summaryrefslogtreecommitdiff
path: root/server
diff options
context:
space:
mode:
Diffstat (limited to 'server')
-rw-r--r--server/man/sssd.conf.5.xml7
-rw-r--r--server/providers/data_provider_be.c79
-rw-r--r--server/providers/dp_backend.h1
3 files changed, 67 insertions, 20 deletions
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 3eab2355..7af22925 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -499,6 +499,13 @@
<quote>proxy</quote> for relaying password changes
to some other PAM target.
</para>
+ <para>
+ <quote>none</quote> disallows password changes explicitly.
+ </para>
+ <para>
+ Default: <quote>auth_provider</quote> is used if it
+ is set and can handle change password request.
+ </para>
</listitem>
</varlistentry>
</variablelist>
diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c
index 86218d6d..f7830c99 100644
--- a/server/providers/data_provider_be.c
+++ b/server/providers/data_provider_be.c
@@ -45,6 +45,9 @@
#define MSG_TARGET_NO_CONFIGURED "sssd_be: The requested target is not configured"
+#define ACCESS_PERMIT "permit"
+#define NO_PROVIDER "none"
+
struct sbus_method monitor_be_methods[] = {
{ MON_CLI_METHOD_PING, monitor_common_pong },
{ MON_CLI_METHOD_RES_INIT, monitor_common_res_init },
@@ -798,8 +801,8 @@ static struct bet_ops be_target_access_permit_ops = {
static int load_backend_module(struct be_ctx *ctx,
enum bet_type bet_type,
- struct bet_ops **be_ops,
- void **be_pvt_data)
+ struct bet_info *bet_info,
+ const char *default_mod_name)
{
TALLOC_CTX *tmp_ctx;
int ret = EINVAL;
@@ -811,6 +814,10 @@ static int load_backend_module(struct be_ctx *ctx,
char *mod_init_fn_name = NULL;
bet_init_fn_t mod_init_fn = NULL;
+ (*bet_info).mod_name = NULL;
+ (*bet_info).bet_ops = NULL;
+ (*bet_info).pvt_bet_data = NULL;
+
if (bet_type <= BET_NULL || bet_type >= BET_MAX ||
bet_type != bet_data[bet_type].bet_type) {
DEBUG(2, ("invalid bet_type or bet_data corrupted.\n"));
@@ -831,10 +838,30 @@ static int load_backend_module(struct be_ctx *ctx,
goto done;
}
if (!mod_name) {
+ if (default_mod_name != NULL) {
+ DEBUG(5, ("no module name found in confdb, using [%s].\n",
+ default_mod_name));
+ mod_name = talloc_strdup(ctx, default_mod_name);
+ } else {
+ ret = ENOENT;
+ goto done;
+ }
+ }
+
+ if (strcasecmp(mod_name, NO_PROVIDER) == 0) {
ret = ENOENT;
goto done;
}
+ if (strcmp(mod_name, ACCESS_PERMIT) == 0) {
+ (*bet_info).bet_ops = &be_target_access_permit_ops;
+ (*bet_info).pvt_bet_data = NULL;
+ (*bet_info).mod_name = talloc_strdup(ctx, ACCESS_PERMIT);
+
+ ret = EOK;
+ goto done;
+ }
+
mod_init_fn_name = talloc_asprintf(tmp_ctx,
bet_data[bet_type].mod_init_fn_name_fmt,
mod_name);
@@ -886,17 +913,27 @@ static int load_backend_module(struct be_ctx *ctx,
if (mod_init_fn == NULL) {
DEBUG(0, ("Unable to load init fn %s from module %s, error: %s\n",
mod_init_fn_name, mod_name, dlerror()));
- ret = ELIBBAD;
+ if (default_mod_name != NULL &&
+ strcmp(default_mod_name, mod_name) == 0 ) {
+ /* If the default is used and fails we indicate this to the caller
