From ed01048c14cceae14a73e894c3202a55cd402b93 Mon Sep 17 00:00:00 2001 From: Mike khiretskiy Date: Tue, 19 Nov 2013 15:30:47 +0400 Subject: [PATCH] =?UTF-8?q?=D0=9E=D1=82=D0=BA=D0=BB=D1=8E=D1=87=D0=B5?= =?UTF-8?q?=D0=BD=D0=BE=20=D0=BE=D0=B6=D0=B8=D0=B4=D0=B0=D0=BD=D0=B8=D0=B5?= =?UTF-8?q?=20LDAP=20=D0=BF=D1=80=D0=B8=20=D0=B0=D1=83=D1=82=D0=B5=D0=BD?= =?UTF-8?q?=D1=82=D0=B8=D1=84=D0=B8=D0=BA=D0=B0=D1=86=D0=B8=D0=B8=20=D0=BB?= =?UTF-8?q?=D0=BE=D0=BA=D0=B0=D0=BB=D1=8C=D0=BD=D0=BE=D0=B3=D0=BE=20=D0=BF?= =?UTF-8?q?=D0=BE=D0=BB=D1=8C=D0=B7=D0=BE=D0=B2=D0=B0=D1=82=D0=B5=D0=BB?= =?UTF-8?q?=D1=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Локальным пользователем считается пользователь, присутствующий в /etc/passwd и отсутствующий в кэше calculate-client. --- README | 3 ++- pam_client.c | 40 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/README b/README index 3128bf8..9e6b285 100644 --- a/README +++ b/README @@ -1,6 +1,7 @@ This is the README file for the library pam_client. Library pam_client designed to wait for client daemon before -LDAP authorization and to wait for LDAP service. +LDAP authorization and to wait for the LDAP service. +The module should not wait the LDAP service if a user is local. Installation ---------- diff --git a/pam_client.c b/pam_client.c index eb1ead4..802f2cb 100644 --- a/pam_client.c +++ b/pam_client.c @@ -28,6 +28,8 @@ #include #define PAM_LDAP_PATH_CONF "/etc/ldap.conf" +#define PASSWD "/etc/passwd" +#define CACHE_PASSWD "/var/lib/calculate/calculate-client/cache/passwd" #define PAM_SM_AUTH #define MAX_V 30 #define WAITTIME 30 @@ -205,7 +207,7 @@ _release_config (pam_config_t ** pconfig) static int _check_ldap (int retry_count) { - int result; + int result = PAM_SERVICE_ERR; int timelimit = 3; struct berval userpw; struct berval *servcred; 
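Review bot: The two new macros in the `#define` hunk of pam_client.c do not follow the naming the file already uses for a path constant (`PAM_LDAP_PATH_CONF`), and a bare `PASSWD` is generic enough that a clash with a macro defined elsewhere is plausible; `#define PASSWD_PATH "/etc/passwd"` and `#define CACHE_PASSWD_PATH "/var/lib/calculate/calculate-client/cache/passwd"` would read as paths at their use sites in local_user. A one-line comment above `CACHE_PASSWD` saying which daemon writes that cache would also help the next reader, since the module's decision to skip the LDAP wait depends on it.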
@@ -239,7 +241,7 @@ _check_ldap (int retry_count)
 }
 }
 if(ld != NULL)
- ldap_unbind(ld);
+ ldap_unbind_ext(ld,NULL,NULL);
 _release_config(&config);
 return result;
 }
@@ -248,16 +250,50 @@ int file_exists(const char *fname)
 {
 return access(fname, 0) != -1;
 }
+// serach user in passwd type file
+int search_user(const char *username, char *filename) {
+ char buf[BUFSIZ];
+ FILE *fd = fopen(filename,"r");
+ if(fd != NULL) {
+ while( fgets(buf,BUFSIZ,fd) ) {
+ char *tail = buf;
+ char *token = strsep(&tail,":");
+ if(token != NULL && strcmp(token,username) == 0) {
+ fclose(fd);
+ return 1;
+ }
+ }
+ fclose(fd);
+ }
+ return 0;
+}
+
+// check: is local user?
+int local_user(const char *username) {
+ int pUser = search_user(username,PASSWD);
+ int cUser = search_user(username,CACHE_PASSWD);
+ // local user is user which found in /etc/passwd only
+ return (pUser && !cUser)?1:0;
+}
+
 // Authentication function
 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags ,int argc, const char **argv)
 {
 int i;
+ int retval;
 char *boot_client="/etc/runlevels/boot/client";
 char *default_client="/etc/runlevels/default/client";
 char *started_client="/run/openrc/started/client";
 char *started_local="/run/openrc/started/local";
 char *ldap_conf="/etc/ldap.conf";
+ const char *login;
+
+ // get username
+ retval = pam_get_user(pamh, &login, "login: ");
+ // don't wait ldap for authentificate local user
+ if(retval == PAM_SUCCESS && login && local_user(login))
+ return PAM_SUCCESS;
 // wait for client daemon
 if (file_exists(boot_client) || file_exists(default_client)) {
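Review bot: The early `return PAM_SUCCESS;` added to pam_sm_authenticate hands a success to the PAM stack for any name present in /etc/passwd before any credential has been checked, so a `sufficient` stacking of this module could end the auth stack there; if the function's normal path (outside the hunk) also ends in PAM_SUCCESS after waiting, this matches the module's existing contract, but `return PAM_IGNORE;` states "nothing to decide here" without giving a `sufficient` rule a success to act on. local_user also treats an unreadable CACHE_PASSWD the same as "not in the cache", so before the client daemon has written the cache every /etc/passwd account counts as local and the wait is skipped — if that is intended, the comment above `return (pUser && !cUser)?1:0;` should say so, otherwise search_user needs a distinct result for an open failure. In search_user, `fgets(buf,BUFSIZ,fd)` returns an over-long line in pieces and the first field of each later piece is compared against `username`, so after a read whose buffer does not end in '\n' the rest of that line should be discarded, as in the fence below. `filename` is only read and both callers pass string literals, so it should be `const char *filename`. pam_sm_authenticate's body continues beyond the end of the hunk.
```c
int search_user(const char *username, const char *filename) {
	// … unchanged: buf, fopen, NULL check …
		while( fgets(buf,BUFSIZ,fd) ) {
			size_t len = strlen(buf);
			int complete = (len > 0 && buf[len - 1] == '\n');
			// … unchanged: strsep on ':' and strcmp against username, return 1 on match …
			// line longer than buf: drop its remainder so a mid-line
			// fragment is never compared as a login name
			if(!complete) {
				int c;
				while((c = fgetc(fd)) != EOF && c != '\n')
					;
			}
		}
	// … unchanged: fclose, return 0 …
```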