authorSumit Bose <sbose@redhat.com>2015-03-05 15:10:43 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-03-13 11:59:09 +0100
commite9457990c14446fc46b72f7f927e6d5fc776d490 (patch)
tree4d27f6363386fdd5cd19ce7162793839819bc692
parentc82b150d9599e212a71996d3f987f9b236833fe4 (diff)
PAM: use the logon_name as the key for the PAM initgr cache
Currently the name member of the pam_data struct is used as a key but it can change during a request. Especially for sub-domain users the name is changed from the short to the fully-qualified version before the cache entry is created. As a result the cache searches are always done with the short name while the entry was written with the fully-qualified name. The logon_name member of the pam_data struct contains the name which was sent by the PAM client and is never changed during the request. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 7bbf9d1d054f0571fa90ff5dd400a6f4a5a7f6c8)
-rw-r--r--src/responder/pam/pamsrv_cmd.c16
1 files changed, 3 insertions, 13 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 86e763f82..0b5440272 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1140,7 +1140,8 @@ static int pam_check_user_search(struct pam_auth_req *preq)
* the number of updates within a reasonable timeout
*/
if (preq->check_provider) {
- ret = pam_initgr_check_timeout(pctx->id_table, name);
+ ret = pam_initgr_check_timeout(pctx->id_table,
+ preq->pd->logon_name);
if (ret != EOK
&& ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
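Review bot: The key passed to pam_initgr_check_timeout() on the new line is the raw client-supplied logon_name, whereas the code removed in the third hunk lower-cased the key for domains with case_sensitive unset; the initgr timeout cache is therefore now keyed per spelling rather than per user, so in a case-insensitive domain "User" and "user" (or a short and a fully-qualified form) get separate timeout entries and the "don't go to the ID provider too often" throttle is weaker than the comment above suggests. Set and lookup use the same unnormalized string, so the stated consistency bug is fixed; whether the lost normalization matters is a design decision the commit message does not mention, and the `if (preq->check_provider)` block gives no hint whether logon_name can be NULL here, which the removed `if (!name)` guard previously covered indirectly. A short comment at the call site would record the trade-off: `/* keyed on the unnormalized logon_name as sent by the client, so case or domain-qualification variants of one user get separate timeout entries */`. pam_check_user_search's body continues outside the hunk, so it is not visible whether the old `name` variable is still used elsewhere in it.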
@@ -1334,7 +1335,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
int ret;
struct pam_ctx *pctx =
talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
- char *name;
if (err_maj) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1346,17 +1346,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
ret = pam_check_user_search(preq);
if (ret == EOK) {
/* Make sure we don't go to the ID provider too often */
- name = preq->domain->case_sensitive ?
- talloc_strdup(preq, preq->pd->user) :
- sss_tc_utf8_str_tolower(preq, preq->pd->user);
- if (!name) {
- ret = ENOMEM;
- goto done;
- }
-
ret = pam_initgr_cache_set(pctx->rctx->ev, pctx->id_table,
- name, pctx->id_timeout);
- talloc_free(name);
+ preq->pd->logon_name, pctx->id_timeout);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Could not save initgr timestamp. "
@@ -1371,7 +1362,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
ret = pam_check_user_done(preq, ret);
-done:
if (ret) {
preq->pd->pam_status = PAM_SYSTEM_ERR;
pam_reply(preq);