File 141030-2-NSS-disable-midpoint-refresh-for-netgroups.patch of Package sssd.openSUSE_Leap_42.1_Update

From f933190722886ff23eab8148b473915908bc8c23 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Thu, 30 Oct 2014 17:02:45 +0000
Subject: [PATCH] NSS: disable midpoint refresh for netgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Disable midpoint refresh for netgroups if periodical refresh of expired
netgroups is enabled (refresh_expired_interval)

Resolves:
https://fedorahosted.org/sssd/ticket/2102

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

diff -rupN sssd-1.11.5.1-original/src/responder/nss/nsssrv_cmd.c sssd-1.11.5.1-patched/src/responder/nss/nsssrv_cmd.c
--- sssd-1.11.5.1-original/src/responder/nss/nsssrv_cmd.c	2017-01-31 16:57:41.492342926 +0100
+++ sssd-1.11.5.1-patched/src/responder/nss/nsssrv_cmd.c	2017-01-31 16:59:45.089663171 +0100
@@ -502,6 +502,25 @@ static int nss_cmd_getpw_send_reply(stru
     return EOK;
 }
 
+/* Currently only refreshing expired netgroups is supported. */
+static bool
+is_refreshed_on_bg(int req_type,
+                   enum sss_dp_acct_type refresh_expired_interval)
+{
+    if (refresh_expired_interval == 0) {
+        return false;
+    }
+
+    switch (req_type) {
+    case SSS_DP_NETGR:
+        return true;
+    default:
+        return false;
+    }
+
+    return false;
+}
+
 static void nsssrv_dp_send_acct_req_done(struct tevent_req *req);
 
 /* FIXME: do not check res->count, but get in a msgs and check in parent */
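Review bot: The parameter types of `is_refreshed_on_bg` look swapped: `refresh_expired_interval` is declared as `enum sss_dp_acct_type` although it is tested as an interval (`== 0`), while `req_type`, which is matched against `SSS_DP_NETGR`, is a plain `int`. An interval passed through an enum-typed parameter is converted to whatever integer type the compiler chose for the enum, so a large value could in principle be altered before the zero test. Declaring it with the same integer type as `dctx->domain->refresh_expired_interval` (its declaration is not visible here), e.g. `is_refreshed_on_bg(int req_type, uint32_t refresh_expired_interval)`, avoids that. The trailing `return false;` after the `switch` is unreachable, since every case returns, and can be dropped.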
@@ -531,20 +550,32 @@ errno_t check_cache(struct nss_dom_ctx *
         return ENOENT;
     }
 
-    /* if we have any reply let's check cache validity */
+    /* if we have any reply let's check cache validity, but ignore netgroups
+     * if refresh_expired_interval is set (which implies that another method
+     * is used to refresh netgroups)
+     */
     if (res->count > 0) {
-        if (req_type == SSS_DP_INITGROUPS) {
-            cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0],
-                                                      SYSDB_INITGR_EXPIRE, 1);
-        }
-        if (cacheExpire == 0) {
-            cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0],
-                                                      SYSDB_CACHE_EXPIRE, 0);
+        if (is_refreshed_on_bg(req_type,
+                               dctx->domain->refresh_expired_interval)) {
+            ret = EOK;
+        } else {
+            if (req_type == SSS_DP_INITGROUPS) {
+                cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0],
+                                                          SYSDB_INITGR_EXPIRE,
+                                                          1);
+            }
+            if (cacheExpire == 0) {
+                cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0],
+                                                          SYSDB_CACHE_EXPIRE,
+                                                          0);
+            }
+
+            /* if we have any reply let's check cache validity */
+            ret = sss_cmd_check_cache(res->msgs[0],
+                                      nctx->cache_refresh_percent,
+                                      cacheExpire);
         }
 
-        /* if we have any reply let's check cache validity */
-        ret = sss_cmd_check_cache(res->msgs[0], nctx->cache_refresh_percent,
-                                  cacheExpire);
         if (ret == EOK) {
             DEBUG(SSSDBG_TRACE_FUNC, ("Cached entry is valid, returning..\n"));
             return EOK;
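Review bot: In `check_cache`, the new `ret = EOK` branch skips `sss_cmd_check_cache` altogether, so for netgroups with `refresh_expired_interval` set the entry is reported valid even after it has fully expired, not only past the refresh midpoint as the commit title says. Netgroup membership often feeds access decisions, so if the background refresh is late or failing, a removed member stays effective with no expiry backstop on this path. Consider keeping the call unconditional and suppressing only the midpoint result, e.g. `if (ret == EAGAIN && is_refreshed_on_bg(req_type, dctx->domain->refresh_expired_interval)) ret = EOK;`, assuming the midpoint case is reported as a distinct code such as `EAGAIN` (the callee is not visible here, so confirm). The body of `check_cache` starts and continues outside the hunk.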