URL: https://github.com/SSSD/sssd/pull/106 Title: #106: Add a new "files" provider
jhrozek commented: """
On Mon, Jan 09, 2017 at 03:17:24AM -0800, Pavel Březina wrote:
> So far it looks good and I have only very few comments. I didn't read the
> code thoroughly yet.
>
> *NSS: Skip disabled domains during requests*
> Rename to cache_req, please, because the change is there and not in the nss
> responder.

Done.

> *RESPONDER: A sbus interface to reset negatively cached users*
> *DP: Add internal DP interface to enable and disable domains*
> I will look how much work it would be to implement signals. I believe most of
> the work has been done already, so if we can finish it rather quickly, we
> should do it right.

Thank you.

> *CONFDB: Make pwfield configurable per-domain*
> Can you move 'nss_get_pwfield' into nss_util.c? It doesn't really have
> anything in common with the protocol.

That's what I tried to do initially, but nss_util.c doesn't have access to
struct nss_ctx. I wasn't sure if it makes sense to include nss_private.h into
nss_util.c. I'm fine both ways, but the current version of the patch tried to
not include more headers than we already do.

> *CONFDB: The files domain defaults to "x" as pwfield*
> Are we also able to authenticate with pam_sss without pam_unix?

There is no auth_provider=files, but it should be possible to use
auth_provider=proxy configured with pam_unix.

> *FILES: Add the files provider*
> You say that a domain is disabled during enumeration and we fall back to nss
> files. Do you expect the update to take a really long time? Wouldn't it be
> better to just wait until the enumeration is done?

I was thinking about this for some time and it seemed safer to me to fall
back. But just when I was thinking about this again today, I realized that at
least the InfoPipe interface has nowhere to fall back to, so the behaviour
must either differ on the cache_req level between the nss responder and the
ifp responder, or we should wait until the domain updates in both cases.

Maybe we could even do something in-between, but I really wonder if it is an
optimization or over-engineering:
 - when a domain is disabled, attach a request and wait
 - when a timeout passes, return a 'not found' error
 - the responder would be able to configure the timeout (not the user, this
   is really too low level)
 - the nss responder would select something quite small (half a second?)
   just to make sure we don't delay lookups too much, and the ifp responder
   would select several seconds
"""
See the full comment at https://github.com/SSSD/sssd/pull/106#issuecomment-271395720
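The "attach a request and wait, give up after a responder-chosen timeout" variant sketched in the comment above, as an added illustration that is not SSSD code and not part of PR #106. It is a small Python asyncio model: the names DomainState, Responder and cache_req_user_by_name, the half-second nss budget versus a five-second ifp budget, and the sample user table are all assumptions made for this example. It shows the two outcomes the proposal implies: a lookup that arrives while the domain is disabled either sees the refreshed data once the update finishes within the responder's budget, or gets 'not found' when it does not.

```python
"""Model of per-responder wait budgets for a temporarily disabled domain.

Added example for illustration only; not SSSD code.  DomainState,
Responder, cache_req_user_by_name and the timeout values are assumptions.
"""
import asyncio
from dataclasses import dataclass
from typing import Dict, Tuple, Union

NOT_FOUND = "ENOENT"  # what cache_req would report after the wait expires


class DomainState:
    """A domain the data provider can disable while it re-reads its source
    files and re-enable once the update is complete."""

    def __init__(self, name: str, users: Dict[str, int]) -> None:
        self.name = name
        self.users = users            # constructed sample data, not a real passwd
        self._enabled = asyncio.Event()
        self._enabled.set()           # domains start out enabled

    def disable(self) -> None:
        self._enabled.clear()

    def enable(self) -> None:
        self._enabled.set()

    async def wait_enabled(self, timeout: float) -> bool:
        """Attach to the domain and wait until it is enabled again.
        Returns False if the wait budget runs out first."""
        try:
            await asyncio.wait_for(self._enabled.wait(), timeout)
            return True
        except asyncio.TimeoutError:
            return False


@dataclass(frozen=True)
class Responder:
    """Each responder picks its own budget; it is not a user-facing option."""
    name: str
    wait_timeout: float   # seconds to wait for a disabled domain


NSS = Responder("nss", 0.5)   # keep getpwnam() and friends snappy (assumed value)
IFP = Responder("ifp", 5.0)   # D-Bus callers have nowhere to fall back (assumed value)


async def cache_req_user_by_name(resp: Responder, dom: DomainState,
                                 name: str) -> Union[int, str]:
    """Look up `name` in `dom`.  If the domain is disabled, wait up to the
    responder's budget; if it does not come back in time, answer ENOENT
    rather than blocking the caller indefinitely."""
    if not await dom.wait_enabled(resp.wait_timeout):
        return NOT_FOUND
    return dom.users.get(name, NOT_FOUND)


async def scenario(update_takes: float) -> Tuple[Union[int, str], Union[int, str]]:
    """Disable the domain, have the 'update' finish after `update_takes`
    seconds (adding user carol), and issue one nss and one ifp lookup for
    carol while the domain is still disabled."""
    dom = DomainState("files", {"alice": 1000, "bob": 1001})
    dom.disable()

    async def finish_update() -> None:
        await asyncio.sleep(update_takes)
        dom.users["carol"] = 1002     # the refreshed data the update brings in
        dom.enable()

    update = asyncio.create_task(finish_update())
    nss_result, ifp_result = await asyncio.gather(
        cache_req_user_by_name(NSS, dom, "carol"),
        cache_req_user_by_name(IFP, dom, "carol"),
    )
    await update
    return nss_result, ifp_result


def run(update_takes: float) -> Tuple[Union[int, str], Union[int, str]]:
    """Synchronous entry point: returns (nss_result, ifp_result)."""
    return asyncio.run(scenario(update_takes))


if __name__ == "__main__":
    print("fast update  :", run(0.1))   # both responders see carol
    print("slow update  :", run(1.5))   # nss gives up, ifp still sees carol
```

With a slow update the nss lookup returns ENOENT after half a second while the ifp lookup waits the full update and gets the new entry, which is exactly the split in behaviour between the two responders that the comment is weighing against simply waiting in both cases.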
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org