ITS#9581 Implement lastbind precision

2025-03-31 14:50:34 +08:00 · 2021-06-07 15:50:46 +01:00 · 2021-06-07 15:50:46 +01:00 · 9e1a961792
commit 9e1a961792
parent 681799da65
5 changed files with 37 additions and 3 deletions
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@ -1482,6 +1482,12 @@ Controls whether
 will automatically maintain the pwdLastSuccess attribute for
 entries. By default, olcLastBind is FALSE.
 .TP
+.B olcLastBindPrecision: <number>
+If olcLastBind is enabled, a new value is written only if the
+current one is more than
+.B number
+seconds in the past.
+.TP
 .B olcLimits: <selector> <limit> [<limit> [...]]
 Specify time and size limits based on the operation's initiator or
 base DN.
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@ -1386,6 +1386,12 @@ Controls whether
 will automatically maintain the pwdLastSuccess attribute for
 entries. By default, lastbind is off.
 .TP
+.B lastbind-precision <number>
+If lastbind is enabled, a new value is written only if the
+current one is more than
+.B number
+seconds in the past.
+.TP
 .B limits <selector> <limit> [<limit> [...]]
 Specify time and size limits based on the operation's initiator or
 base DN.
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -177,6 +177,7 @@ enum {
 	CFG_MODPATH,
 	CFG_LASTMOD,
 	CFG_LASTBIND,
+	CFG_LASTBIND_PRECISION,
 	CFG_AZPOLICY,
 	CFG_AZREGEXP,
 	CFG_AZDUC,
@ -450,6 +451,13 @@ static ConfigTable config_back_cf_table[] = {
 		&config_generic, "( OLcfgDbAt:0.22 NAME 'olcLastBind' "
 			"EQUALITY booleanMatch "
 			"SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
+	{ "lastbind-precision", "seconds difference", 2, 2, 0,
+		ARG_DB|ARG_MAGIC|ARG_UINT|CFG_LASTBIND_PRECISION,
+		&config_generic, "( OLcfgDbAt:0.23 NAME 'olcLastBindPrecision' "
+			"EQUALITY integerMatch "
+			"SYNTAX OMsInteger SINGLE-VALUE )", NULL,
+			{ .v_uint = 0 }
+	},
 	{ "ldapsyntax",	"syntax", 2, 0, 0,
 		ARG_PAREN|ARG_MAGIC|CFG_SYNTAX,
 		&config_generic, "( OLcfgGlAt:85 NAME 'olcLdapSyntaxes' "
@ -1009,8 +1017,8 @@ static ConfigOCs cf_ocs[] = {
 		"SUP olcConfig STRUCTURAL "
 		"MUST olcDatabase "
 		"MAY ( olcDisabled $ olcHidden $ olcSuffix $ olcSubordinate $ olcAccess $ "
-		 "olcAddContentAcl $ olcLastMod $ olcLastBind $ olcLimits $ "
-		 "olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ "
+		 "olcAddContentAcl $ olcLastMod $ olcLastBind $ olcLastBindPrecision $ "
+		 "olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ "
 		 "olcReplicaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ "
 		 "olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ "
 		 "olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ "
@ -1379,6 +1387,9 @@ config_generic(ConfigArgs *c) {
 		case CFG_LASTBIND:
 			c->value_int = (SLAP_NOLASTMOD(c->be) == 0);
 			break;
+		case CFG_LASTBIND_PRECISION:
+			c->value_uint = c->be->be_lastbind_precision;
+			break;
 		case CFG_SYNC_SUBENTRY:
 			c->value_int = (SLAP_SYNC_SUBENTRY(c->be) != 0);
 			break;
@ -1532,6 +1543,10 @@ config_generic(ConfigArgs *c) {
 			SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_SYNC_SUBENTRY;
 			break;

+		case CFG_LASTBIND_PRECISION:
+			c->be->be_lastbind_precision = 0;
+			break;
+
 		case CFG_RO:
 			c->be->be_restrictops &= ~SLAP_RESTRICT_READONLY;
 			break;
@ -2406,6 +2421,10 @@ sortval_reject:
 				SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_LASTBIND;
 			break;

+		case CFG_LASTBIND_PRECISION:
+			c->be->be_lastbind_precision = c->value_uint;
+			break;
+
 		case CFG_MULTIPROVIDER:
 			if(c->value_int && !SLAP_SHADOW(c->be)) {
 				snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> database is not a shadow",
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@ -437,7 +437,8 @@ fe_op_lastbind( Operation *op )
 		 * TODO: If the recorded bind time is within configurable precision,
 		 * it doesn't need to be updated (save a write for nothing)
 		 */
-		if ( bindtime != (time_t)-1 && op->o_time <= bindtime ) {
+		if ( bindtime != (time_t)-1 &&
+				op->o_time <= bindtime + op->o_bd->be_lastbind_precision ) {
 			be_entry_release_r( op, e );
 			return LDAP_SUCCESS;
 		}
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -1987,6 +1987,8 @@ struct BackendDB {
 	slap_access_t	be_dfltaccess;	/* access given if no acl matches	   */
 	AttributeName	*be_extra_anlist;	/* attributes that need to be added to search requests (ITS#6513) */

+	unsigned int be_lastbind_precision;
+
 	/* Consumer Information */
 	struct berval be_update_ndn;	/* allowed to make changes (in replicas) */
 	BerVarray	be_update_refs;	/* where to refer modifying clients to */