From f92bac7b528d5caf797162ecb4d21f1f7652a49a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:37:46 +0200
Subject: [PATCH 10/19] files: add support for Smartcard authentication
To support certificate based authentication the files provider must be
able to map a certificate to a user during a BE_REQ_BY_CERT request.
Additionally the authentication request should be handled by the PAM
responder code which is responsible for the local Smartcard
authentication. To be consistent with the other backends, an authentication
handler is added to the files provider which unconditionally returns the
offline error code telling the PAM responder to handle the
authentication if it has access to the needed credentials.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 275eeed24adc31f3df51cf278f509a4be76a3a3c)
---
Makefile.am | 2 +
src/providers/files/files_auth.c | 69 +++++++++++++
src/providers/files/files_certmap.c | 186 ++++++++++++++++++++++++++++++++++++
src/providers/files/files_id.c | 20 ++++
src/providers/files/files_init.c | 21 +++-
src/providers/files/files_private.h | 17 ++++
6 files changed, 314 insertions(+), 1 deletion(-)
create mode 100644 src/providers/files/files_auth.c
create mode 100644 src/providers/files/files_certmap.c
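--- a/Makefile.am
+++ b/Makefile.am
@@ -4270,6 +4270,8 @@ libsss_proxy_la_LDFLAGS = \
 libsss_files_la_SOURCES = \
 src/providers/files/files_init.c \
 src/providers/files/files_id.c \
+ src/providers/files/files_auth.c \
+ src/providers/files/files_certmap.c \
 src/providers/files/files_ops.c \
 src/util/inotify.c \
 $(NULL)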
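--- /dev/null
+++ b/src/providers/files/files_auth.c
@@ -0,0 +1,69 @@
+/*
+ SSSD
+
+ files_auth.c - PAM operations on the files provider
+
+ Copyright (C) 2018 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <security/pam_modules.h>
+
+#include "providers/data_provider/dp.h"
+#include "providers/data_provider.h"
+#include "providers/files/files_private.h"
+#include "util/cert.h"
+
+struct files_auth_ctx {
+ struct pam_data *pd;
+};
+
+struct tevent_req *
+files_auth_handler_send(TALLOC_CTX *mem_ctx,
+ void *unused,
+ struct pam_data *pd,
+ struct dp_req_params *params)
+{
+ struct files_auth_ctx *state;
+ struct tevent_req *req;
+
+ req = tevent_req_create(mem_ctx, &state, struct files_auth_ctx);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->pd = pd;
+ state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ tevent_req_done(req);
+ tevent_req_post(req, params->ev);
+ return req;
+}
+
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data)
+{
+ struct files_auth_ctx *state = NULL;
+
+ state = tevent_req_data(req, struct files_auth_ctx);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_data = talloc_steal(mem_ctx, state->pd);
+
+ return EOK;
+}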
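Review bot: files_auth_handler_send sets `state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;` for every request without a comment, and the reason lives only in the commit message, so the next reader will take it for a stub; add above the assignment `/* The files provider holds no credentials to verify. Reporting the backend as offline lets the PAM responder handle the request itself (local Smartcard authentication) when it has the needed credentials. */`. The assignment also dereferences pd before anything else; if the data-provider layer does not guarantee a non-NULL pd, a guard that fails the request through tevent_req_error would be cheaper than a crash in the backend — worth confirming against the dp_set_method contract. A SSSDBG_TRACE_FUNC debug line naming the deferral would make the resulting offline status in the PAM responder log easier to trace back to this handler.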
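--- /dev/null
+++ b/src/providers/files/files_certmap.c
@@ -0,0 +1,186 @@
+/*
+ SSSD
+
+ files_init.c - Initialization of the files provider
+
+ Copyright (C) 2018 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "providers/files/files_private.h"
+#include "util/util.h"
+#include "util/cert.h"
+#include "lib/certmap/sss_certmap.h"
+
+struct priv_sss_debug {
+ int level;
+};
+
+static void ext_debug(void *private, const char *file, long line,
+ const char *function, const char *format, ...)
+{
+ va_list ap;
+ struct priv_sss_debug *data = private;
+ int level = SSSDBG_OP_FAILURE;
+
+ if (data != NULL) {
+ level = data->level;
+ }
+
+ if (DEBUG_IS_SET(level)) {
+ va_start(ap, format);
+ sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED,
+ format, ap);
+ va_end(ap);
+ }
+}
+
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx)
+{
+ int ret;
+ bool hint;
+ struct certmap_info **certmap_list = NULL;
+ size_t c;
+
+ ret = sysdb_get_certmap(mem_ctx, id_ctx->be->domain->sysdb,
+ &certmap_list, &hint);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
+ goto done;
+ }
+
+ if (certmap_list == NULL || *certmap_list == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "No certmap data, nothing to do.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ ret = sss_certmap_init(mem_ctx, ext_debug, NULL, &id_ctx->sss_certmap_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n");
+ goto done;
+ }
+
+ for (c = 0; certmap_list[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n",
+ certmap_list[c]->name,
+ certmap_list[c]->priority,
+ certmap_list[c]->match_rule,
+ certmap_list[c]->map_rule);
+
+ ret = sss_certmap_add_rule(id_ctx->sss_certmap_ctx,
+ certmap_list[c]->priority,
+ certmap_list[c]->match_rule,
+ certmap_list[c]->map_rule,
+ certmap_list[c]->domains);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_certmap_add_rule failed for rule [%s] "
+ "with error [%d][%s], skipping. "
+ "Please check for typos and if rule syntax is supported.\n",
+ certmap_list[c]->name, ret, sss_strerror(ret));
+ continue;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(certmap_list);
+
+ return ret;
+}
+
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
+ struct dp_id_data *data)
+{
+ errno_t ret;
+ char *filter;
+ char *user;
+ struct ldb_message *msg = NULL;
+ struct sysdb_attrs *attrs = NULL;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, data->filter_value, "",
+ id_ctx->sss_certmap_ctx,
+ id_ctx->domain, &filter);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_cert_derb64_to_ldap_filter failed.\n");
+ goto done;
+ }
+ if (filter == NULL || filter[0] != '('
+ || filter[strlen(filter) - 1] != ')') {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_cert_derb64_to_ldap_filter returned bad filter [%s].\n",
+ filter);
+ ret = EINVAL;
+ goto done;
+ }
+
+ filter[strlen(filter) - 1] = '\0';
+ user = sss_create_internal_fqname(tmp_ctx, &filter[1],
+ id_ctx->domain->name);
+ if (user == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapped to user: [%s].\n", user);
+
+ ret = sysdb_search_user_by_name(tmp_ctx, id_ctx->domain, user, NULL, &msg;;
+ if (ret == EOK) {
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_MAPPED_CERT,
+ data->filter_value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
+ goto done;
+ }
+
+ ret = sysdb_set_entry_attr(id_ctx->domain->sysdb, msg->dn, attrs,
+ SYSDB_MOD_ADD);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL, "Mapped user [%s] not found.\n", user);
+ ret = EOK;
+ goto done;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}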
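Review bot: The file header of the new files_certmap.c still reads `files_init.c - Initialization of the files provider`, copied from files_init.c; it should read `files_certmap.c - Certificate mapping for the files provider`. In files_map_cert_to_user the stripping of the outer `(` and `)` deserves a comment, because the value returned by sss_cert_derb64_to_ldap_filter is not used as an LDAP filter here but its bare content becomes the user name for an exact sysdb_search_user_by_name lookup: `/* The mapping result is expected to be "(name)"; only the bare name is used, it is never evaluated as a filter. */`. On this rendering the search call reads `&msg;;`, presumably `&msg);` with the closing parenthesis mangled by the page. The mapped certificate is stored with SYSDB_MOD_ADD on every successful mapping; if the same certificate is looked up again while the entry still exists, adding an already-present value may be rejected by the database layer, so SYSDB_MOD_REP or a check of the existing value would be safer — to be confirmed.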
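--- a/src/providers/files/files_id.c
+++ b/src/providers/files/files_id.c
@@ -87,6 +87,26 @@ files_account_info_handler_send(TALLOC_CTX *mem_ctx,
 ? true \
 : false;
 break;
+ case BE_REQ_BY_CERT:
+ if (data->filter_type != BE_FILTER_CERT) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected filter type for lookup by cert: %d\n",
+ data->filter_type);
+ ret = EINVAL;
+ goto immediate;
+ }
+ if (id_ctx->sss_certmap_ctx == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapping not configured.\n");
+ ret = EOK;
+ goto immediate;
+ }
+
+ ret = files_map_cert_to_user(id_ctx, data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "files_map_cert_to_user failed");
+ }
+ goto immediate;
+ break;
 default:
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Unexpected entry type: %d\n", data->entry_type & BE_REQ_TYPE_MASK);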
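Review bot: The failure message in the new BE_REQ_BY_CERT case, `DEBUG(SSSDBG_OP_FAILURE, "files_map_cert_to_user failed");`, lacks the trailing newline every other DEBUG call in this hunk ends with; use `DEBUG(SSSDBG_OP_FAILURE, "files_map_cert_to_user failed.\n");`. The `break;` after `goto immediate;` is unreachable and only kept for symmetry with the other cases; a short comment, or dropping it, would spare a reader the question of which path is taken. The enclosing files_account_info_handler_send starts and ends outside the hunk, so what the `immediate` label does with a non-EOK ret is not visible here.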
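--- a/src/providers/files/files_init.c
+++ b/src/providers/files/files_init.c
@@ -196,9 +196,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
 "Authentication with certificates/Smartcards might not work "
 "as expected.\n");
 /* not fatal, ignored */
+ } else {
+ ret = files_init_certmap(ctx, ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "files_init_certmap failed. "
+ "Authentication with certificates/Smartcards might not work "
+ "as expected.\n");
+ /* not fatal, ignored */
+ }
 }
 
-
 *_module_data = ctx;
 ret = EOK;
 done:
@@ -234,3 +241,15 @@ int sssm_files_id_init(TALLOC_CTX *mem_ctx,
 
 return EOK;
 }
+
+int sssm_files_auth_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ dp_set_method(dp_methods, DPM_AUTH_HANDLER,
+ files_auth_handler_send, files_auth_handler_recv, NULL, void,
+ struct pam_data, struct pam_data *);
+
+ return EOK;
+}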
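Review bot: `ret = files_init_certmap(ctx, ctx);` passes the same pointer as memory context and as id context with no explanation; files_init_certmap allocates the certmap context on its mem_ctx, which here is ctx itself, so a comment such as `/* certmap rules share the lifetime of the id context */` would make the ownership obvious. The `if` whose else-branch the first hunk adds starts outside the hunk, so the condition that gates certificate mapping is not visible here. sssm_files_auth_init in the second hunk registers only DPM_AUTH_HANDLER and carries no comment; a one-liner noting that the registered handler always reports PAM_AUTHINFO_UNAVAIL so the PAM responder performs the local Smartcard authentication would save the reader a trip to files_auth.c.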
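--- a/src/providers/files/files_private.h
+++ b/src/providers/files/files_private.h
@@ -38,6 +38,7 @@ struct files_id_ctx {
 struct be_ctx *be;
 struct sss_domain_info *domain;
 struct files_ctx *fctx;
+ struct sss_certmap_ctx *sss_certmap_ctx;
 
 const char **passwd_files;
 const char **group_files;
@@ -71,4 +72,20 @@ errno_t files_account_info_handler_recv(TALLOC_CTX *mem_ctx,
 void files_account_info_finished(struct files_id_ctx *id_ctx,
 int req_type,
 errno_t ret);
+
+/* files_auth.c */
+struct tevent_req *files_auth_handler_send(TALLOC_CTX *mem_ctx,
+ void *unused,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+/* files_certmap.c */
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx);
+
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
+ struct dp_id_data *data);
 #endif /* __FILES_PRIVATE_H_ */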
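Review bot: The new prototype of files_map_cert_to_user carries no contract comment, and its behaviour is not obvious from the signature: in files_certmap.c it returns EOK both when the mapped user was found (and the certificate was recorded on the cache entry) and when no user matched (ENOENT is mapped to EOK), so a caller cannot tell the two apart from the return value. Add above the declaration `/* Map data->filter_value (base64 DER cert) to a local user via the certmap rules and record the cert on the user's cache entry. Returns EOK also when no user matches; the caller must look the cert up in the cache. */`. files_init_certmap likewise returns EOK when no certmap rules exist and then never calls sss_certmap_init, presumably leaving sss_certmap_ctx NULL, which files_id.c relies on to report "not configured"; worth one line on that declaration as well.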
--
2.14.4