#2232 [freebsd] pam_sss: add ignore_unknown_user option
Closed: Fixed None Opened 5 years ago by petef.

FreeBSD's openpam doesn't have a built-in way of ignoring an unknown user (e.g. treating PAM_USER_UNKNOWN as a pass for a required module, like Linux's user_unknown=ignore tag), so there needs to be an ignore_unknown_user flag built into the PAM module. This patch makes pam_sss return PAM_IGNORE instead of PAM_USER_UNKNOWN when ignore_unknown_user is passed in from the PAM config. FWIW, this is how pam_ldap works on FreeBSD with local accounts, too.

This patch allows us to keep pam_sss marked as required for the PAM "account" facility (to enforce HBAC rules) but still allow local users to log in.
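The following C program is an added illustration, not SSSD's pam_sss code or the ticket's patch. It models the behaviour the description asks for: parse the module arguments from the pam.d line, turn PAM_USER_UNKNOWN into PAM_IGNORE only when ignore_unknown_user is present, and run the result through a simplified "required" account stack so the effect on a local user and on an HBAC-denied user can be compared. The numeric values of the PAM result codes are constructed placeholders standing in for the real constants from <security/pam_modules.h>, the stack model is deliberately simpler than openpam_dispatch, and the pam_unix result for the local user is assumed.

```c
/*
 * Added example (not SSSD's pam_sss code): models the ignore_unknown_user
 * option from this ticket and its effect on a "required" account stack.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for PAM return codes; the values are illustrative,
 * real code takes them from <security/pam_modules.h>. */
enum {
    PAM_SUCCESS      = 0,
    PAM_PERM_DENIED  = 7,
    PAM_USER_UNKNOWN = 13,
    PAM_IGNORE       = 25
};

struct pam_sss_opts {
    bool ignore_unknown_user;
};

/* Parse the module arguments from a pam.d line such as
 *   account required pam_sss.so ignore_unknown_user
 * Arguments this model does not know are silently skipped. */
void parse_opts(int argc, const char **argv, struct pam_sss_opts *o)
{
    o->ignore_unknown_user = false;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "ignore_unknown_user") == 0)
            o->ignore_unknown_user = true;
    }
}

/* The mapping the ticket describes: only PAM_USER_UNKNOWN becomes
 * PAM_IGNORE, and only when the option is set. Every other code,
 * including an HBAC denial, passes through unchanged. */
int pam_sss_acct_result(int backend_status, const struct pam_sss_opts *o)
{
    if (backend_status == PAM_USER_UNKNOWN && o->ignore_unknown_user)
        return PAM_IGNORE;
    return backend_status;
}

/* Simplified model of a stack in which every module is "required":
 * PAM_IGNORE is skipped, the first failure of a required module becomes
 * the stack result, and the stack succeeds only if nothing failed. */
int run_required_stack(const int *results, int n)
{
    int err = PAM_SUCCESS;
    for (int i = 0; i < n; i++) {
        if (results[i] == PAM_IGNORE)
            continue;
        if (results[i] != PAM_SUCCESS && err == PAM_SUCCESS)
            err = results[i];
    }
    return err;
}

/* Scenario from the ticket: a local user unknown to SSSD, with pam_sss
 * first and pam_unix second. The pam_unix result is a constructed value
 * standing in for a local account that exists and is in good standing. */
int local_user_outcome(bool with_option)
{
    struct pam_sss_opts o;
    const char *argv[] = { "ignore_unknown_user" };
    parse_opts(with_option ? 1 : 0, argv, &o);
    int stack[] = {
        pam_sss_acct_result(PAM_USER_UNKNOWN, &o), /* pam_sss */
        PAM_SUCCESS                                /* pam_unix (assumed) */
    };
    return run_required_stack(stack, 2);
}

/* A user SSSD does know but whose HBAC rules deny access: the option
 * must not change this outcome, which is what keeps "required" meaningful. */
int hbac_denied_outcome(bool with_option)
{
    struct pam_sss_opts o;
    const char *argv[] = { "ignore_unknown_user" };
    parse_opts(with_option ? 1 : 0, argv, &o);
    int stack[] = {
        pam_sss_acct_result(PAM_PERM_DENIED, &o),  /* pam_sss, HBAC deny */
        PAM_SUCCESS                                /* pam_unix (assumed) */
    };
    return run_required_stack(stack, 2);
}

int main(void)
{
    printf("local user, no option:   %d\n", local_user_outcome(false));
    printf("local user, with option: %d\n", local_user_outcome(true));
    printf("HBAC denied, with option: %d\n", hbac_denied_outcome(true));
    return 0;
}
```

Without the option the local user is rejected because pam_sss, being required, returns PAM_USER_UNKNOWN and that failure sticks even though pam_unix would have accepted the account; with the option pam_sss drops out of the decision and pam_unix answers. The HBAC case shows the point a reviewer would check: the option only rewrites the "unknown user" code, so a denial for a user SSSD does manage is still enforced.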

Thanks a lot for the patch! It looks OK to me, builds fine and the intent looks fine as well. Can you send the patch to sssd-devel so other developers can take a look as well?

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.5
rhbz: => 0

Updated patch (0001-PAM-add-ignore_unknown_user-option.patch)

owner: somebody => jhrozek

Fields changed

owner: jhrozek => somebody

Fields changed

resolution: => fixed
status: new => closed

Lukas implemented additional improvement for cases when sssd is not running:

Metadata Update from @petef:
- Issue set to the milestone: SSSD 1.11.5
