, this currently only works if the ipa command is called
as root as well. Future versions of SSSD will provide better interfaces
for this kind of task.

Fixes https://fedorahosted.org/freeipa/ticket/4006
 ipalib/plugins/trust.py | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -20,12 +20,13 @@
 from ipalib.plugins.baseldap import *
 from ipalib.plugins.dns import dns_container_exists
-from ipapython.ipautil import realm_to_suffix
+from ipapython.ipautil import realm_to_suffix, run
 from ipalib import api, Str, StrEnum, Password, _, ngettext
 from ipalib import Command
 from ipalib import errors
 from ldap import SCOPE_SUBTREE
 from time import sleep
+from os import geteuid
     import pysss_murmur #pylint: disable=F0401
@@ -188,6 +189,15 @@ def make_trust_dn(env, trust_type, dn):
         return DN(dn, container_dn)
     return dn
+def send_usr2_to_sssd():
+    """
+    If running as root send SIGUSR2 to SSSD to reset the domain lookup related
+    timeouts. This will allow the local SSSD instance e.g. to get the users
+    from a newly created trust immediately.
+    """
+    if geteuid()==0:
+        run(["/bin/pkill", "-USR2", "sssd"])
 class trust(LDAPObject):
     Trust object.
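Review bot: `run(["/bin/pkill", "-USR2", "sssd"])` in send_usr2_to_sssd() can abort the ipa command and signals more than the SSSD monitor. ipautil.run raises by default when the child exits non-zero, and pkill exits 1 when no process matched, so a root caller on a host without a running SSSD would presumably get an exception out of the new forward() overrides before the request is sent. The pattern `sssd` is an unanchored match on process names, so every process whose name contains it receives SIGUSR2 from root, and any of them that installs no handler takes the default action, which terminates it; whether all SSSD child processes handle SIGUSR2 is not visible here. I would change the call to `run(["/bin/pkill", "-USR2", "-x", "sssd"], raiseonerr=False)` and note in the docstring that the signal is best-effort.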
@@ -728,11 +738,19 @@ sides.
         raise errors.ValidationError(name=_('AD Trust setup'),
                                      error=_('Not enough arguments specified 
to perform trust setup'))
+    def forward(self, *args, **kw):
+        send_usr2_to_sssd()
+        return self.api.Backend.xmlclient.forward(self.name, *args, **kw)
 class trust_del(LDAPDelete):
     __doc__ = _('Delete a trust.')
     msg_summary = _('Deleted trust "%(value)s"')
+    def forward(self, *args, **kw):
+        send_usr2_to_sssd()
+        return self.api.Backend.xmlclient.forward(self.name, *args, **kw)
 class trust_mod(LDAPUpdate):
     __doc__ = _("""
     Modify a trust (for future use).
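Review bot: In the added `forward()` overrides, `send_usr2_to_sssd()` runs before `xmlclient.forward(...)`, so the timeouts are reset before the trust has been created or removed on the server. If SSSD re-reads its domain list in that window it still misses the change, and the timeout starts again. Sending the signal only after the call returns successfully looks closer to the stated goal: `result = self.api.Backend.xmlclient.forward(self.name, *args, **kw)`, `send_usr2_to_sssd()`, `return result`. The same body is repeated in trust_del here and in the trustdomain_add, trustdomain_del and trust_fetch_domains hunks, so a small shared mixin would keep the five copies from drifting. The class header for the first override (presumably trust_add) is outside this hunk.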
@@ -1196,6 +1214,11 @@ class trustdomain_add(LDAPCreate):
         if 'ipanttrustpartner' in options:
             entry_attrs['ipanttrustpartner'] = [options['ipanttrustpartner']]
         return dn
+    def forward(self, *args, **kw):
+        send_usr2_to_sssd()
+        return self.api.Backend.xmlclient.forward(self.name, *args, **kw)
 class trustdomain_del(LDAPDelete):
@@ -1219,6 +1242,10 @@ class trustdomain_del(LDAPDelete):
         result['value'] = u','.join(keys[1])
         return result
+    def forward(self, *args, **kw):
+        send_usr2_to_sssd()
+        return self.api.Backend.xmlclient.forward(self.name, *args, **kw)
@@ -1290,6 +1317,10 @@ class trust_fetch_domains(LDAPRetrieve):
         result['truncated'] = False
         return result
+    def forward(self, *args, **kw):
+        send_usr2_to_sssd()
+        return self.api.Backend.xmlclient.forward(self.name, *args, **kw)
 class trustdomain_enable(LDAPQuery):
