authorDave Olson <olson@cumulusnetworks.com>2018-02-26 09:52:09 -0800
committerDave Olson <olson@cumulusnetworks.com>2018-04-10 12:33:12 -0700
commita8740bec7979f1060ab6759808e9f02dce184e46 (patch)
tree487107efe6069f172c7e4454b6bc2335416f4326 /nss_mapname.c
parent800323e6d53315de4d12f73626b4461a8cf63090 (diff)
Fixed exclude_users to work, added more users, alway skip tacacs[0-9]*
Ticket: CM-19886 Reviewed By: nobody Testing Done: Somehow exclude_users wasn't implemented (or got deleted somewhere along the line). Make list match tacplus_client, except exclude our own mapped users by matching config items, and also skip any user starting with tacacs[0-9] inline instead of listing all 16 in exclude_users field in config file. Implemented for mapped_priv_user too, since that work is ongoing. Listed change in debian/changelog. If debug is set to 2 or higher, print that the name lookup was skipped due to exclusion.
Diffstat (limited to 'nss_mapname.c')
-rw-r--r--nss_mapname.c39
1 files changed, 39 insertions, 0 deletions
diff --git a/nss_mapname.c b/nss_mapname.c
index 9132f6e..f795cf5 100644
--- a/nss_mapname.c
+++ b/nss_mapname.c
@@ -37,6 +37,7 @@
#include "map_common.h"
+#include <stdbool.h>
static const char *nssname = "nss_mapuser"; /* for syslogs */
@@ -62,6 +63,7 @@ enum nss_status _nss_mapname_getpwnam_r(const char *name, struct passwd *pw,
{
enum nss_status status = NSS_STATUS_NOTFOUND;
struct pwbuf pbuf;
+ bool islocal = 0;
/*
* the useradd family will not add/mod/del users correctly with
@@ -78,6 +80,43 @@ enum nss_status _nss_mapname_getpwnam_r(const char *name, struct passwd *pw,
return status;
}
+ /*
+ * Ignore any name starting with tacacs[0-9] in case a
+ * tacplus client is installed. Cleaner than listing
+ * all 16 in the exclude_users list or implementing
+ * some form of wildcard. Also ignore our own mappeduser
+ * and mapped_priv_user names if set.
+ */
+ if ((mappeduser && !strcmp(mappeduser, name)) ||
+ (mapped_priv_user && !strcmp(mapped_priv_user, name)))
+ islocal = 1;
+ else if (!strncmp("tacacs", name, 6) && isdigit(name[6]))
+ islocal = 1;
+ else if (exclude_users) {
+ char *user, *list;
+ list = strdup(exclude_users);
+ if (list) {
+ static const char *delim = ", \t\n";
+ user = strtok(list, delim);
+ list = NULL;
+ while (user) {
+ if(!strcmp(user, name)) {
+ islocal = 1;
+ break;
+ }
+ user = strtok(NULL, delim);
+ }
+ free(list);
+ }
+ }
+ if (islocal) {
+ if(debug > 1)
+ syslog(LOG_DEBUG, "%s: skipped excluded user: %s", nssname,
+ name);
+ return 2;
+ }
+
+
/* marshal the args for the lower level functions */
pbuf.name = (char *)name;
pbuf.pw = pw;
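Review bot: The exclude_users branch leaks the strdup() copy on every lookup that reaches it, because `list = NULL;` right after the first strtok() turns the later `free(list)` into a no-op; since an NSS module is loaded into any process that resolves names, long-running daemons can grow steadily. The same loop calls strtok() inside a `_r` entry point, which overwrites the host program's own strtok state and is not thread-safe, so strtok_r with a local save pointer is the safer choice. `isdigit(name[6])` should be passed `(unsigned char)name[6]`, since a negative char value is undefined behaviour there and the name is caller-supplied; whether <ctype.h> is already included is not visible in these hunks. `return 2;` would also read better as the named `enum nss_status` constant it stands for. The function body starts and ends outside the hunk.

```c
	else if (!strncmp("tacacs", name, 6) && isdigit((unsigned char)name[6]))
	/* … unchanged: islocal = 1; else if (exclude_users) { … */
		char *user, *list, *save = NULL;
		/* … unchanged: strdup(exclude_users), NULL check, delim … */
			user = strtok_r(list, delim, &save);
			/* list is left pointing at the strdup() buffer so free(list) releases it */
			while (user) {
				/* … unchanged: strcmp match sets islocal and breaks … */
				user = strtok_r(NULL, delim, &save);
			}
			free(list);
```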