[TACACS] Stop authorization after user being rejected by server. #14249

Merged (4 commits) on May 30, 2023
File: src/tacacs/nss/patch/0001-Modify-user-map-profile.patch (24 changes: 18 additions & 6 deletions)
@@ -10,16 +10,17 @@ Subject: [PATCH] Modify user map profile
* Added "many_to_one" mode, create one local user for many TACACS+ users which
has the same privilege.
* Modified configuration parse and file to adapt to the new user map profile.
* Stop authorization after user being rejected by server.
---
Makefile.am | 4 +-
Makefile.in | 2 +-
configure.ac | 2 +-
debian/changelog | 11 +
debian/control | 11 +-
debian/libnss-tacplus.symbols | 1 -
nss_tacplus.c | 1004 +++++++++++++++++++----------------------
tacplus_nss.conf | 91 ++--
8 files changed, 518 insertions(+), 608 deletions(-)
nss_tacplus.c | 1018 +++++++++++++++------------------
tacplus_nss.conf | 91 ++-
8 files changed, 527 insertions(+), 613 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 293951e..b33c455 100644
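Review bot: the new description bullet "* Stop authorization after user being rejected by server." is ungrammatical and does not say which server reply triggers the stop; suggest "* Stop trying further servers once a server rejects the user (authorization status TAC_PLUS_AUTHOR_STATUS_FAIL)." so the patch header documents the exact condition the code checks. The refreshed diffstat (nss_tacplus.c 1018 lines, 527 insertions, 613 deletions) and the +4 shift in the later hunk headers (+724 to +728, +744 to +748, +770 to +774) are consistent with the four lines added in lookup_tacacs_user, so the line counts look right.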
@@ -1153,7 +1154,18 @@ index 79e62b9..ecfa0b0 100644
done = 1; /* break out of loop after arep cleanup */
}
else {
@@ -692,30 +724,12 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -685,6 +717,10 @@ lookup_tacacs_user(struct pwbuf *pb)
" invalid (%d)", nssname,
tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
arep.status);
+
+ if (arep.status == TAC_PLUS_AUTHOR_STATUS_FAIL) {
+ done = 1; /* break out of loop after server reject user */
+ }
}
if(arep.msg)
free(arep.msg);
@@ -692,30 +728,12 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_free_attrib(&arep.attr);
}

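Review bot: the new check sets done = 1 only when arep.status == TAC_PLUS_AUTHOR_STATUS_FAIL, so an explicit reject from a reachable server is now final instead of letting a later server in tac_srv authorize the same user; that is the fail-closed behaviour this PR is after, and the cleanup order matches the existing "break out of loop after arep cleanup" path. Two follow-ups for this hunk: the comment should read "/* break out of loop after the server rejects the user */", and because the check sits in the branch that has just logged the status as "invalid (%d)", a legitimate FAIL is still reported as "invalid", which is misleading in an audit trail; consider logging a distinct "authorization denied by server" message for the FAIL case. Note also that any other non-PASS status reaching this branch still falls through to the next server, which is defensible for a server-side error but should be stated in the commit message.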
@@ -1186,7 +1198,7 @@ index 79e62b9..ecfa0b0 100644
*
* We try the lookup to the tacacs server first. If we can't make a
* connection to the server for some reason, we also try looking up
@@ -730,20 +744,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
@@ -730,20 +748,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
int result;
struct pwbuf pbuf;

@@ -1221,7 +1233,7 @@ index 79e62b9..ecfa0b0 100644
/* marshal the args for the lower level functions */
pbuf.name = (char *)name;
pbuf.pw = pw;
@@ -751,126 +770,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
@@ -751,126 +774,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
pbuf.buflen = buflen;
pbuf.errnop = errnop;
