Patch 0001: Make sdap_access_send() public so the IPA provider can consume it.
Patch 0002: Check that the user is not disabled before performing the HBAC check. I chose to do the nsAccountLock check first because it's a very fast operation against the cache, so if it returns PAM_PERM_DENIED we will skip the slower HBAC checks and jump straight to denial.
> Patch 0001: Make sdap_access_send() public so the IPA provider can consume it.
> Patch 0002: Check that the user is not disabled before performing the HBAC check. I chose to do the nsAccountLock check first because it's a very fast operation against the cache, so if it returns PAM_PERM_DENIED we will skip the slower HBAC checks and jump straight to denial.
Ack to both.
Jan
On Fri, 2012-03-09 at 13:18 +0100, Jan Zelený wrote:
> > Patch 0001: Make sdap_access_send() public so the IPA provider can consume it.
> > Patch 0002: Check that the user is not disabled before performing the HBAC check. I chose to do the nsAccountLock check first because it's a very fast operation against the cache, so if it returns PAM_PERM_DENIED we will skip the slower HBAC checks and jump straight to denial.
> Ack to both.
Pushed to master and sssd-1-8.
sssd-devel@lists.fedorahosted.org