Merge pull request #236 from himmelblau-idm/stable-0.6.x_ignore_local…

…_map Ensure local users are ignored when CN mapping
himmelblau-idm · Oct 11, 2024 · f794609 · f794609
2 parents 39de06b + f344fcd
commit f794609
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,7 +16,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.6.7"
+version = "0.6.8"
 authors = [
     "David Mulder <dmulder@suse.com>"
 ]
@@ -76,7 +76,7 @@ tracing-forest = "^0.1.6"
 rusqlite = "^0.32.0"
 hashbrown = { version = "0.14.0", features = ["serde", "inline-more", "ahash"] }
 lru = "^0.12.3"
-kanidm_lib_crypto = { path = "./src/crypto", version = "0.6.7" }
+kanidm_lib_crypto = { path = "./src/crypto", version = "0.6.8" }
 kanidm_utils_users = { path = "./src/users" }
 walkdir = "2"
 csv = "1.2.2"

diff --git a/platform/debian/scripts/postinst b/platform/debian/scripts/postinst
@@ -32,4 +32,5 @@ SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d"
 SSHD_CONFIG_FILE="${SSHD_CONFIG_DIR}/himmelblau.conf"
 if [ -d "$SSHD_CONFIG_DIR" ]; then
     echo "KbdInteractiveAuthentication yes" > "$SSHD_CONFIG_FILE"
+    echo "Please restart the ssh daemon to ensure MFA works properly!"
 fi
diff --git a/src/glue/src/unix_config.rs b/src/glue/src/unix_config.rs
@@ -1,5 +1,8 @@
 use himmelblau_unix_common::config::HimmelblauConfig;
 use himmelblau_unix_common::constants::{DEFAULT_CONN_TIMEOUT, DEFAULT_SOCK_PATH};
+use himmelblau_unix_common::unix_passwd::parse_etc_passwd;
+use std::fs::File;
+use std::io::Read;
 
 pub struct KanidmUnixdConfig {
     pub domains: Vec<String>,
@@ -29,6 +32,21 @@ impl KanidmUnixdConfig {
     }
 
     pub fn map_cn_name(&self, account_id: &str) -> String {
+        // Make sure this account_id isn't a local user
+        let mut contents = vec![];
+        if let Ok(mut file) = File::open("/etc/passwd") {
+            let _ = file.read_to_end(&mut contents);
+        }
+        let local_users = parse_etc_passwd(contents.as_slice()).unwrap_or_default();
+        if local_users
+            .into_iter()
+            .map(|u| u.name.to_string())
+            .collect::<Vec<String>>()
+            .contains(&account_id.to_string())
+        {
+            return account_id.to_string();
+        }
+
         if self.cn_name_mapping && !account_id.contains('@') && !self.domains.is_empty() {
             return format!("{}@{}", account_id, self.domains[0]);
         }