Ticket: CM-19457
Reviewed By: roopa
Testing Done: lots of variations of login, su, sudo, automated radius tests

Now we always read the map files. If session is set, we try that
file first, so that a user always sees their name, same as tacplus.
If that's the wrong file, read through all of the map files, look
for the correct match based on either name+session or auid+session,
depending on the getpwnam or getpwuid entry point.

Ignore the same set of users as tacacs, including the new radius_priv_user
account for the privileged RADIUS user.

Create and delete the mapuser files from libpam-radius-auth now;
we need to have the mapping file written early enough for the pam
interfaces to get the correct info.

Using the pam_script is too limiting, and since we are creating the
database in libpam-radius-auth now, we'll delete it there as well
to keep things symmetric, so delete the script and the references to
the scripts.

A significant part of this effort was adding getgrent, getgrgid, and
getgrnam support, so that the radius users are put into the netshow
(unprivileged) and netedit and sudo (privileged) groups at login.
A lot of restructuring went in as part of that, and cleaned up some
longstanding bugs, including return values for the getpw* routines.
Also cleaned up some whitespace issues.

Also renamed some globals (debug, min_uid, init_common()) that might
collide with other programs, so that when I build unstripped and
normal visibility shared libs, they won't collide with programs
calling the functions (saw this with "debug" and bgpd, for example).
Ticket: CM-17450
Reviewed By: olson
Testing Done: ran programs with change

The useradd family will not work correctly with the mapuser/mapuid
functionality, and useradd provides no method to force creating
a user that already exists.

So check which program invoked us, using __progname (getprogname() could
also be used for non-glibc use), and return NOTFOUND immediately in that
case.

This is a major hack, but it's simple, and avoids a significant issue.
Unfortunately, the RADIUS protocol gives us no way to determine that
an account name is valid without also authenticating, and libnss plugins
do not have the ability to authenticate.
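The caller check described in this commit, as an added example that is not code from the commit or from the libnss/libpam-radius-auth project: an NSS getpwnam_r entry point that reads glibc's `__progname`, returns `NSS_STATUS_NOTFOUND` when the calling program is one of the account tools, and otherwise resolves a RADIUS login name through the kind of name-to-shared-account mapping the first commit describes. The module name `_nss_mapuser`, the list of tools treated as the "useradd family" (useradd, usermod, userdel) and the in-memory mapping table are all assumptions made for the example; the real module reads map files from disk.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <nss.h>        /* enum nss_status and the NSS_STATUS_* values */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumption: glibc and the BSD libcs export the invoking program's short
 * name as __progname; getprogname() is the portable alternative. */
extern char *__progname;

/* Assumption: the "useradd family" is taken to be these three tools. */
static const char *const account_tools[] = { "useradd", "usermod", "userdel" };

/* Constructed stand-in for the on-disk mapping database: each RADIUS login
 * name is mapped onto a shared local account (uid/gid/home/shell). */
struct mapped_user {
    const char *login;   /* name the user typed at login */
    uid_t uid;           /* uid of the shared local account */
    gid_t gid;
    const char *home;
    const char *shell;
};
static const struct mapped_user map_table[] = {
    { "alice", 1001, 1001, "/home/radius_user",      "/bin/bash" },
    { "bob",   1002, 1002, "/home/radius_priv_user", "/bin/bash" },
};

/* Return 1 when the calling program (full path or short name) is one of
 * the account tools, so the module can step aside for it. */
int caller_is_account_tool(const char *progname)
{
    if (progname == NULL)
        return 0;
    const char *base = strrchr(progname, '/');
    base = base ? base + 1 : progname;
    for (size_t i = 0; i < sizeof account_tools / sizeof account_tools[0]; i++)
        if (strcmp(base, account_tools[i]) == 0)
            return 1;
    return 0;
}

/* Copy s into the caller-supplied result buffer, advancing the cursor;
 * returns NULL when the buffer is exhausted so the caller can report ERANGE. */
static char *buf_copy(const char *s, char **cur, size_t *left)
{
    size_t n = strlen(s) + 1;
    if (n > *left)
        return NULL;
    char *dst = memcpy(*cur, s, n);
    *cur += n;
    *left -= n;
    return dst;
}

/* Core lookup. The caller name is passed explicitly so the decision can be
 * exercised without depending on what the running binary is called. */
enum nss_status map_getpwnam(const char *caller, const char *name,
                             struct passwd *pw, char *buf, size_t buflen,
                             int *errnop)
{
    /* The hack from the commit message: account tools never see mapped users. */
    if (caller_is_account_tool(caller)) {
        *errnop = ENOENT;
        return NSS_STATUS_NOTFOUND;
    }
    for (size_t i = 0; i < sizeof map_table / sizeof map_table[0]; i++) {
        const struct mapped_user *e = &map_table[i];
        if (strcmp(name, e->login) != 0)
            continue;
        char *cur = buf;
        size_t left = buflen;
        /* The user keeps their own login name; uid/gid come from the shared account. */
        pw->pw_name   = buf_copy(name, &cur, &left);
        pw->pw_passwd = buf_copy("x", &cur, &left);
        pw->pw_gecos  = buf_copy(e->login, &cur, &left);
        pw->pw_dir    = buf_copy(e->home, &cur, &left);
        pw->pw_shell  = buf_copy(e->shell, &cur, &left);
        if (!pw->pw_name || !pw->pw_passwd || !pw->pw_gecos ||
            !pw->pw_dir || !pw->pw_shell) {
            *errnop = ERANGE;            /* glibc retries with a larger buffer */
            return NSS_STATUS_TRYAGAIN;
        }
        pw->pw_uid = e->uid;
        pw->pw_gid = e->gid;
        return NSS_STATUS_SUCCESS;
    }
    *errnop = ENOENT;
    return NSS_STATUS_NOTFOUND;
}

/* Entry point glibc would call for a hypothetical "mapuser" NSS module. */
enum nss_status _nss_mapuser_getpwnam_r(const char *name, struct passwd *pw,
                                        char *buf, size_t buflen, int *errnop)
{
    return map_getpwnam(__progname, name, pw, buf, buflen, errnop);
}
```

Keeping the caller decision in a separate function from the NSS entry point is what makes the hack reviewable: the short-circuit for account tools and the ERANGE/TRYAGAIN path for an undersized buffer can both be checked without installing the module into nsswitch.conf.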