author | Pete Fritchman <pfritchman@fxcm.com> | 2014-03-11 10:51:20 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-14 14:11:10 +0100 |
commit | d987dba42894aceff106d557b13812092028cc29 (patch) | |
tree | 239511cf5bcae2467483e36e56f86a2246806bf5 /src/sss_client | |
parent | 06b7bc8ca2e005ed510210d3b8dee16afbabbcc9 (diff) | |
PAM: add ignore_unknown_user option
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/sss_client')
-rw-r--r-- | src/sss_client/pam_sss.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d45b2e88f..32558fac9 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -47,6 +47,7 @@
 #define FLAGS_USE_FIRST_PASS (1 << 0)
 #define FLAGS_FORWARD_PASS (1 << 1)
 #define FLAGS_USE_AUTHTOK (1 << 2)
+#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
 
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
 #define FD_DESTRUCTOR "pam_sss:fd_destructor"
@@ -1284,6 +1285,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
 }
 } else if (strcmp(*argv, "quiet") == 0) {
 *quiet_mode = true;
+ } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
+ *flags |= FLAGS_IGNORE_UNKNOWN_USER;
 } else {
 logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
 }
@@ -1425,6 +1428,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 ret = get_pam_items(pamh, &pi);
 if (ret != PAM_SUCCESS) {
 D(("get items returned error: %s", pam_strerror(pamh,ret)));
+ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+ ret = PAM_IGNORE;
+ }
 return ret;
 }
 
@@ -1463,6 +1469,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 
 pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
 
+ if (flags & FLAGS_IGNORE_UNKNOWN_USER
+ && pam_status == PAM_USER_UNKNOWN) {
+ pam_status = PAM_IGNORE;
+ }
+
 switch (task) {
 case SSS_PAM_AUTHENTICATE:
 /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during |
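Review bot: The remapping in the `get_pam_items` error path is silent: once `ret` becomes `PAM_IGNORE`, nothing records that pam_sss stepped aside for this user, and the same holds for the second remapping after `send_and_receive` in the last hunk. With the option set, the verdict for a user SSSD does not know is left to the other modules in the stack, so a log line is what lets an administrator or auditor see why pam_sss returned no result, for example `logger(pamh, LOG_DEBUG, "user unknown to SSSD, returning PAM_IGNORE");` inside both `if` bodies. I would also parenthesise the mask test so the precedence is explicit: `if ((flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN) {`. The body of pam_sss() starts and ends outside this hunk.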
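Review bot: The rewrite of `pam_status` to `PAM_IGNORE` sits before `switch (task)`, so it applies to every task pam_sss() serves rather than to authentication alone, and the per-task cases never see `PAM_USER_UNKNOWN` when the option is set. Whether that is intended for account management and password change is not stated anywhere in the visible change; a comment above the `if` should say so, for example `/* ignore_unknown_user: for every PAM task, let the rest of the stack decide for users SSSD does not know */`. The same comment should note that the option presumes another module in the stack gives a verdict for such users, since pam_sss no longer does. The switch body continues outside the hunk, so any case that depends on the original status cannot be checked from here.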