author | Sumit Bose <sbose@redhat.com> | 2017-05-03 16:30:12 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-06-01 16:46:26 +0200 |
commit | 32474fa2f0a6dc09386bab405fc3461cb3dd12ac (patch) | |
tree | 5b8c1383612226a70b5fbe9550e7c9cc7a94bb75 /src/responder | |
parent | 6073cfc40747cd6d3142f0f98b880fc390dd7aad (diff) | |
PAM: send user name hint response when needed
If the PAM client didn't send a user name and promptusername is enabled
the PAM responder will tell pam_sss to ask for an optional user name as
well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 70 |
1 files changed, 45 insertions, 25 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 080cfafa7..49a05657e 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -1414,7 +1414,7 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) struct cache_req_result **results; struct pam_auth_req *preq = tevent_req_callback_data(req, struct pam_auth_req); - const char *cert_user; + const char *cert_user = NULL; ret = cache_req_recv(preq, req, &results); talloc_zfree(req); 
@@ -1439,35 +1439,55 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) goto done; } - if (preq->cert_user_objs->count != 1) { - DEBUG(SSSDBG_CRIT_FAILURE, - "More than one user mapped to certificate.\n"); - /* TODO: send pam response to ask for a user name */ - ret = ERR_NO_CREDS; - goto done; - } - cert_user = ldb_msg_find_attr_as_string( + if (preq->cert_user_objs->count == 1) { + cert_user = ldb_msg_find_attr_as_string( preq->cert_user_objs->msgs[0], SYSDB_NAME, NULL); - if (cert_user == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Certificate user object has not name.\n"); - ret = ENOENT; - goto done; + if (cert_user == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Certificate user object has not name.\n"); + ret = ENOENT; + goto done; + } + + DEBUG(SSSDBG_FUNC_DATA, + "Found certificate user [%s].\n", cert_user); + + ret = sss_parse_name_for_domains(preq->pd, + preq->cctx->rctx->domains, + preq->cctx->rctx->default_domain, + cert_user, + &preq->pd->domain, + &preq->pd->user); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_parse_name_for_domains failed.\n"); + goto done; + } } - DEBUG(SSSDBG_FUNC_DATA, "Found certificate user [%s].\n", - cert_user); + if (preq->cctx->rctx->domains->user_name_hint) { + ret = add_pam_cert_response(preq->pd, cert_user, + preq->token_name, + preq->module_name, + preq->key_id, + SSS_PAM_CERT_INFO_WITH_HINT); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n"); + preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL; + } + ret = EOK; + preq->pd->pam_status = PAM_SUCCESS; + pam_reply(preq); + goto done; + } - ret = sss_parse_name_for_domains(preq->pd, - preq->cctx->rctx->domains, - preq->cctx->rctx->default_domain, - cert_user, - &preq->pd->domain, - &preq->pd->user); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sss_parse_name_for_domains failed.\n"); + /* Without user name hints the certificate must map to single user + * if no login name was given */ + if (cert_user == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, + "More than one user mapped to certificate.\n"); + ret = ERR_NO_CREDS; goto done; } |
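Review bot: In the new `user_name_hint` branch a failing add_pam_cert_response() sets `preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL`, but the two lines that follow unconditionally execute `ret = EOK; preq->pd->pam_status = PAM_SUCCESS;` before pam_reply(), so the error status is overwritten and the client is told PAM_SUCCESS for a reply that carries no certificate/hint response. Keep `ret = EOK;` (the reply has been handled) but move the success status into the other arm: `} else { preq->pd->pam_status = PAM_SUCCESS; }` and delete the unconditional assignment. The hint flag is also read from the head of the domain list (`preq->cctx->rctx->domains->user_name_hint`) rather than from the domain the certificate user resolved to; if that option can differ per domain this deserves a comment or a check against `preq->pd->domain`. The enclosing function pam_forwarder_lookup_by_cert_done() continues past the end of this hunk.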