-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Per the discussion on sssd-devel list, nss_sss should not return a
hardcoded value but this should rather be configurable to allow whatever
the OS or distribution thinks is the best for the particular case.

Fixes: #266
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAksB59kACgkQHsardTLnvCWoUgCg4eHbgip35i4qVg58Aac9MvUz
QQAAnRMbXG2usErz6ljQ5wH4QTPzNHt/
=lQOt
-----END PGP SIGNATURE-----
>From c5c32d606cc1fdcf15945434ecb14f7a9d377e66 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 9 Nov 2009 18:38:09 +0100
Subject: [PATCH] Make the password field configurable in NSS

Per the discussion on sssd-devel list, nss_sss should not return a
hardcoded value but this should rather be configurable to allow whatever
the OS or distribution thinks is the best for the particular case.

Fixes: #266
---
 server/confdb/confdb.h            |    1 +
 server/config/SSSDConfig.py       |    1 +
 server/config/etc/sssd.api.conf   |    1 +
 server/man/sssd.conf.5.xml        |   16 ++++++++++++++++
 server/responder/nss/nsssrv.c     |    7 +++++++
 server/responder/nss/nsssrv.h     |    2 ++
 server/responder/nss/nsssrv_cmd.c |    9 +++++----
 7 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h
index a564b17..7f6c63b 100644
--- a/server/confdb/confdb.h
+++ b/server/confdb/confdb.h
@@ -60,6 +60,7 @@
 #define CONFDB_NSS_FILTER_USERS_IN_GROUPS "filter_users_in_groups"
 #define CONFDB_NSS_FILTER_USERS "filter_users"
 #define CONFDB_NSS_FILTER_GROUPS "filter_groups"
+#define CONFDB_NSS_PWFIELD  "pwfield"
 
 /* PAM */
 #define CONFDB_PAM_CONF_ENTRY "config/pam"
diff --git a/server/config/SSSDConfig.py b/server/config/SSSDConfig.py
index 1fa6d4c..162354b 100644
--- a/server/config/SSSDConfig.py
+++ b/server/config/SSSDConfig.py
@@ -56,6 +56,7 @@ option_strings = {
     'filter_users' : _('Users that SSSD should explicitly ignore'),
     'filter_groups' : _('Groups that SSSD should explicitly ignore'),
     'filter_users_in_groups' : _('Should filtered users appear in groups'),
+    'pwfield' : _('The value of the password field the NSS provider should return'),
 
     # [pam]
     'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
diff --git a/server/config/etc/sssd.api.conf b/server/config/etc/sssd.api.conf
index e8b266b..77f9adf 100644
--- a/server/config/etc/sssd.api.conf
+++ b/server/config/etc/sssd.api.conf
@@ -26,6 +26,7 @@ entry_negative_timeout = int, None
 filter_users = list, str, root
 filter_groups = list, str, root
 filter_users_in_groups = bool, None, true
+pwfield = str, None, x
 
 [pam]
 # Authentication service
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 4facea6..1aabb90 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -313,6 +313,22 @@
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>pwfield (string)</term>
+                    <listitem>
+                        <para>
+                            Indicates the value of the password field the NSS provider should return.
+                            Refer to
+                            <citerefentry>
+                                <refentrytitle>passwd</refentrytitle>
+                                <manvolnum>5</manvolnum>
+                            </citerefentry> for more information on different options.
+                        </para>
+                        <para>
+                            Default: x
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </refsect2>
         <refsect2 id='PAM'>
diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c
index dad1c7c..c50b33e 100644
--- a/server/responder/nss/nsssrv.c
+++ b/server/responder/nss/nsssrv.c
@@ -45,6 +45,8 @@
 
 #define SSS_NSS_PIPE_NAME "nss"
 
+#define DEFAULT_PWFIELD "x"
+
 static int service_reload(DBusMessage *message, struct sbus_connection *conn);
 
 struct sbus_method monitor_nss_methods[] = {
@@ -201,6 +203,11 @@ static int nss_get_config(struct nss_ctx *nctx,
         }
     }
 
+    ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+                            CONFDB_NSS_PWFIELD, DEFAULT_PWFIELD,
+                            &nctx->pwfield);
+    if (ret != EOK) goto done;
+
     ret = 0;
 done:
     talloc_free(tmpctx);
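Review bot: The string read into `nctx->pwfield` is accepted without validation, so an empty value, or one containing `:` or a newline, would be copied verbatim into every passwd entry the responder returns. passwd(5) lets applications treat an empty password field as "no password required", and a `:` would shift fields for any consumer that re-serialises entries in passwd format. Consider rejecting such values right after the call, e.g. `if (nctx->pwfield[0] == '\0' || strpbrk(nctx->pwfield, ":\n") != NULL) { ret = EINVAL; goto done; }`, and logging why the configuration was refused. nss_get_config starts outside this hunk, so whether the function is re-run on a service reload (which would replace the earlier string) cannot be confirmed from here.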
diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h
index 464481d..a6c6618 100644
--- a/server/responder/nss/nsssrv.h
+++ b/server/responder/nss/nsssrv.h
@@ -57,6 +57,8 @@ struct nss_ctx {
     struct getent_ctx *gctx;
 
     bool filter_users_in_groups;
+
+    char *pwfield;
 };
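Review bot: The new `pwfield` member has no comment saying what it holds or who owns it, unlike a self-describing flag such as `filter_users_in_groups`. A one-line comment would help, for example `/* string returned as the passwd entry's password field; set from the pwfield option, never a real hash */`. The string appears to be allocated with `nctx` as its parent in nss_get_config, which is worth stating if that is the intent.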
 
 struct nss_packet;
diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
index b2a2035..a304bf1 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
@@ -135,7 +135,7 @@ static int fill_pwent(struct sss_packet *packet,
     uint32_t uid;
     uint32_t gid;
     size_t rsize, rp, blen;
-    size_t s1, s2, s3, s4;
+    size_t s1, s2, s3, s4, s5;
     size_t dom_len = 0;
     int delim = 1;
     int i, ret, num, t;
@@ -201,9 +201,10 @@ static int fill_pwent(struct sss_packet *packet,
         s2 = strlen(gecos) + 1;
         s3 = strlen(homedir) + 1;
         s4 = strlen(shell) + 1;
+        s5 = strlen(nctx->pwfield) + 1;
         if (add_domain) s1 += delim + dom_len;
 
-        rsize = 2*sizeof(uint32_t) +s1 + 2 + s2 + s3 +s4;
+        rsize = 2*sizeof(uint32_t) +s1 + s2 + s3 + s4 + s5;
 
         ret = sss_packet_grow(packet, rsize);
         if (ret != EOK) {
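Review bot: `s5 = strlen(nctx->pwfield) + 1;` is computed alongside the per-entry lengths although the value is the same for every entry. Judging by the indentation this is inside the loop over results, so it could be computed once before the loop. The call also assumes `nctx->pwfield` is never NULL, which holds only if nss_get_config has succeeded before any request is served. That cannot be confirmed from this hunk, so a guard such as `if (nctx->pwfield == NULL) return EINVAL;` at the top of the function would make the assumption explicit. fill_pwent starts and ends outside the hunk.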
@@ -244,8 +245,8 @@ static int fill_pwent(struct sss_packet *packet,
         }
         rp += s1;
 
-        memcpy(&body[rp], "x", 2);
-        rp += 2;
+        memcpy(&body[rp], nctx->pwfield, s5);
+        rp += s5;
         memcpy(&body[rp], gecos, s2);
         rp += s2;
         memcpy(&body[rp], homedir, s3);
-- 
1.6.2.5
