>From 318cb108cdd74b4150dd45c28609a28f495a3a8e Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Mon, 26 May 2014 18:31:06 +0200
Subject: [PATCH 1/3] PAM: add ignore_authinfo_unavail option
Resolves: https://fedorahosted.org/sssd/ticket/2232
---
 src/man/pam_sss.8.xml | 14 ++++++++++++++
 src/sss_client/pam_sss.c | 11 +++++++++++
 2 files changed, 25 insertions(+)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index e42cb2d621705cba9083692a47699b9692af5e8e..859d42eeae0fab9a3097010252ae1b4e04d306da 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -40,6 +40,9 @@ ignore_unknown_user + + ignore_authinfo_unavail +
@@ -116,6 +119,17 @@ the PAM framework to ignore this module. + + + + + + + Specifies that the PAM module should return PAM_IGNORE + if it cannot contact the SSSD daemon. This causes + the PAM framework to ignore this module. + +
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 4dae7e1cab5a50e919177b9da1901be594609794..fdd6daab947f37e5235c0f201aa61fb3d0dd88a2 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -48,6 +48,7 @@
 #define FLAGS_FORWARD_PASS (1 << 1)
 #define FLAGS_USE_AUTHTOK (1 << 2)
 #define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
 #define FD_DESTRUCTOR "pam_sss:fd_destructor"
@@ -1308,6 +1309,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
 *quiet_mode = true;
 } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
 *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
+ *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
 } else {
 logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
 }
@@ -1452,6 +1455,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
 ret = PAM_IGNORE;
 }
+ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ && ret == PAM_AUTHINFO_UNAVAIL) {
+ ret = PAM_IGNORE;
+ }
 return ret;
 }
@@ -1494,6 +1501,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 && pam_status == PAM_USER_UNKNOWN) {
 pam_status = PAM_IGNORE;
 }
+ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ && pam_status == PAM_AUTHINFO_UNAVAIL) {
+ pam_status = PAM_IGNORE;
+ }
 switch (task) {
 case SSS_PAM_AUTHENTICATE:
-- 
1.9.3
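Review bot: The new `PAM_AUTHINFO_UNAVAIL` to `PAM_IGNORE` override in the early-return path is silent, so the logs cannot tell a host where SSSD was unreachable and the module stepped aside from one where it answered normally. The second override, added before `switch (task)` in the next hunk, has the same gap. Because the option makes the module drop out of the stack during an outage, I would log at the point of the override, for example `logger(pamh, LOG_NOTICE, "SSSD unavailable, returning PAM_IGNORE");` inside each new `if` body, so operators can alert on it. The body of pam_sss() starts and ends outside both hunks.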
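Review bot: This check sits before `switch (task)`, so the override applies to every PAM task that reaches this point, not only authentication. If that includes account management, an SSSD outage leaves the stack's verdict to the other configured modules, and any access check this module would have made is skipped. The man page text added in this patch describes the option as applying when the module cannot contact the SSSD daemon, but the code tests only the status value; if `pam_status` can also carry `PAM_AUTHINFO_UNAVAIL` from a daemon reply (not visible in this hunk), the behaviour is wider than documented. I would add a comment above the new `if`, such as `/* fail-open by request: applies to all tasks, see ignore_authinfo_unavail in pam_sss(8) */`, and state the per-task scope in the man page.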