On (13/03/14 15:24), Pete Fritchman wrote:
>On Thu, Mar 13, 2014 at 1:28 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> would you like any help amending the patch? Are you still planning on
>> re-sending it?
>
>Hi Jakub,
>
>Sorry - I forgot to follow up to this thread. I attached a new patch
>to the ticket that includes the case where send_and_receive returns
>PAM_IGNORE and also updates the pam_sss man page.
>
>https://fedorahosted.org/sssd/ticket/2232
>https://fedorahosted.org/sssd/attachment/ticket/2232/0001-PAM-add-ignore_unknown_user-option.patch
>
>thanks,
>
>index d45b2e88f16b030b81b180cef233bc024347f5d8..32558fac9b18e5f62b8968f6fbfbada6c9b3f504 100644
>Index: src/sss_client/pam_sss.c
>===================================================================
>--- a/src/sss_client/pam_sss.c
>+++ b/src/sss_client/pam_sss.c
>@@ -47,6 +47,7 @@
> #define FLAGS_USE_FIRST_PASS (1 << 0)
> #define FLAGS_FORWARD_PASS (1 << 1)
> #define FLAGS_USE_AUTHTOK (1 << 2)
>+#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
>
> #define PWEXP_FLAG "pam_sss:password_expired_flag"
> #define FD_DESTRUCTOR "pam_sss:fd_destructor"
>@@ -1284,6 +1285,8 @@ static void eval_argv(pam_handle_t *pamh, int argc,
>const char **argv,
> }
> } else if (strcmp(*argv, "quiet") == 0) {
> *quiet_mode = true;
>+ } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
>+ *flags |= FLAGS_IGNORE_UNKNOWN_USER;
> } else {
> logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
> }
>@@ -1425,6 +1428,9 @@ static int pam_sss(enum sss_cli_command task,
>pam_handle_t *pamh,
> ret = get_pam_items(pamh, &pi);
> if (ret != PAM_SUCCESS) {
> D(("get items returned error: %s", pam_strerror(pamh,ret)));
>+ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
>+ ret = PAM_IGNORE;
>+ }
> return ret;
> }
>
>@@ -1463,6 +1469,11 @@ static int pam_sss(enum sss_cli_command task,
>pam_handle_t *pamh,
>
> pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
>
>+ if (flags & FLAGS_IGNORE_UNKNOWN_USER
>+ && pam_status == PAM_USER_UNKNOWN) {
>+ pam_status = PAM_IGNORE;

I think you can immediately return PAM_IGNORE

>
>+ }
>+
> switch (task) {
> case SSS_PAM_AUTHENTICATE:
> /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD
> during

But you did not implement the same behaviour as pam-ldap with the argument ignore_authinfo_unavail. If sssd is stopped, sss_pam will return PAM_AUTHINFO_UNAVAIL and a local user cannot authenticate.

LS

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
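Review bot: in the get_pam_items hunk (@@ -1425,6 +1428,9 @@), the D() debug line still reports the original error and nothing records that PAM_USER_UNKNOWN was downgraded to PAM_IGNORE because ignore_unknown_user is set; add a logger(pamh, LOG_DEBUG, ...) call next to the D() line saying the unknown user is being ignored, so an operator tracing why a login skipped this module can see the option was responsible. It would also help to parenthesise the condition as `(flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN`; the precedence is correct as written, but the explicit form matches the two-line condition in the later hunk and makes the intent obvious.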
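Review bot: in the send_and_receive hunk (@@ -1463,6 +1469,11 @@), after pam_status is set to PAM_IGNORE control falls through into the switch (task) below, where the per-task handling of pam_status can still act on or overwrite the value; return PAM_IGNORE right there, as the inline comment suggests, or confirm that every case of the switch leaves PAM_IGNORE untouched. A log line at the same point, like the one suggested for the earlier hunk, would make it visible when a user was skipped because of ignore_unknown_user.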