depot/patches/base/kanidm/unixd-authenticated.patch

64 lines
2.4 KiB
Diff
Raw Permalink Normal View History

diff --git a/unix_integration/resolver/src/idprovider/kanidm.rs b/unix_integration/resolver/src/idprovider/kanidm.rs
index 63cedb4d5..35c45fb0e 100644
--- a/unix_integration/resolver/src/idprovider/kanidm.rs
+++ b/unix_integration/resolver/src/idprovider/kanidm.rs
@@ -7,6 +7,7 @@ use kanidm_proto::internal::OperationError;
2024-06-04 17:08:36 +03:00
use kanidm_proto::v1::{UnixGroupToken, UnixUserToken};
use std::collections::BTreeSet;
use std::time::{Duration, SystemTime};
2023-12-02 20:06:15 +02:00
+use std::env;
use tokio::sync::{broadcast, Mutex};
2023-12-02 20:06:15 +02:00
use kanidm_lib_crypto::CryptoPolicy;
@@ -38,6 +39,8 @@ struct KanidmProviderInternal {
hmac_key: HmacKey,
crypto_policy: CryptoPolicy,
pam_allow_groups: BTreeSet<String>,
+ auth_name: Option<String>,
+ auth_password: Option<String>,
2023-12-02 20:06:15 +02:00
}
pub struct KanidmProvider {
@@ -102,6 +105,19 @@ impl KanidmProvider {
.map(|GroupMap { local, with }| (local, Id::Name(with)))
.collect();
2023-12-02 20:06:15 +02:00
+ let env_username: Option<String>;
+ let env_password: Option<String>;
+ match (env::var_os("KANIDM_NAME"), env::var_os("KANIDM_PASSWORD")) {
+ (Some(username), Some(password)) => {
+ env_username = Some(username.into_string().unwrap());
+ env_password = Some(password.into_string().unwrap());
+ },
+ _ => {
+ env_username = None;
+ env_password = None;
+ }
+ }
+
Ok(KanidmProvider {
inner: Mutex::new(KanidmProviderInternal {
state: CacheState::OfflineNextCheck(now),
@@ -109,6 +125,8 @@ impl KanidmProvider {
hmac_key,
crypto_policy,
pam_allow_groups,
+ auth_name: env_username,
+ auth_password: env_password
}),
map_group,
})
@@ -256,7 +274,11 @@ impl KanidmProviderInternal {
2023-12-02 20:06:15 +02:00
}
2024-06-04 17:08:36 +03:00
async fn attempt_online(&mut self, _tpm: &mut tpm::BoxedDynTpm, now: SystemTime) -> bool {
- match self.client.auth_anonymous().await {
2023-12-02 20:06:15 +02:00
+ let auth_method = match (&self.auth_name, &self.auth_password) {
+ (Some(name), Some(password)) => self.client.auth_simple_password(name, password).await,
+ _ => self.client.auth_anonymous().await
2023-12-02 20:06:15 +02:00
+ };
+ match auth_method {
Ok(_uat) => {
self.state = CacheState::Online;
true