URL: https://github.com/SSSD/sssd/pull/106
Title: #106: Add a new "files" provider
jhrozek commented:
"""
On Mon, Jan 09, 2017 at 03:17:24AM -0800, Pavel Březina wrote:
> So far it looks good and I have only very few comments. I didn't read the
> code thoroughly yet.
>
> *NSS: Skip disabled domains during requests*
> Rename to cache_req: please, because the change is there and not in nss
> responder.
Done.
>
> *RESPONDER: A sbus interface to reset negatively cached users*
> *DP: Add internal DP interface to enable and disable domains*
> I will look how much work would it be to implement signals. I believe most of
> the work has been done already so if we can finish it rather quickly, we
> should do it right.
Thank you
>
> *CONFDB: Make pwfield configurable per-domain*
> Can you move 'nss_get_pwfield' into nss_util.c? It doesn't really have
> anything common with protocol.
That's what I tried to do initially, but nss_util.c doesn't have access
to struct nss_ctx. I wasn't sure if it makes sense to include
nss_private.h into nss_util.c. I'm fine both ways, but the current
version of the patch tried to not include more headers than we already
do.
>
> *CONFDB: The files domain defaults to "x" as pwfield*
> Are we also able to authenticate with pam_sss without pam_unix?
There is no auth_provider=files, but it should be possible to use
auth_provider=proxy configured with pam_unix.
>
> *FILES: Add the files provider*
> You say that a domain is disabled during enumeration and we fall back to nss
> files. Do you expect the update to take a really long time? Wouldn't it be
> better to jus wait until the enumeration is done?
I was thinking about this for some time and it seemed safer to me to
fall back. But just when I was thinking about this again today, I
realized that at least the InfoPipe interface has nowhere to fall back
to, so the behaviour must either differ on the cache_req level between
the nss responder and the ifp responder or we should wait until the
domain updates in both cases.
Maybe we could even do something in-between, but I really wonder if it
is an optimization or over-engineering:
- when a domain is disabled, attach a request and wait
- when a timeout passes, return a 'not found' error
- the responder would be able to configure the timeout (not the
user, this is really too low level)
- the nss responder would select something quite small (half a
second?) just to make sure we don't delay lookups too much and the
ifp responder would select several second
"""
See the full comment at
https://github.com/SSSD/sssd/pull/106#issuecomment-271395720
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
