-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Per the discussion on sssd-devel list, nss_sss should not return a hardcoded value but this should rather be configurable to allow whatever the OS or distribution thinks is the best for the particular case.
Fixes: #266 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAksB59kACgkQHsardTLnvCWoUgCg4eHbgip35i4qVg58Aac9MvUz QQAAnRMbXG2usErz6ljQ5wH4QTPzNHt/ =lQOt -----END PGP SIGNATURE-----
>From c5c32d606cc1fdcf15945434ecb14f7a9d377e66 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 9 Nov 2009 18:38:09 +0100
Subject: [PATCH] Make the password field configurable in NSS
Per the discussion on sssd-devel list, nss_sss should not return a hardcoded value but this should rather be configurable to allow whatever the OS or distribution thinks is the best for the particular case.
Fixes: #266
---
 server/confdb/confdb.h | 1 +
 server/config/SSSDConfig.py | 1 +
 server/config/etc/sssd.api.conf | 1 +
 server/man/sssd.conf.5.xml | 16 ++++++++++++++++
 server/responder/nss/nsssrv.c | 7 +++++++
 server/responder/nss/nsssrv.h | 2 ++
 server/responder/nss/nsssrv_cmd.c | 9 +++++----
 7 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h
index a564b17..7f6c63b 100644
--- a/server/confdb/confdb.h
+++ b/server/confdb/confdb.h
@@ -60,6 +60,7 @@
 #define CONFDB_NSS_FILTER_USERS_IN_GROUPS "filter_users_in_groups"
 #define CONFDB_NSS_FILTER_USERS "filter_users"
 #define CONFDB_NSS_FILTER_GROUPS "filter_groups"
+#define CONFDB_NSS_PWFIELD "pwfield"
 /* PAM */
 #define CONFDB_PAM_CONF_ENTRY "config/pam"
diff --git a/server/config/SSSDConfig.py b/server/config/SSSDConfig.py
index 1fa6d4c..162354b 100644
--- a/server/config/SSSDConfig.py
+++ b/server/config/SSSDConfig.py
@@ -56,6 +56,7 @@ option_strings = {
 'filter_users' : _('Users that SSSD should explicitly ignore'),
 'filter_groups' : _('Groups that SSSD should explicitly ignore'),
 'filter_users_in_groups' : _('Should filtered users appear in groups'),
+ 'pwfield' : _('The value of the password field the NSS provider should return'),
 # [pam]
 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
diff --git a/server/config/etc/sssd.api.conf b/server/config/etc/sssd.api.conf
index e8b266b..77f9adf 100644
--- a/server/config/etc/sssd.api.conf
+++ b/server/config/etc/sssd.api.conf
@@ -26,6 +26,7 @@ entry_negative_timeout = int, None
 filter_users = list, str, root
 filter_groups = list, str, root
 filter_users_in_groups = bool, None, true
+pwfield = str, None, x
 [pam]
 # Authentication service
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 4facea6..1aabb90 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -313,6 +313,22 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>pwfield (string)</term>
+ <listitem>
+ <para>
+ Indicates the value of the password field the NSS provider should return.
+ Refer to
+ <citerefentry>
+ <refentrytitle>passwd</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on different options.
+ </para>
+ <para>
+ Default: x
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </refsect2>
 <refsect2 id='PAM'>
diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c
index dad1c7c..c50b33e 100644
--- a/server/responder/nss/nsssrv.c
+++ b/server/responder/nss/nsssrv.c
@@ -45,6 +45,8 @@
 #define SSS_NSS_PIPE_NAME "nss"
+#define DEFAULT_PWFIELD "x"
+ static int service_reload(DBusMessage *message, struct sbus_connection *conn);
 struct sbus_method monitor_nss_methods[] = {
@@ -201,6 +203,11 @@ static int nss_get_config(struct nss_ctx *nctx,
 }
 }
+ ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_PWFIELD, DEFAULT_PWFIELD,
+ &nctx->pwfield);
+ if (ret != EOK) goto done;
+ ret = 0;
 done:
 talloc_free(tmpctx);
diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h
index 464481d..a6c6618 100644
--- a/server/responder/nss/nsssrv.h
+++ b/server/responder/nss/nsssrv.h
@@ -57,6 +57,8 @@ struct nss_ctx {
 struct getent_ctx *gctx;
 bool filter_users_in_groups;
+
+ char *pwfield;
 };
 struct nss_packet;
diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
index b2a2035..a304bf1 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
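Review bot: The value read into `nctx->pwfield` in the nss_get_config() hunk of server/responder/nss/nsssrv.c is accepted without validation, although fill_pwent() in nsssrv_cmd.c then copies it verbatim into every passwd reply. passwd(5), which the new man page entry refers to, gives an empty password field the meaning "no password required", so a stray `pwfield =` in sssd.conf (assuming confdb hands back an empty string for it, which is not visible here) would change how applications that inspect pw_passwd treat all SSSD users, and a ':' or newline would corrupt output printed in passwd-file format. I would reject those values right after the read, e.g. `if (nctx->pwfield[0] == '\0' || strpbrk(nctx->pwfield, ":\n") != NULL) { ret = EINVAL; goto done; }`, and state the restriction in sssd.conf(5). nss_get_config() starts and ends outside the hunk, so any validation done elsewhere cannot be seen from here.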
@@ -135,7 +135,7 @@ static int fill_pwent(struct sss_packet *packet,
 uint32_t uid;
 uint32_t gid;
 size_t rsize, rp, blen;
- size_t s1, s2, s3, s4;
+ size_t s1, s2, s3, s4, s5;
 size_t dom_len = 0;
 int delim = 1;
 int i, ret, num, t;
@@ -201,9 +201,10 @@ static int fill_pwent(struct sss_packet *packet,
 s2 = strlen(gecos) + 1;
 s3 = strlen(homedir) + 1;
 s4 = strlen(shell) + 1;
+ s5 = strlen(nctx->pwfield) + 1;
 if (add_domain) s1 += delim + dom_len;
- rsize = 2*sizeof(uint32_t) +s1 + 2 + s2 + s3 +s4;
+ rsize = 2*sizeof(uint32_t) +s1 + s2 + s3 + s4 + s5;
 ret = sss_packet_grow(packet, rsize);
 if (ret != EOK) {
@@ -244,8 +245,8 @@ static int fill_pwent(struct sss_packet *packet,
 }
 rp += s1;
- memcpy(&body[rp], "x", 2);
- rp += 2;
+ memcpy(&body[rp], nctx->pwfield, s5);
+ rp += s5;
 memcpy(&body[rp], gecos, s2);
 rp += s2;
 memcpy(&body[rp], homedir, s3);
-- 1.6.2.5
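Review bot: `s5 = strlen(nctx->pwfield) + 1;` in the second fill_pwent() hunk dereferences `nctx->pwfield` with no NULL guard, so the responder relies on nss_get_config() having succeeded and left a non-NULL string there; that invariant deserves a comment on the struct member, e.g. `char *pwfield; /* set by nss_get_config(); must be non-NULL before fill_pwent() runs */`. The string does not change between entries, yet this strlen() sits beside the per-entry gecos/homedir/shell lengths, so it appears to be recomputed for every record and could be taken once before the loop. The password field on the wire was previously a fixed two bytes (`memcpy(&body[rp], "x", 2)`) and is now variable-length in the third hunk, so it is worth confirming that the nss_sss client parser reads it as a NUL-terminated string and bounds it against the caller's buffer. `nctx` is not declared in the visible lines and is presumably an existing parameter; fill_pwent() starts and ends outside these hunks.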