authorJakub Hrozek <jhrozek@redhat.com>2016-11-21 12:10:46 +0100
committerJakub Hrozek <jhrozek@redhat.com>2017-02-15 14:51:59 +0100
commitc778c36c5170c2b9f1cf7a6e3b0811124534df03 (patch)
treef19a1879a57bf1ca99fc0d8236c5718282e83cc0
parenta60e6ec802cd2858dc85eabd442cff16fb23618f (diff)
CONFDB: Make pwfield configurable per-domain
Previously, the pwfield option was only configurable at the NSS level. Because it's important for the files provider to report "x" as the pwfield instead of "*" which is the SSSD default, this commit makes the pwfield configurable at the domain level. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r--src/confdb/confdb.c10
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/responder/nss/nss_private.h4
-rw-r--r--src/responder/nss/nss_protocol_grent.c6
-rw-r--r--src/responder/nss/nss_protocol_pwent.c6
-rw-r--r--src/responder/nss/nss_utils.c12
6 files changed, 33 insertions, 6 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index e52b96c8a..5112c6d56 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1325,6 +1325,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_PWFIELD, NULL);
+ if (tmp != NULL) {
+ domain->pwfield = talloc_strdup(domain, tmp);
+ if (!domain->pwfield) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
CONFDB_SUBDOMAIN_ENUMERATE,
CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE);
if (tmp != NULL) {
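Review bot: The added `if (tmp != NULL)` check stores any configured string, including an empty one, as `domain->pwfield`, and `nss_get_pwfield()` in nss_utils.c then prefers it over the responder-wide value because it tests only for NULL. Consumers of passwd entries conventionally read an empty password field as "no password required", so an empty or mistyped per-domain value would be reported for every entry of that domain. Consider treating an empty string as unset, `if (tmp != NULL && tmp[0] != '\0') {`, or rejecting it with a logged configuration error. Whether the NSS-level option is validated elsewhere is not visible here, and confdb_get_domain_internal continues outside the hunk.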
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 7c9446981..353dfd0a9 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -270,6 +270,7 @@ struct sss_domain_info {
bool ignore_group_members;
uint32_t id_min;
uint32_t id_max;
+ const char *pwfield;
bool cache_credentials;
uint32_t cache_credentials_min_ff_length;
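Review bot: The new `pwfield` member is undocumented, although NULL has a specific meaning: the lookup helper added in nss_utils.c falls back to the responder-wide value when it is NULL. A short comment on the field would make that contract visible to other users of the struct, for example `/* Per-domain password field; NULL means use the NSS responder's value. */`. struct sss_domain_info starts and ends outside the hunk.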
diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
index e63fbabc8..acb3c4aa5 100644
--- a/src/responder/nss/nss_private.h
+++ b/src/responder/nss/nss_private.h
@@ -151,4 +151,8 @@ int sized_member_name(TALLOC_CTX *mem_ctx,
const char *member_name,
struct sized_string **_name);
+const char *
+nss_get_pwfield(struct nss_ctx *nctx,
+ struct sss_domain_info *dom);
+
#endif /* _NSS_PRIVATE_H_ */
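Review bot: The new prototype has no comment describing the fallback, and it takes both arguments as non-const pointers although the definition in nss_utils.c only reads them. Suggest `/* Returns the domain's pwfield if set, otherwise the responder-wide one; the string is owned by dom or nctx and must not be freed. */` above the declaration. The parameters could become `const struct nss_ctx *nctx, const struct sss_domain_info *dom` in both the prototype and the definition.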
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 7409e0458..283ab9f67 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -219,9 +219,6 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
return ENOMEM;
}
- /* Password field content. */
- to_sized_string(&pwfield, nss_ctx->pwfield);
-
/* First two fields (length and reserved), filled up later. */
ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
if (ret != EOK) {
@@ -235,6 +232,9 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
talloc_free_children(tmp_ctx);
msg = result->msgs[i];
+ /* Password field content. */
+ to_sized_string(&pwfield, nss_get_pwfield(nss_ctx, result->domain));
+
ret = nss_get_grent(tmp_ctx, nss_ctx, result->domain, msg,
&gid, &name);
if (ret != EOK) {
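Review bot: The `to_sized_string(&pwfield, nss_get_pwfield(nss_ctx, result->domain));` call now runs once per entry, although as far as the hunk shows only `msg = result->msgs[i]` changes between iterations and `result->domain` stays the same. Keeping the call where the removed line was, before the loop, with only the argument replaced, would avoid recomputing the same sized string for every message. The same applies to the matching hunk in nss_protocol_pwent.c. The loop header lies outside the hunk, so confirm that `result` is not reassigned inside it before hoisting.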
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index 783b06a32..edda9d3c8 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -287,9 +287,6 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
return ENOMEM;
}
- /* Password field content. */
- to_sized_string(&pwfield, nss_ctx->pwfield);
-
/* First two fields (length and reserved), filled up later. */
ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
if (ret != EOK) {
@@ -303,6 +300,9 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
talloc_free_children(tmp_ctx);
msg = result->msgs[i];
+ /* Password field content. */
+ to_sized_string(&pwfield, nss_get_pwfield(nss_ctx, result->domain));
+
ret = nss_get_pwent(tmp_ctx, nss_ctx, result->domain, msg, &uid, &gid,
&name, &gecos, &homedir, &shell);
if (ret != EOK) {
diff --git a/src/responder/nss/nss_utils.c b/src/responder/nss/nss_utils.c
index 41081c914..f839930a2 100644
--- a/src/responder/nss/nss_utils.c
+++ b/src/responder/nss/nss_utils.c
@@ -24,6 +24,7 @@
#include "util/util.h"
#include "confdb/confdb.h"
#include "responder/common/responder.h"
+#include "responder/nss/nss_private.h"
const char *
nss_get_name_from_msg(struct sss_domain_info *domain,
@@ -138,3 +139,14 @@ done:
talloc_free(tmp_ctx);
return ret;
}
+
+const char *
+nss_get_pwfield(struct nss_ctx *nctx,
+ struct sss_domain_info *dom)
+{
+ if (dom->pwfield != NULL) {
+ return dom->pwfield;
+ }
+
+ return nctx->pwfield;
+}