summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2012-07-19 15:50:52 -0400
committerJakub Hrozek <jhrozek@redhat.com>2012-07-20 20:21:19 +0200
commit695bca9d2f73096254308e0883fcc74b2631850e (patch)
treec3f6e7dae7c8e96bc2ae5b380e1946f9bad3b2ef /src
parent5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3 (diff)
downloadsssd-695bca9d2f73096254308e0883fcc74b2631850e.tar.gz
sssd-695bca9d2f73096254308e0883fcc74b2631850e.tar.bz2
sssd-695bca9d2f73096254308e0883fcc74b2631850e.zip
NSS: Add override_shell option
If override_shell is specified in the [nss] section, all users managed by SSSD will have their shell set to this value. If it is specified in the [domain/DOMAINNAME] section, it will apply to only that domain (and override the [nss] value, if any). https://fedorahosted.org/sssd/ticket/1087
Diffstat (limited to 'src')
-rw-r--r--src/confdb/confdb.c10
-rw-r--r--src/confdb/confdb.h2
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rwxr-xr-xsrc/config/SSSDConfigTest.py2
-rw-r--r--src/config/etc/sssd.api.conf2
-rw-r--r--src/man/sssd.conf.5.xml14
-rw-r--r--src/responder/nss/nsssrv.c5
-rw-r--r--src/responder/nss/nsssrv.h1
-rw-r--r--src/responder/nss/nsssrv_cmd.c14
9 files changed, 49 insertions, 2 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index ab0d0048..37a5758c 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1064,6 +1064,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
}
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_OVERRIDE_SHELL, NULL);
+ if (tmp != NULL) {
+ domain->override_shell = talloc_strdup(domain, tmp);
+ if (!domain->override_shell) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
ret = get_entry_as_bool(res->msgs[0], &domain->case_sensitive,
CONFDB_DOMAIN_CASE_SENSITIVE, true);
if(ret != EOK) {
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 6f6b730a..d06ec7a3 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -87,6 +87,7 @@
#define CONFDB_NSS_PWFIELD "pwfield"
#define CONFDB_NSS_OVERRIDE_HOMEDIR "override_homedir"
#define CONFDB_NSS_FALLBACK_HOMEDIR "fallback_homedir"
+#define CONFDB_NSS_OVERRIDE_SHELL "override_shell"
#define CONFDB_NSS_VETOED_SHELL "vetoed_shells"
#define CONFDB_NSS_ALLOWED_SHELL "allowed_shells"
#define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
@@ -207,6 +208,7 @@ struct sss_domain_info {
const char *override_homedir;
const char *fallback_homedir;
const char *subdomain_homedir;
+ const char *override_shell;
uint32_t user_timeout;
uint32_t group_timeout;
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 18586ad6..1daa3907 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -65,6 +65,7 @@ option_strings = {
'pwfield' : _('The value of the password field the NSS provider should return'),
'override_homedir' : _('Override homedir value from the identity provider with this value'),
'fallback_homedir' : _('Substitute empty homedir value from the identity provider with this value'),
+ 'override_shell': _('Override shell value from the identity provider with this value'),
'allowed_shells' : _('The list of shells users are allowed to log in with'),
'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'),
'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index dc4bcc96..9f77188b 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -505,6 +505,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'case_sensitive',
'override_homedir',
'fallback_homedir',
+ 'override_shell',
'pwd_expiration_warning',
'id_provider',
'auth_provider',
@@ -837,6 +838,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'case_sensitive',
'override_homedir',
'fallback_homedir',
+ 'override_shell',
'pwd_expiration_warning',
'id_provider',
'auth_provider',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 35ebb2e4..fe5a0962 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -34,6 +34,7 @@ filter_users_in_groups = bool, None, false
pwfield = str, None, false
override_homedir = str, None, false
fallback_homedir = str, None, false
+override_shell = str, None, false
allowed_shells = list, str, false
vetoed_shells = list, str, false
shell_fallback = str, None, false
@@ -105,6 +106,7 @@ override_gid = int, None, false
case_sensitive = bool, None, false
override_homedir = str, None, false
fallback_homedir = str, None, false
+override_shell = str, None, false
#Entry cache timeouts
entry_cache_user_timeout = int, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 26f05eae..a6e5e82b 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -486,6 +486,20 @@ override_homedir = /home/%u
</listitem>
</varlistentry>
<varlistentry>
+ <term>override_shell (string)</term>
+ <listitem>
+ <para>
+ Override the login shell for all users. This
+ option can be specified globally in the [nss]
+ section or per-domain.
+ </para>
+ <para>
+ Default: not set (SSSD will use the value
+ retrieved from LDAP)
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>allowed_shells (string)</term>
<listitem>
<para>
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index cd2060e4..64267e86 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -182,6 +182,11 @@ static int nss_get_config(struct nss_ctx *nctx,
&nctx->fallback_homedir);
if (ret != EOK) goto done;
+ ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_OVERRIDE_SHELL, NULL,
+ &nctx->override_shell);
+ if (ret != EOK && ret != ENOENT) goto done;
+
ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_ALLOWED_SHELL,
&nctx->allowed_shells);
diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h
index 58cd3da0..a8b2c3c9 100644
--- a/src/responder/nss/nsssrv.h
+++ b/src/responder/nss/nsssrv.h
@@ -63,6 +63,7 @@ struct nss_ctx {
char *override_homedir;
char *fallback_homedir;
char **allowed_shells;
+ char *override_shell;
char **vetoed_shells;
char **etc_shells;
char *shell_fallback;
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 5c5f8060..64fd7a58 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -155,11 +155,21 @@ static const char *get_homedir_override(TALLOC_CTX *mem_ctx,
static const char *get_shell_override(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
- struct nss_ctx *nctx)
+ struct nss_ctx *nctx,
+ struct sss_domain_info *dom)
{
const char *user_shell;
int i;
+ /* Check whether we are unconditionally overriding the server
+ * for the login shell.
+ */
+ if (dom->override_shell) {
+ return dom->override_shell;
+ } else if (nctx->override_shell) {
+ return nctx->override_shell;
+ }
+
user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
if (!user_shell) {
/* Check whether there is a default shell specified */
@@ -303,7 +313,7 @@ static int fill_pwent(struct sss_packet *packet,
} else {
to_sized_string(&homedir, tmpstr);
}
- tmpstr = get_shell_override(tmp_ctx, msg, nctx);
+ tmpstr = get_shell_override(tmp_ctx, msg, nctx, dom);
if (!tmpstr) {
to_sized_string(&shell, "");
} else {