author | Pete Fritchman <pfritchman@fxcm.com> | 2014-03-11 10:51:20 -0400 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-14 14:11:10 +0100 |
commit | d987dba42894aceff106d557b13812092028cc29 (patch) | |
tree | 239511cf5bcae2467483e36e56f86a2246806bf5 | |
parent | 06b7bc8ca2e005ed510210d3b8dee16afbabbcc9 (diff) | |
PAM: add ignore_unknown_user option
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/man/pam_sss.8.xml | 13 | ||||
-rw-r--r-- | src/sss_client/pam_sss.c | 11 |
2 files changed, 24 insertions, 0 deletions
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index 954f69614..e42cb2d62 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -37,6 +37,9 @@
 <arg choice='opt'>
 <replaceable>retry=N</replaceable>
 </arg>
+ <arg choice='opt'>
+ <replaceable>ignore_unknown_user</replaceable>
+ </arg>
 </cmdsynopsis>
 </refsynopsisdiv>
@@ -103,6 +106,16 @@
 <option>PasswordAuthentication</option>.</para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>
+ <option>ignore_unknown_user</option>
+ </term>
+ <listitem>
+ <para>If this option is specified and the user does not
+ exist, the PAM module will return PAM_IGNORE. This causes
+ the PAM framework to ignore this module.</para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </refsect1>
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d45b2e88f..32558fac9 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -47,6 +47,7 @@
 #define FLAGS_USE_FIRST_PASS (1 << 0)
 #define FLAGS_FORWARD_PASS (1 << 1)
 #define FLAGS_USE_AUTHTOK (1 << 2)
+#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
 #define FD_DESTRUCTOR "pam_sss:fd_destructor"
@@ -1284,6 +1285,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
 }
 } else if (strcmp(*argv, "quiet") == 0) {
 *quiet_mode = true;
+ } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
+ *flags |= FLAGS_IGNORE_UNKNOWN_USER;
 } else {
 logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
 }
@@ -1425,6 +1428,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 ret = get_pam_items(pamh, &pi);
 if (ret != PAM_SUCCESS) {
 D(("get items returned error: %s", pam_strerror(pamh,ret)));
+ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+ ret = PAM_IGNORE;
+ }
 return ret;
 }
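Review bot: The status rewrite in the get_pam_items failure path (third pam_sss.c hunk) turns PAM_USER_UNKNOWN into PAM_IGNORE with no record of the decision beyond the D() debug line that precedes it, and the identical rewrite after send_and_receive in the following hunk leaves no record at all, so an administrator working out why pam_sss silently stepped aside for a given stack has nothing in the logs to look for. The module already has a logger helper (the eval_argv hunk uses it with LOG_WARNING for unknown options); a line such as `logger(pamh, LOG_DEBUG, "user unknown, returning PAM_IGNORE (ignore_unknown_user)");` inside each new if block would make the remap traceable. In the same condition, `flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN` relies on & binding tighter than &&; writing `(flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN` makes the intent explicit, and the next hunk should follow suit. Whether get_pam_items can actually report PAM_USER_UNKNOWN is not visible here and is presumably what this branch relies on. Both eval_argv and pam_sss continue outside the hunks.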
@@ -1463,6 +1469,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
+ if (flags & FLAGS_IGNORE_UNKNOWN_USER
+ && pam_status == PAM_USER_UNKNOWN) {
+ pam_status = PAM_IGNORE;
+ }
+
 switch (task) {
 case SSS_PAM_AUTHENTICATE:
 /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during |
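Review bot: The new if block sits before `switch (task)`, so the PAM_USER_UNKNOWN → PAM_IGNORE remap applies to every task that pam_sss() dispatches, not only SSS_PAM_AUTHENTICATE, and nothing in the code or the man page text in this commit says so explicitly. A comment above the block would pin the contract for the next reader: `/* ignore_unknown_user: step aside for every task when sssd reports the user as unknown; any other status still propagates unchanged */`. The second half of that comment is worth stating because the condition tests exactly PAM_USER_UNKNOWN, so an unreachable backend or other error from send_and_receive is still returned as-is rather than ignored. Since flags come from eval_argv's parsing of the module arguments, the option is scoped to the PAM stack line that names it, which is presumably the intended granularity. The enclosing pam_sss() continues outside the hunk.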