authorStephen Gallagher <sgallagh@redhat.com>2010-06-17 09:50:01 -0400
committerStephen Gallagher <sgallagh@redhat.com>2010-06-17 15:40:51 -0400
commitc7a825ba91b8285b87e19688e5f5f3241f1a67bf (patch)
treed7d6ea7265164abc1e3cac32e6a190f0b56eb5f8
parentfb5c63ebd1d4ce8d560c0e964b1f1b3dc56913e5 (diff)
Honor filter_users in PAM
-rw-r--r--src/responder/pam/pamsrv.c31
-rw-r--r--src/responder/pam/pamsrv.h2
-rw-r--r--src/responder/pam/pamsrv_cmd.c24
3 files changed, 47 insertions, 10 deletions
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 7903e34c..131037c2 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -42,6 +42,7 @@
#include "monitor/monitor_interfaces.h"
#include "sbus/sbus_client.h"
#include "responder/pam/pamsrv.h"
+#include "responder/common/negcache.h"
#define SSS_PAM_SBUS_SERVICE_VERSION 0x0001
#define SSS_PAM_SBUS_SERVICE_NAME "pam"
@@ -136,7 +137,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
"PAM", &pam_dp_interface,
&pctx->rctx);
if (ret != EOK) {
- return ret;
+ goto done;
}
pctx->rctx->pvt_ctx = pctx;
@@ -150,7 +151,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
CONFDB_SERVICE_RECON_RETRIES, 3, &max_retries);
if (ret != EOK) {
DEBUG(0, ("Failed to set up automatic reconnection\n"));
- return ret;
+ goto done;
}
for (iter = pctx->rctx->be_conns; iter; iter = iter->next) {
@@ -158,7 +159,31 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
pam_dp_reconnect_init, iter);
}
- return EOK;
+ /* Set up the negative cache */
+ ret = confdb_get_int(cdb, pctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_ENTRY_NEG_TIMEOUT, 15,
+ &pctx->neg_timeout);
+ if (ret != EOK) goto done;
+
+ ret = sss_ncache_init(pctx, &pctx->ncache);
+ if (ret != EOK) {
+ DEBUG(0, ("fatal error initializing negative cache\n"));
+ goto done;
+ }
+
+ ret = sss_ncache_prepopulate(pctx->ncache, cdb, pctx->rctx->names,
+ pctx->rctx->domains);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(pctx);
+ }
+ return ret;
}
int main(int argc, const char *argv[])
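Review bot: The sss_ncache_prepopulate() failure exit is the only new error path in this hunk that logs nothing, while the neighbouring exits report at DEBUG(0); with a silent `goto done` a bad filter_users entry leaves the caller with only an error code and no hint which step failed. Suggest `if (ret != EOK) { DEBUG(0, ("fatal error prepopulating negative cache\n")); goto done; }`, and bracing the confdb_get_int check the same way for consistency with the other exits. The confdb_get_int call also deserves a comment, since the PAM responder reads its negative-cache timeout from the NSS section (CONFDB_NSS_CONF_ENTRY / CONFDB_NSS_ENTRY_NEG_TIMEOUT) and an admin setting a timeout under the PAM section would not expect it to be ignored; something like `/* Negative-cache timeout is taken from the NSS section so filter_users behaves the same in both responders */`, if that is the intent. pam_process_init() starts before the hunk, so whether pctx is a talloc allocation that the new done: path may safely free, and whether anything else still references it after the earlier goto done exits, cannot be checked from here.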
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 60f9c66a..bc206874 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -34,6 +34,8 @@ typedef void (pam_dp_callback_t)(struct pam_auth_req *preq);
struct pam_ctx {
int cred_expiration;
struct resp_ctx *rctx;
+ struct sss_nc_ctx *ncache;
+ int neg_timeout;
};
struct pam_auth_req {
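Review bot: The two new pam_ctx members carry no comment, and nothing in the header says who owns ncache or what neg_timeout measures. Given that pamsrv.c creates the cache with sss_ncache_init(pctx, &pctx->ncache) and fills neg_timeout from the NSS confdb section, suggest `struct sss_nc_ctx *ncache;   /* negative cache; talloc child of pam_ctx, freed with it */` and `int neg_timeout;            /* lifetime of negative-cache entries, read from the NSS confdb section (CONFDB_NSS_ENTRY_NEG_TIMEOUT); presumably seconds */`. struct pam_ctx is shown whole in the hunk; struct pam_auth_req below it is cut off.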
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 2078b9d9..fca6cd00 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -26,6 +26,7 @@
#include "confdb/confdb.h"
#include "responder/common/responder_packet.h"
#include "responder/common/responder.h"
+#include "responder/common/negcache.h"
#include "providers/data_provider.h"
#include "responder/pam/pamsrv.h"
#include "db/sysdb.h"
@@ -732,6 +733,9 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
size_t blen;
int timeout;
int ret;
+ errno_t ncret;
+ struct pam_ctx *pctx =
+ talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx);
uint32_t terminator = SSS_END_OF_PAM_REQUEST;
preq = talloc_zero(cctx, struct pam_auth_req);
if (!preq) {
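Review bot: `pctx` is obtained from `talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx)` without a NULL check, and the negative-cache lookup further down dereferences it unconditionally (`pctx->ncache`, `pctx->neg_timeout`); talloc_get_type() returns NULL when the stored type name does not match, so a mismatch would likely take down the responder on a PAM request rather than failing that one request. pam_process_init() stores pvt_ctx = pctx, so this is an invariant today rather than a live bug, but a guard such as `if (pctx == NULL) return EINVAL;` (placed before preq is allocated, or routed through whatever error path the rest of the function uses) documents it cheaply. Declaring ncret as errno_t next to `int ret` is also slightly inconsistent; one type for both would read better. pam_forwarder's body runs past the hunk on both sides.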
@@ -792,13 +796,19 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
for (dom = preq->cctx->rctx->domains; dom; dom = dom->next) {
if (dom->fqnames) continue;
-/* FIXME: need to support negative cache */
-#if HAVE_NEG_CACHE
- ncret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
- dom->name, cmdctx->name);
- if (ncret == ENOENT) break;
-#endif
- break;
+ ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout,
+ dom->name, pd->user);
+ if (ncret == ENOENT) {
+ /* User not found in the negative cache
+ * Proceed with PAM actions
+ */
+ break;
+ }
+
+ /* Try the next domain */
+ DEBUG(4, ("User [%s@%s] filtered out (negative cache). "
+ "Trying next domain.\n",
+ pd->user, dom->name));
}
if (!dom) {
ret = ENOENT;