author | Sumit Bose <sbose@redhat.com> | 2015-03-05 15:10:43 +0100 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-03-13 11:54:08 +0100 |
commit | 7bbf9d1d054f0571fa90ff5dd400a6f4a5a7f6c8 (patch) | |
tree | 9f2025d706565d31fcb183f9b999dbeb47a2d5dc /src/responder/pam | |
parent | 997864d4953a655f6ee4fe27b70fdaa30bd7790e (diff) | |
PAM: use the logon_name as the key for the PAM initgr cache
Currently the name member of the pam_data struct is used as a key but it
can change during a request. Especially for sub-domain users the name is
changed from the short to the fully-qualified version before the cache
entry is created. As a result the cache searches are always done with
the short name while the entry was written with the fully-qualified name.
The logon_name member of the pam_data struct contains the name which was
sent by the PAM client and is never changed during the request.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/responder/pam')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 16 |
1 files changed, 3 insertions, 13 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index d0e7327d8..0eb78c723 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1141,7 +1141,8 @@ static int pam_check_user_search(struct pam_auth_req *preq)
      * the number of updates within a reasonable timeout */
     if (preq->check_provider) {
-        ret = pam_initgr_check_timeout(pctx->id_table, name);
+        ret = pam_initgr_check_timeout(pctx->id_table,
+                                       preq->pd->logon_name);
         if (ret != EOK && ret != ENOENT) {
             DEBUG(SSSDBG_OP_FAILURE,
@@ -1335,7 +1336,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
     int ret;
     struct pam_ctx *pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx,
                                            struct pam_ctx);
-    char *name;
 
     if (err_maj) {
         DEBUG(SSSDBG_OP_FAILURE,
@@ -1347,17 +1347,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
     ret = pam_check_user_search(preq);
     if (ret == EOK) {
         /* Make sure we don't go to the ID provider too often */
-        name = preq->domain->case_sensitive ?
-                   talloc_strdup(preq, preq->pd->user) :
-                   sss_tc_utf8_str_tolower(preq, preq->pd->user);
-        if (!name) {
-            ret = ENOMEM;
-            goto done;
-        }
-
         ret = pam_initgr_cache_set(pctx->rctx->ev, pctx->id_table,
-                                   name, pctx->id_timeout);
-        talloc_free(name);
+                                   preq->pd->logon_name, pctx->id_timeout);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE,
                   "Could not save initgr timestamp. "
@@ -1372,7 +1363,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
     ret = pam_check_user_done(preq, ret);
-done:
     if (ret) {
         preq->pd->pam_status = PAM_SYSTEM_ERR;
         pam_reply(preq);
|
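Review bot: The key passed on the new `pam_initgr_cache_set(..., preq->pd->logon_name, ...)` line in the third hunk is the client-supplied string with no normalization, whereas the removed lines lowercased it for case-insensitive domains via sss_tc_utf8_str_tolower, so `User`, `user` and `user@domain` now get separate entries and the "don't go to the ID provider too often" throttle can be sidestepped by a PAM client that varies the spelling of the name. Check and set now agree on the same key, so the lookup mismatch the commit describes is fixed, but the throttle is keyed on attacker-influenced input and, depending on how entries in id_table expire, each spelling is a fresh entry until its own timeout. The stronger fix is to normalize logon_name once (lowercase when `preq->domain->case_sensitive` is false) and pass that normalized string at both the check_timeout and cache_set call sites; if that is deliberately not done, record it with `/* keyed on the raw logon_name: case and qualification variants of one user get separate throttle entries */` above the cache_set call. If logon_name can be NULL for some request types, which is not visible here, both call sites would also need a guard. pam_check_user_dp_callback starts and ends outside this hunk.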