author | Sumit Bose <sbose@redhat.com> | 2009-10-15 12:03:31 +0200 |
committer | Simo Sorce <ssorce@redhat.com> | 2009-10-15 18:10:17 -0400 |
commit | dc71edea5cda411cdce039777a2ba3b00e19ca27 (patch) | |
tree | d51721ebc7ef464a85f265e1a777c3ee0ff66b47 | |
parent | 740a9255a5c6a05f58dd63ce7adbd103d9d52164 (diff) | |
more implicit provider target settings
If auth_provider or access_provider is not set explicitly, id_provider is
used if it can handle auth or access control requests respectively. If
not, auth defaults to 'none' and the access_provider is set to 'permit'.
The option 'deny' is added for the access_provider to explicitly deny
access.
-rw-r--r-- | server/man/sssd.conf.5.xml | 29 | ||||
-rw-r--r-- | server/providers/data_provider_be.c | 61 |
2 files changed, 76 insertions, 14 deletions
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml index 7af22925..4b8a92f8 100644 --- a/server/man/sssd.conf.5.xml +++ b/server/man/sssd.conf.5.xml @@ -469,6 +469,33 @@ <para> <quote>proxy</quote> for relaying authentication to some other PAM target. </para> + <para> + <quote>none</quote> disables authentication explicitly. + </para> + <para> + Default: <quote>id_provider</quote> is used if it + is set and can handle authentication requests. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>access_provider (string)</term> + <listitem> + <para> + The access control provider used for the domain. + Supported access providers are: + </para> + <para> + <quote>permit</quote> always allow access. + </para> + <para> + <quote>deny</quote> always deny access. + </para> + <para> + Default: <quote>id_provider</quote> is used if it + is set and can handle access control requests or + <quote>permit</quote> otherwise. + </para> </listitem> </varlistentry> <varlistentry> @@ -504,7 +531,7 @@ </para> <para> Default: <quote>auth_provider</quote> is used if it - is set and can handle change password request. + is set and can handle change password requests. </para> </listitem> </varlistentry> diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c index f7830c99..a5f1b645 100644 --- a/server/providers/data_provider_be.c +++ b/server/providers/data_provider_be.c @@ -46,6 +46,7 @@ #define MSG_TARGET_NO_CONFIGURED "sssd_be: The requested target is not configured" #define ACCESS_PERMIT "permit" +#define ACCESS_DENY "deny" #define NO_PROVIDER "none" struct sbus_method monitor_be_methods[] = { 
@@ -799,6 +800,21 @@ static struct bet_ops be_target_access_permit_ops = {
 .finalize = NULL
 };
 
+static void be_target_access_deny(struct be_req *be_req)
+{
+ struct pam_data *pd = talloc_get_type(be_req->req_data, struct pam_data);
+ DEBUG(9, ("be_target_access_deny called, returning PAM_PERM_DENIED.\n"));
+
+ pd->pam_status = PAM_PERM_DENIED;
+ be_req->fn(be_req, DP_ERR_OK, PAM_PERM_DENIED, NULL);
+}
+
+static struct bet_ops be_target_access_deny_ops = {
+ .check_online = NULL,
+ .handler = be_target_access_deny,
+ .finalize = NULL
+};
+
 static int load_backend_module(struct be_ctx *ctx,
 enum bet_type bet_type,
 struct bet_info *bet_info,
@@ -853,13 +869,23 @@ static int load_backend_module(struct be_ctx *ctx,
 goto done;
 }
 
- if (strcmp(mod_name, ACCESS_PERMIT) == 0) {
- (*bet_info).bet_ops = &be_target_access_permit_ops;
- (*bet_info).pvt_bet_data = NULL;
- (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_PERMIT);
+ if (bet_type == BET_ACCESS) {
+ if (strcmp(mod_name, ACCESS_PERMIT) == 0) {
+ (*bet_info).bet_ops = &be_target_access_permit_ops;
+ (*bet_info).pvt_bet_data = NULL;
+ (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_PERMIT);
 
- ret = EOK;
- goto done;
+ ret = EOK;
+ goto done;
+ }
+ if (strcmp(mod_name, ACCESS_DENY) == 0) {
+ (*bet_info).bet_ops = &be_target_access_deny_ops;
+ (*bet_info).pvt_bet_data = NULL;
+ (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_DENY);
+
+ ret = EOK;
+ goto done;
+ }
 }
 
 mod_init_fn_name = talloc_asprintf(tmp_ctx,
@@ -997,7 +1023,8 @@ int be_process_init(TALLOC_CTX *mem_ctx,
 ctx->bet_info[BET_ID].mod_name));
 
 ret = load_backend_module(ctx, BET_AUTH,
- &ctx->bet_info[BET_AUTH], NULL);
+ &ctx->bet_info[BET_AUTH],
+ ctx->bet_info[BET_ID].mod_name);
 if (ret != EOK) {
 if (ret != ENOENT) {
 DEBUG(0, ("fatal error initializing data providers\n"));
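Review bot: `be_target_access_deny` dereferences `pd` without checking the result of `talloc_get_type`, which returns NULL when `be_req->req_data` is not a `struct pam_data`; a request routed to the access target with the wrong payload would then crash the backend process instead of being rejected. Since this handler exists precisely to fail closed, it should report the error rather than abort: `if (pd == NULL) { be_req->fn(be_req, DP_ERR_FATAL, EINVAL, NULL); return; }` placed before the `pd->pam_status` assignment. The permit handler is outside this hunk and presumably has the same shape, so the check is worth applying there too.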
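Review bot: In the new `ACCESS_DENY` branch of `load_backend_module` (hunk @@ -853), `(*bet_info).mod_name = talloc_strdup(ctx, ACCESS_DENY);` is not checked for NULL, and the existing `ACCESS_PERMIT` branch has the same gap; on allocation failure the target is reported as loaded with `ret = EOK` while `mod_name` is NULL, which is later passed to a `%s` in the success log in `be_process_init`. Add after each strdup: `if ((*bet_info).mod_name == NULL) { ret = ENOMEM; goto done; }`. As a point of style, `bet_info->bet_ops` reads more naturally than `(*bet_info).bet_ops` for the new lines. The body of `load_backend_module` continues past the end of this hunk, so `done:` and the cleanup it performs are not visible here.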
@@ -1011,14 +1038,22 @@ int be_process_init(TALLOC_CTX *mem_ctx,
 }
 
 ret = load_backend_module(ctx, BET_ACCESS,
- &ctx->bet_info[BET_ACCESS], ACCESS_PERMIT);
+ &ctx->bet_info[BET_ACCESS],
+ ctx->bet_info[BET_ID].mod_name);
 if (ret != EOK) {
- DEBUG(0, ("No ACCESS backend target available.\n"));
- return ret;
- } else {
- DEBUG(9, ("ACCESS backend target successfully loaded "
- "from provider [%s].\n", ctx->bet_info[BET_ACCESS].mod_name));
+ if (ret != ENOENT) {
+ DEBUG(0, ("No ACCESS backend target available.\n"));
+ return ret;
+ }
+ ret = load_backend_module(ctx, BET_ACCESS,
+ &ctx->bet_info[BET_ACCESS], ACCESS_PERMIT);
+ if (ret != EOK) {
+ DEBUG(0, ("Failed to set ACCESS backend to default (permit).\n"));
+ return ret;
+ }
 }
+ DEBUG(9, ("ACCESS backend target successfully loaded "
+ "from provider [%s].\n", ctx->bet_info[BET_ACCESS].mod_name));
 
 ret = load_backend_module(ctx, BET_CHPASS,
 &ctx->bet_info[BET_CHPASS],
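Review bot: The fallback to `ACCESS_PERMIT` is taken on any `ENOENT` from the first `load_backend_module` call, and it is only observable through the level-9 success message that follows; if `load_backend_module` (body outside this hunk) also returns `ENOENT` when an explicitly configured `access_provider` names a module without an access target, an administrator's intended restriction silently degrades to permit-all. The fallback should be logged at a level that normally reaches the log, e.g. `DEBUG(1, ("No usable access provider configured, defaulting to permit.\n"));` before the second call, and the "unset" and "configured but unsupported" cases distinguished if the helper can report them. The retained `"No ACCESS backend target available.\n"` now only fires for a non-`ENOENT` failure, i.e. a target that exists but failed to initialize, so `"Failed to initialize ACCESS backend target.\n"` would describe that path more accurately. Failing hard on that path rather than falling back to permit is the right choice and should stay.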