diff options
| author | Stephen Gallagher <sgallagh@redhat.com> | 2011-07-01 16:12:58 -0400 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-07-08 15:12:24 -0400 |
| commit | 98fc4cbc838615a88b9725a13ab7491e89cbac32 (patch) | |
| tree | 9bbaafbb6cd19405549979a682c1fb6331e491e1 /src/providers/ipa/ipa_access.c | |
| parent | 1360b4f4d6e948023daeda8787f575e7f8117444 (diff) | |
| download | sssd-98fc4cbc838615a88b9725a13ab7491e89cbac32.tar.gz sssd-98fc4cbc838615a88b9725a13ab7491e89cbac32.tar.xz sssd-98fc4cbc838615a88b9725a13ab7491e89cbac32.zip | |
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
Diffstat (limited to 'src/providers/ipa/ipa_access.c')
| -rw-r--r-- | src/providers/ipa/ipa_access.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c index 2a6588ebf..d88673f1e 100644 --- a/src/providers/ipa/ipa_access.c +++ b/src/providers/ipa/ipa_access.c @@ -97,6 +97,7 @@ void ipa_access_handler(struct be_req *be_req) { struct pam_data *pd; struct hbac_ctx *hbac_ctx; + const char *deny_method; int pam_status = PAM_SYSTEM_ERR; struct ipa_access_ctx *ipa_access_ctx; int ret; @@ -108,7 +109,7 @@ void ipa_access_handler(struct be_req *be_req) DEBUG(1, ("talloc failed.\n")); goto fail; } - hbac_ctx->get_deny_rules = true; /* make this a config option */ + hbac_ctx->be_req = be_req; hbac_ctx->pd = pd; ipa_access_ctx = talloc_get_type( @@ -125,6 +126,14 @@ void ipa_access_handler(struct be_req *be_req) goto fail; } + deny_method = dp_opt_get_string(hbac_ctx->ipa_options, + IPA_HBAC_DENY_METHOD); + if (strcasecmp(deny_method, "IGNORE") == 0) { + hbac_ctx->get_deny_rules = false; + } else { + hbac_ctx->get_deny_rules = true; + } + ret = hbac_retry(hbac_ctx); if (ret != EOK) { goto fail; |