-rw-r--r--server/man/sssd.conf.5.xml29
-rw-r--r--server/providers/data_provider_be.c61
2 files changed, 76 insertions, 14 deletions
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 7af22925..4b8a92f8 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -469,6 +469,33 @@
<para>
<quote>proxy</quote> for relaying authentication to some other PAM target.
</para>
+ <para>
+ <quote>none</quote> disables authentication explicitly.
+ </para>
+ <para>
+ Default: <quote>id_provider</quote> is used if it
+ is set and can handle authentication requests.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>access_provider (string)</term>
+ <listitem>
+ <para>
+ The access control provider used for the domain.
+ Supported access providers are:
+ </para>
+ <para>
+ <quote>permit</quote> always allow access.
+ </para>
+ <para>
+ <quote>deny</quote> always deny access.
+ </para>
+ <para>
+ Default: <quote>id_provider</quote> is used if it
+ is set and can handle access control requests or
+ <quote>permit</quote> otherwise.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
@@ -504,7 +531,7 @@
</para>
<para>
Default: <quote>auth_provider</quote> is used if it
- is set and can handle change password request.
+ is set and can handle change password requests.
</para>
</listitem>
</varlistentry>
diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c
index f7830c99..a5f1b645 100644
--- a/server/providers/data_provider_be.c
+++ b/server/providers/data_provider_be.c
@@ -46,6 +46,7 @@
#define MSG_TARGET_NO_CONFIGURED "sssd_be: The requested target is not configured"
#define ACCESS_PERMIT "permit"
+#define ACCESS_DENY "deny"
#define NO_PROVIDER "none"
struct sbus_method monitor_be_methods[] = {
@@ -799,6 +800,21 @@ static struct bet_ops be_target_access_permit_ops = {
.finalize = NULL
};
+static void be_target_access_deny(struct be_req *be_req)
+{
+ struct pam_data *pd = talloc_get_type(be_req->req_data, struct pam_data);
+ DEBUG(9, ("be_target_access_deny called, returning PAM_PERM_DENIED.\n"));
+
+ pd->pam_status = PAM_PERM_DENIED;
+ be_req->fn(be_req, DP_ERR_OK, PAM_PERM_DENIED, NULL);
+}
+
+static struct bet_ops be_target_access_deny_ops = {
+ .check_online = NULL,
+ .handler = be_target_access_deny,
+ .finalize = NULL
+};
+
static int load_backend_module(struct be_ctx *ctx,
enum bet_type bet_type,
struct bet_info *bet_info,
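Review bot: In be_target_access_deny the `pd` obtained from talloc_get_type() is dereferenced on the very next statement without a NULL check; talloc_get_type returns NULL when req_data is not a `struct pam_data`, so a request routed to the access target with other payload would crash the backend instead of being rejected. Add `if (pd == NULL) { DEBUG(1, ("Invalid request data.\n")); be_req->fn(be_req, DP_ERR_FATAL, EINVAL, NULL); return; }` using whatever non-OK dp error constant the other handlers use (DP_ERR_FATAL, if it exists alongside DP_ERR_OK). The permit handler defined just above this hunk presumably has the same shape and should get the same guard.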
@@ -853,13 +869,23 @@ static int load_backend_module(struct be_ctx *ctx,
goto done;
}
- if (strcmp(mod_name, ACCESS_PERMIT) == 0) {
- (*bet_info).bet_ops = &be_target_access_permit_ops;
- (*bet_info).pvt_bet_data = NULL;
- (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_PERMIT);
+ if (bet_type == BET_ACCESS) {
+ if (strcmp(mod_name, ACCESS_PERMIT) == 0) {
+ (*bet_info).bet_ops = &be_target_access_permit_ops;
+ (*bet_info).pvt_bet_data = NULL;
+ (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_PERMIT);
- ret = EOK;
- goto done;
+ ret = EOK;
+ goto done;
+ }
+ if (strcmp(mod_name, ACCESS_DENY) == 0) {
+ (*bet_info).bet_ops = &be_target_access_deny_ops;
+ (*bet_info).pvt_bet_data = NULL;
+ (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_DENY);
+
+ ret = EOK;
+ goto done;
+ }
}
mod_init_fn_name = talloc_asprintf(tmp_ctx,
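Review bot: The `talloc_strdup()` results stored in `(*bet_info).mod_name` in both the permit branch and the new deny branch are unchecked, yet the function returns EOK either way; the caller later prints `mod_name` with `%s` (visible in the be_process_init hunk below), which is undefined behaviour for NULL. Add after each strdup: `if ((*bet_info).mod_name == NULL) { ret = ENOMEM; goto done; }`. The two branches differ only in the ops table and the name string, so a small lookup table would remove the duplication. load_backend_module continues outside this hunk.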
@@ -997,7 +1023,8 @@ int be_process_init(TALLOC_CTX *mem_ctx,
ctx->bet_info[BET_ID].mod_name));
ret = load_backend_module(ctx, BET_AUTH,
- &ctx->bet_info[BET_AUTH], NULL);
+ &ctx->bet_info[BET_AUTH],
+ ctx->bet_info[BET_ID].mod_name);
if (ret != EOK) {
if (ret != ENOENT) {
DEBUG(0, ("fatal error initializing data providers\n"));
@@ -1011,14 +1038,22 @@ int be_process_init(TALLOC_CTX *mem_ctx,
}
ret = load_backend_module(ctx, BET_ACCESS,
- &ctx->bet_info[BET_ACCESS], ACCESS_PERMIT);
+ &ctx->bet_info[BET_ACCESS],
+ ctx->bet_info[BET_ID].mod_name);
if (ret != EOK) {
- DEBUG(0, ("No ACCESS backend target available.\n"));
- return ret;
- } else {
- DEBUG(9, ("ACCESS backend target successfully loaded "
- "from provider [%s].\n", ctx->bet_info[BET_ACCESS].mod_name));
+ if (ret != ENOENT) {
+ DEBUG(0, ("No ACCESS backend target available.\n"));
+ return ret;
+ }
+ ret = load_backend_module(ctx, BET_ACCESS,
+ &ctx->bet_info[BET_ACCESS], ACCESS_PERMIT);
+ if (ret != EOK) {
+ DEBUG(0, ("Failed to set ACCESS backend to default (permit).\n"));
+ return ret;
+ }
}
+ DEBUG(9, ("ACCESS backend target successfully loaded "
+ "from provider [%s].\n", ctx->bet_info[BET_ACCESS].mod_name));
ret = load_backend_module(ctx, BET_CHPASS,
&ctx->bet_info[BET_CHPASS],
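Review bot: The fallback to `permit` when the id provider has no access target is fail-open and is only reported through the level-9 "successfully loaded" message, so an administrator gets no visible indication that access control is effectively disabled for the domain. Log the fallback at a low debug level before the second load_backend_module call, e.g. `DEBUG(1, ("Provider [%s] does not handle access control; defaulting to 'permit'.\n", ctx->bet_info[BET_ID].mod_name));`. If load_backend_module also returns ENOENT for an explicitly configured access_provider whose module lacks an access target (its config lookup is not in this hunk), a typo in access_provider would silently become permit, and that case should be fatal rather than fall back. be_process_init continues past the end of this hunk.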