+ * by returning ENOENT. Ths way the caller can decide how to
+ * handle the different types of error conditions. */
+ ret = ENOENT;
+ } else {
+ ret = ELIBBAD;
+ }
goto done;
}
- ret = mod_init_fn(ctx, be_ops, be_pvt_data);
+ ret = mod_init_fn(ctx, &(*bet_info).bet_ops, &(*bet_info).pvt_bet_data);
if (ret != EOK) {
DEBUG(0, ("Error (%d) in module (%s) initialization (%s)!\n",
ret, mod_name, mod_init_fn_name));
goto done;
}
+ (*bet_info).mod_name = talloc_strdup(ctx, mod_name);
+
ret = EOK;
done:
@@ -951,16 +988,16 @@ int be_process_init(TALLOC_CTX *mem_ctx,
}
ret = load_backend_module(ctx, BET_ID,
- &ctx->bet_info[BET_ID].bet_ops,
- &ctx->bet_info[BET_ID].pvt_bet_data);
+ &ctx->bet_info[BET_ID], NULL);
if (ret != EOK) {
DEBUG(0, ("fatal error initializing data providers\n"));
return ret;
}
+ DEBUG(9, ("ID backend target successfully loaded from provider [%s].\n",
+ ctx->bet_info[BET_ID].mod_name));
ret = load_backend_module(ctx, BET_AUTH,
- &ctx->bet_info[BET_AUTH].bet_ops,
- &ctx->bet_info[BET_AUTH].pvt_bet_data);
+ &ctx->bet_info[BET_AUTH], NULL);
if (ret != EOK) {
if (ret != ENOENT) {
DEBUG(0, ("fatal error initializing data providers\n"));
@@ -968,25 +1005,24 @@ int be_process_init(TALLOC_CTX *mem_ctx,
}
DEBUG(1, ("No authentication module provided for [%s] !!\n",
be_domain));
+ } else {
+ DEBUG(9, ("AUTH backend target successfully loaded "
+ "from provider [%s].\n", ctx->bet_info[BET_AUTH].mod_name));
}
ret = load_backend_module(ctx, BET_ACCESS,
- &ctx->bet_info[BET_ACCESS].bet_ops,
- &ctx->bet_info[BET_ACCESS].pvt_bet_data);
+ &ctx->bet_info[BET_ACCESS], ACCESS_PERMIT);
if (ret != EOK) {
- if (ret != ENOENT) {
- DEBUG(0, ("fatal error initializing data providers\n"));
- return ret;
- }
- DEBUG(1, ("No access control module provided for [%s] "
- "using be_target_access_permit!!\n", be_domain));
- ctx->bet_info[BET_ACCESS].bet_ops = &be_target_access_permit_ops;
- ctx->bet_info[BET_ACCESS].pvt_bet_data = NULL;
+ DEBUG(0, ("No ACCESS backend target available.\n"));
+ return ret;
+ } else {
+ DEBUG(9, ("ACCESS backend target successfully loaded "
+ "from provider [%s].\n", ctx->bet_info[BET_ACCESS].mod_name));
}
ret = load_backend_module(ctx, BET_CHPASS,
- &ctx->bet_info[BET_CHPASS].bet_ops,
- &ctx->bet_info[BET_CHPASS].pvt_bet_data);
+ &ctx->bet_info[BET_CHPASS],
+ ctx->bet_info[BET_AUTH].mod_name);
if (ret != EOK) {
if (ret != ENOENT) {
DEBUG(0, ("fatal error initializing data providers\n"));
@@ -994,6 +1030,9 @@ int be_process_init(TALLOC_CTX *mem_ctx,
}
DEBUG(1, ("No change password module provided for [%s] !!\n",
be_domain));
+ } else {
+ DEBUG(9, ("CHPASS backend target successfully loaded "
+ "from provider [%s].\n", ctx->bet_info[BET_CHPASS].mod_name));
}
return EOK;
diff --git a/server/providers/dp_backend.h b/server/providers/dp_backend.h
index bee1a85b..1a8c6c46 100644
--- a/server/providers/dp_backend.h
+++ b/server/providers/dp_backend.h
@@ -58,6 +58,7 @@ struct bet_info {
enum bet_type bet_type;
struct bet_ops *bet_ops;
void *pvt_bet_data;
+ char *mod_name;
};
struct be_offline_status {