authorLukas Slebodnik <lslebodn@redhat.com>2014-05-26 18:31:06 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-06-03 13:43:59 +0200
commit368f03b2c3c63e82f8f9073f851143ff270d62a6 (patch)
treed7de64bc3c81efdcdd11103479c581e5e56307a1
parentb6d7e01b4b76cdc72cde36e8cc7c7216fd3cdb6b (diff)
PAM: add ignore_authinfo_unavail option
Resolves: https://fedorahosted.org/sssd/ticket/2232 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit ffa42f689dded74b0c0b0451bff3516bc4003179)
-rw-r--r--src/man/pam_sss.8.xml14
-rw-r--r--src/sss_client/pam_sss.c11
2 files changed, 25 insertions, 0 deletions
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index e42cb2d62..859d42eea 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -40,6 +40,9 @@
<arg choice='opt'>
<replaceable>ignore_unknown_user</replaceable>
</arg>
+ <arg choice='opt'>
+ <replaceable>ignore_authinfo_unavail</replaceable>
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -116,6 +119,17 @@
the PAM framework to ignore this module.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>ignore_authinfo_unavail</option>
+ </term>
+ <listitem>
+ <para>
+ Specifies that the PAM module should return PAM_IGNORE
+ if it cannot contact the SSSD daemon. This causes
+ the PAM framework to ignore this module.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 5ee91b945..e219e8bb5 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -53,6 +53,7 @@
#define FLAGS_FORWARD_PASS (1 << 1)
#define FLAGS_USE_AUTHTOK (1 << 2)
#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
#define PWEXP_FLAG "pam_sss:password_expired_flag"
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
@@ -1316,6 +1317,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*quiet_mode = true;
} else if (strcmp(*argv, "ignore_unknown_user") == 0) {
*flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
+ *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -1456,6 +1459,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
ret = PAM_IGNORE;
}
+ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ && ret == PAM_AUTHINFO_UNAVAIL) {
+ ret = PAM_IGNORE;
+ }
return ret;
}
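Review bot: The new branch ahead of `return ret;` rewrites `PAM_AUTHINFO_UNAVAIL` to `PAM_IGNORE` without logging anything, so with the option set an unreachable SSSD leaves no trace from this module in the auth log. The identical block in the next hunk sits ahead of `switch (task)`, so it applies to every task rather than only authentication; once pam_sss is ignored, the outcome (including any account-phase access control that would normally come from SSSD) is decided solely by the remaining modules in the stack. I would log the downgrade at both sites, for example `logger(pamh, LOG_NOTICE, "SSSD unavailable, returning PAM_IGNORE (ignore_authinfo_unavail)");`, and add a short comment such as `/* fail-open by admin request: outcome is left to the rest of the PAM stack */`. The man page entry could also state that the option affects all management groups where it is set. The body of pam_sss starts and ends outside this hunk, so whether other return paths also yield `PAM_AUTHINFO_UNAVAIL` cannot be confirmed from here.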
@@ -1498,6 +1505,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
&& pam_status == PAM_USER_UNKNOWN) {
pam_status = PAM_IGNORE;
}
+ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ && pam_status == PAM_AUTHINFO_UNAVAIL) {
+ pam_status = PAM_IGNORE;
+ }
switch (task) {
case SSS_PAM_AUTHENTICATE: