[Freeipa-devel] [PATCH 0044] Periodically refresh global ipa-kdb configuration
Alexander Bokovoy
abokovoy at redhat.com
Tue Mar 11 14:05:20 UTC 2014
On Tue, 11 Mar 2014, Jan Pazdziora wrote:
>On Mon, Feb 24, 2014 at 02:26:27PM -0500, Nathaniel McCallum wrote:
>> Before this patch, ipa-kdb would load global configuration on startup
>> and never update it. This means that if global configuration is changed,
>> the KDC never receives the new configuration until it is restarted.
>>
>> This patch enables caching of the global configuration with a timeout of
>> 60 seconds.
>>
>> https://fedorahosted.org/freeipa/ticket/4153
>
>> >From 7daeae56671d7b3049b0341aad66c96877431bbe Mon Sep 17 00:00:00 2001
>> From: Nathaniel McCallum <npmccallum at redhat.com>
>> Date: Mon, 24 Feb 2014 14:19:13 -0500
>> Subject: [PATCH] Periodically refresh global ipa-kdb configuration
>>
>> Before this patch, ipa-kdb would load global configuration on startup and
>> never update it. This means that if global configuration is changed, the
>> KDC never receives the new configuration until it is restarted.
>>
>> This patch enables caching of the global configuration with a timeout of
>> 60 seconds.
>>
>> https://fedorahosted.org/freeipa/ticket/4153
>
>I have only read the code and it looks sane, so depending on how much
>you consider my word about code-reading worth, ack.
>
>However, my gut feeling is that my preferred way of handling the issue
>(without knowing much about the background of the ticket) would
>probably be a HUP signal handler or something similar, rather than
>polling for current values with the value timeout. This patch
>introduces small nondeterminism to the behaviour when the usage of the
>new values cannot really be enfoced by the admin (without the daemon
>restart).
Thing is, we need the update to happen when other, non-root process
makes the changes -- in our case when IPA server running under httpd
privileges performs series of MS-RPC calls towards smbd which lead to
creating certain LDAP objects. httpd couldn't send SIGHUP to a process
not owned by httpd's effective user (non-root).
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list