authorJakub Hrozek <jhrozek@redhat.com>2009-11-09 18:38:09 +0100
committerStephen Gallagher <sgallagh@redhat.com>2009-11-18 17:35:10 -0500
commit15dc6329c159e3f03e25cc18a49681e0f4be9c51 (patch)
tree713d3ea741aecb386413ad151b07de7f801b412a
parent8f1d08367255e5be9db8718da5d4ee9444911b57 (diff)
Make the password field configurable in NSS
Per the discussion on sssd-devel list, nss_sss should not return a hardcoded value but this should rather be configurable to allow whatever the OS or distribution thinks is the best for the particular case. Fixes: #266
-rw-r--r--server/confdb/confdb.h1
-rw-r--r--server/config/SSSDConfig.py1
-rw-r--r--server/config/etc/sssd.api.conf1
-rw-r--r--server/responder/nss/nsssrv.c7
-rw-r--r--server/responder/nss/nsssrv.h2
-rw-r--r--server/responder/nss/nsssrv_cmd.c9
6 files changed, 17 insertions, 4 deletions
diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h
index a564b176a..7f6c63b04 100644
--- a/server/confdb/confdb.h
+++ b/server/confdb/confdb.h
@@ -60,6 +60,7 @@
#define CONFDB_NSS_FILTER_USERS_IN_GROUPS "filter_users_in_groups"
#define CONFDB_NSS_FILTER_USERS "filter_users"
#define CONFDB_NSS_FILTER_GROUPS "filter_groups"
+#define CONFDB_NSS_PWFIELD "pwfield"
/* PAM */
#define CONFDB_PAM_CONF_ENTRY "config/pam"
diff --git a/server/config/SSSDConfig.py b/server/config/SSSDConfig.py
index 1fa6d4c50..162354b1a 100644
--- a/server/config/SSSDConfig.py
+++ b/server/config/SSSDConfig.py
@@ -56,6 +56,7 @@ option_strings = {
'filter_users' : _('Users that SSSD should explicitly ignore'),
'filter_groups' : _('Groups that SSSD should explicitly ignore'),
'filter_users_in_groups' : _('Should filtered users appear in groups'),
+ 'pwfield' : _('The value of the password field the NSS provider should return'),
# [pam]
'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
diff --git a/server/config/etc/sssd.api.conf b/server/config/etc/sssd.api.conf
index e8b266bda..91b38b638 100644
--- a/server/config/etc/sssd.api.conf
+++ b/server/config/etc/sssd.api.conf
@@ -26,6 +26,7 @@ entry_negative_timeout = int, None
filter_users = list, str, root
filter_groups = list, str, root
filter_users_in_groups = bool, None, true
+pwfield = str, None, *
[pam]
# Authentication service
diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c
index dad1c7c18..7de346f0c 100644
--- a/server/responder/nss/nsssrv.c
+++ b/server/responder/nss/nsssrv.c
@@ -45,6 +45,8 @@
#define SSS_NSS_PIPE_NAME "nss"
+#define DEFAULT_PWFIELD "*"
+
static int service_reload(DBusMessage *message, struct sbus_connection *conn);
struct sbus_method monitor_nss_methods[] = {
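Review bot: The new `DEFAULT_PWFIELD` is `"*"`, while the value removed from fill_pwent in nsssrv_cmd.c was the hard-coded `"x"`, so the default reply changes for every existing installation and nothing at the define says so. The two markers conventionally mean different things to consumers of the passwd entry: `x` points at a shadow database, `*` is a string no hash can match. I would document the choice at the define, for example `/* "*" never matches a password hash; the responder returned "x" before this option existed */`. The same default is repeated as `pwfield = str, None, *` in sssd.api.conf, so a comment naming both places would help keep them in step.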
@@ -201,6 +203,11 @@ static int nss_get_config(struct nss_ctx *nctx,
}
}
+ ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_PWFIELD, DEFAULT_PWFIELD,
+ &nctx->pwfield);
+ if (ret != EOK) goto done;
+
ret = 0;
done:
talloc_free(tmpctx);
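Review bot: The string read into `nctx->pwfield` is accepted as-is, and the nsssrv_cmd.c hunks then copy it into every passwd reply. Two values are worth rejecting at load time. An empty string matters because an empty password field is conventionally read as "no password set" by some consumers, which should be confirmed against the PAM stack in use. A value containing `:` would corrupt passwd-format output such as `getent passwd`. A guard after the `ret != EOK` test would cover both: `if (nctx->pwfield[0] == '\0' || strchr(nctx->pwfield, ':') != NULL) { ret = EINVAL; goto done; }`. nss_get_config begins above this hunk, so whether an empty configured value can reach this point depends on confdb_get_string, which is not visible here.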
diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h
index 464481d7b..a6c661835 100644
--- a/server/responder/nss/nsssrv.h
+++ b/server/responder/nss/nsssrv.h
@@ -57,6 +57,8 @@ struct nss_ctx {
struct getent_ctx *gctx;
bool filter_users_in_groups;
+
+ char *pwfield;
};
struct nss_packet;
diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
index a029baf46..e4b08cb30 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
@@ -135,7 +135,7 @@ static int fill_pwent(struct sss_packet *packet,
uint32_t uid;
uint32_t gid;
size_t rsize, rp, blen;
- size_t s1, s2, s3, s4;
+ size_t s1, s2, s3, s4, s5;
size_t dom_len = 0;
int delim = 1;
int i, ret, num, t;
@@ -201,9 +201,10 @@ static int fill_pwent(struct sss_packet *packet,
s2 = strlen(gecos) + 1;
s3 = strlen(homedir) + 1;
s4 = strlen(shell) + 1;
+ s5 = strlen(nctx->pwfield) + 1;
if (add_domain) s1 += delim + dom_len;
- rsize = 2*sizeof(uint32_t) +s1 + 2 + s2 + s3 +s4;
+ rsize = 2*sizeof(uint32_t) +s1 + s2 + s3 + s4 + s5;
ret = sss_packet_grow(packet, rsize);
if (ret != EOK) {
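Review bot: `s5 = strlen(nctx->pwfield) + 1;` is recomputed next to the per-entry lengths even though `pwfield` is a configuration value that does not vary between entries. If, as the `i`/`num` locals suggest, this code runs once per result row, the length can be taken once before the loop, e.g. `const size_t s5 = strlen(nctx->pwfield) + 1;` near the declarations. The line also dereferences `nctx->pwfield` unconditionally, so it relies on nss_get_config always leaving a non-NULL string there; a short comment stating that invariant would help. The rest of fill_pwent lies outside this hunk.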
@@ -244,8 +245,8 @@ static int fill_pwent(struct sss_packet *packet,
}
rp += s1;
- memcpy(&body[rp], "x", 2);
- rp += 2;
+ memcpy(&body[rp], nctx->pwfield, s5);
+ rp += s5;
memcpy(&body[rp], gecos, s2);
rp += s2;
memcpy(&body[rp], homedir, s3);