[pve-devel] r5579 - in pve-access-control/trunk: . PVE PVE/API2
Tue Feb 22 08:41:39 CET 2011
Author: dietmar
Date: 2011-02-22 08:41:39 +0100 (Tue, 22 Feb 2011)
New Revision: 5579
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/API2/Domains.pm
pve-access-control/trunk/PVE/API2/User.pm
pve-access-control/trunk/PVE/AccessControl.pm
pve-access-control/trunk/README
Log:
realm is now part of the username.
Example: 'userid@realm'
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/ChangeLog 2011-02-22 07:41:39 UTC (rev 5579)
@@ -1,5 +1,8 @@
2011-02-22 Proxmox Support Team <support at proxmox.com>
+ * PVE/AccessControl.pm: realm is now part of the username.
+ Example: 'userid at realm'
+
* PVE/AccessControl.pm (parse_user_config): add firstname/lastname
and email fields.
Modified: pve-access-control/trunk/PVE/API2/Domains.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/Domains.pm 2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/PVE/API2/Domains.pm 2011-02-22 07:41:39 UTC (rev 5579)
@@ -43,9 +43,9 @@
my $cfg = cfs_read_file($domainconfigfile);
- foreach my $domid (keys %$cfg) {
- my $d = $cfg->{$domid};
- my $entry = { id => $domid, type => $d->{type} };
+ foreach my $realm (keys %$cfg) {
+ my $d = $cfg->{$realm};
+ my $entry = { id => $realm, type => $d->{type} };
$entry->{comment} = $d->{comment} if $d->{comment};
push @$res, $entry;
}
@@ -56,13 +56,13 @@
__PACKAGE__->register_method ({
name => 'create',
protected => 1,
- path => '{domid}',
+ path => '{realm}',
method => 'POST',
description => "Add an authentication server.",
parameters => {
additionalProperties => 0,
properties => {
- domid => get_standard_option('domid'),
+ realm => get_standard_option('realm'),
type => {
description => "Server type.",
type => 'string',
@@ -104,21 +104,21 @@
my $cfg = cfs_read_file($domainconfigfile);
- my $domid = $param->{domid};
+ my $realm = $param->{realm};
- die "domain '$domid' already exists\n"
- if $cfg->{$domid};
+ die "domain '$realm' already exists\n"
+ if $cfg->{$realm};
- die "unable to use reserved name '$domid'\n"
- if ($domid eq 'pam' || $domid eq 'pve');
+ die "unable to use reserved name '$realm'\n"
+ if ($realm eq 'pam' || $realm eq 'pve');
- $cfg->{$domid} = {
+ $cfg->{$realm} = {
type => $param->{type},
server1 => $param->{server1},
};
foreach my $p (qw(server2 port basedn)) {
- $cfg->{$domid}->{$p} = $param->{$p} if $param->{$p};
+ $cfg->{$realm}->{$p} = $param->{$p} if $param->{$p};
}
cfs_write_file($domainconfigfile, $cfg);
@@ -130,13 +130,13 @@
__PACKAGE__->register_method ({
name => 'update',
protected => 1,
- path => '{domid}',
+ path => '{realm}',
method => 'PUT',
description => "Add an authentication server.",
parameters => {
additionalProperties => 0,
properties => {
- domid => get_standard_option('domid'),
+ realm => get_standard_option('realm'),
server1 => {
description => "Server IP address (or DNS name)",
type => 'string',
@@ -174,17 +174,17 @@
my $cfg = cfs_read_file($domainconfigfile);
- my $domid = $param->{domid};
- delete $param->{domid};
+ my $realm = $param->{realm};
+ delete $param->{realm};
- die "unable to modify bultin domain '$domid'\n"
- if ($domid eq 'pam' || $domid eq 'pve');
+ die "unable to modify bultin domain '$realm'\n"
+ if ($realm eq 'pam' || $realm eq 'pve');
- die "domain '$domid' does not exist\n"
- if !$cfg->{$domid};
+ die "domain '$realm' does not exist\n"
+ if !$cfg->{$realm};
foreach my $p (keys %$param) {
- $cfg->{$domid}->{$p} = $param->{$p};
+ $cfg->{$realm}->{$p} = $param->{$p};
}
cfs_write_file($domainconfigfile, $cfg);
@@ -196,13 +196,13 @@
# fixme: return format!
__PACKAGE__->register_method ({
name => 'read',
- path => '{domid}',
+ path => '{realm}',
method => 'GET',
description => "Get auth server configuration.",
parameters => {
additionalProperties => 0,
properties => {
- domid => get_standard_option('domid'),
+ realm => get_standard_option('realm'),
},
},
returns => {},
@@ -211,10 +211,10 @@
my $cfg = cfs_read_file($domainconfigfile);
- my $domid = $param->{domid};
+ my $realm = $param->{realm};
- my $data = $cfg->{$domid};
- die "domain '$domid' does not exist\n" if !$data;
+ my $data = $cfg->{$realm};
+ die "domain '$realm' does not exist\n" if !$data;
return $data;
}});
@@ -223,13 +223,13 @@
__PACKAGE__->register_method ({
name => 'delete',
protected => 1,
- path => '{domid}',
+ path => '{realm}',
method => 'DELETE',
description => "Delete an authentication server.",
parameters => {
additionalProperties => 0,
properties => {
- domid => get_standard_option('domid'),
+ realm => get_standard_option('realm'),
}
},
returns => { type => 'null' },
@@ -241,11 +241,11 @@
my $cfg = cfs_read_file($domainconfigfile);
- my $domid = $param->{domid};
+ my $realm = $param->{realm};
- die "domain '$domid' does not exist\n" if !$cfg->{$domid};
+ die "domain '$realm' does not exist\n" if !$cfg->{$realm};
- delete $cfg->{$domid};
+ delete $cfg->{$realm};
cfs_write_file($domainconfigfile, $cfg);
}, "delete auth server failed");
Modified: pve-access-control/trunk/PVE/API2/User.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/User.pm 2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/PVE/API2/User.pm 2011-02-22 07:41:39 UTC (rev 5579)
@@ -20,7 +20,7 @@
my $res = {};
- foreach my $prop (qw(domid enabled expire firstname lastname email comment)) {
+ foreach my $prop (qw(enabled expire firstname lastname email comment)) {
$res->{$prop} = $data->{$prop} if defined($data->{$prop});
}
@@ -101,7 +101,6 @@
additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
- domid => get_standard_option('domid', { optional => 1 }),
password => { type => 'string', optional => 1 },
groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
firstname => { type => 'string', optional => 1 },
@@ -123,20 +122,17 @@
PVE::AccessControl::lock_user_config(
sub {
- my $username = PVE::AccessControl::verify_username($param->{userid});
+ my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
die "user '$username' already exists\n"
if $usercfg->{users}->{$username};
- my $domid = $param->{domid};
-
- PVE::AccessControl::domain_set_password($domid, $username, $param->{password})
+ PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
if $param->{password};
$usercfg->{users}->{$username} = { enabled => 1 };
- $usercfg->{users}->{$username}->{domid} = $domid if $domid;
$usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
if ($param->{groups}) {
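Review bot: `domain_set_password($realm, $ruid, $param->{password})` runs before the new record is placed in `$usercfg` and before the config write that presumably ends this locked closure, so if a later step dies (the groups handling that begins at the end of this hunk continues outside it), a shadow.cfg entry or a changed PAM password is left behind for a user that was never created. Move the password store to the end of the closure, after the groups input has been handled, so a failed create leaves no credential behind. The lock_user_config closure starts before this hunk and ends after it.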
@@ -174,7 +170,6 @@
returns => {
additionalProperties => 0,
properties => {
- domid => get_standard_option('domid'),
enabled => { type => 'boolean' },
expire => { type => 'integer' },
firstname => { type => 'string', optional => 1 },
@@ -209,7 +204,6 @@
additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
- domid => get_standard_option('domid', { optional => 1 }),
password => { type => 'string', optional => 1 },
groups => { type => 'string', optional => 1, format => 'pve-groupid-list' },
append => {
@@ -241,7 +235,7 @@
die "conflicting parameters unlock/lock\n"
if $param->{unlock} && $param->{lock};
- my ($username, undef, $domain) =
+ my ($username, $ruid, $realm) =
PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
@@ -249,19 +243,15 @@
die "user '$username' does not exist\n"
if !$usercfg->{users}->{$username};
- my $domid = $param->{domid};
-
- PVE::AccessControl::domain_set_password($domid, $username, $param->{password})
+ PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
if $param->{password};
$usercfg->{users}->{$username}->{enabled} = 1 if $param->{unlock};
$usercfg->{users}->{$username}->{enabled} = 0 if $param->{lock};
- $usercfg->{users}->{$username}->{domid} = $domid if $domid;
+ $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
- $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
-
PVE::AccessControl::delete_user_group($username, $usercfg)
if (!$param->{append} && $param->{groups});
@@ -305,7 +295,7 @@
PVE::AccessControl::lock_user_config(
sub {
- my ($username, undef, $domain) =
+ my ($username, $ruid, $realm) =
PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
@@ -315,7 +305,7 @@
delete ($usercfg->{users}->{$username});
- PVE::AccessControl::delete_shadow_password($username) if !$domain;
+ PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve';
PVE::AccessControl::delete_user_group($username, $usercfg);
PVE::AccessControl::delete_user_acl($username, $usercfg);
Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm 2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/PVE/AccessControl.pm 2011-02-22 07:41:39 UTC (rev 5579)
@@ -143,28 +143,28 @@
}
sub authenticate_user_shadow {
- my ($username, $password) = @_;
+ my ($userid, $password) = @_;
die "no password\n" if !$password;
my $shadow_cfg = cfs_read_file($shadowconfigfile);
- if ($shadow_cfg->{users}->{$username}) {
- my $encpw = crypt($password, $shadow_cfg->{users}->{$username}->{shadow});
- die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$username}->{shadow});
+ if ($shadow_cfg->{users}->{$userid}) {
+ my $encpw = crypt($password, $shadow_cfg->{users}->{$userid}->{shadow});
+ die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$userid}->{shadow});
} else {
die "no password set\n";
}
}
sub authenticate_user_pam {
- my ($username, $password) = @_;
+ my ($userid, $password) = @_;
# user (www-data) need to be able to read /etc/passwd /etc/shadow
die "no password\n" if !$password;
- my $pamh = new Authen::PAM ('common-auth', $username, sub {
+ my $pamh = new Authen::PAM ('common-auth', $userid, sub {
my @res;
while(@_) {
my $msg_type = shift;
@@ -197,11 +197,11 @@
sub authenticate_user_ad {
- my ($server, $username, $password) = @_;
+ my ($server, $userid, $password) = @_;
my $ldap = Net::LDAP->new($server) || die "$@\n";
- my $res = $ldap->bind($username, password => $password);
+ my $res = $ldap->bind($userid, password => $password);
my $code = $res->code();
my $err = $res->error;
@@ -213,15 +213,14 @@
sub authenticate_user_ldap {
- my ($entry, $server, $username, $password) = @_;
+ my ($entry, $server, $userid, $password) = @_;
- my (undef, $user, $domain) = verify_username($username);
my $default_port = ($entry->{type} eq 'ldap') ? 389 : 636;
my $port = $entry->{port} ? $entry->{port} : $default_port;
my $conn_string = $entry->{type} . "://" if ($entry->{type} ne 'ldap');
$conn_string .= $server . ":" . $port;
my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
- my $search = $entry->{user_attr} . "=" . $user;
+ my $search = $entry->{user_attr} . "=" . $userid;
my $result = $ldap->search( base => "$entry->{base_dn}",
scope => "sub",
filter => "$search",
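Review bot: `$userid` is interpolated unescaped into the LDAP search filter at `my $search = $entry->{user_attr} . "=" . $userid;`, and with this commit verify_username admits any non-space, non-colon character, so `(`, `)`, `*` and `\` in the id part now reach the filter where the old `[A-Za-z0-9\.\-_]+` class kept them out. That lets a caller reshape the filter (a bare `*` matches every entry under base_dn) ahead of whatever bind follows the search outside this hunk. Escape the value before building the filter: `use Net::LDAP::Util qw(escape_filter_value);` and `my $search = $entry->{user_attr} . "=" . escape_filter_value($userid);`. The rest of authenticate_user_ldap continues past the end of the hunk.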
@@ -240,37 +239,37 @@
}
sub authenticate_user_domain {
- my ($domid, $username, $password) = @_;
+ my ($realm, $userid, $password) = @_;
my $domain_cfg = cfs_read_file($domainconfigfile);
- die "no auth domain specified" if !$domid;
+ die "no auth domain specified" if !$realm;
- if ($domid eq 'pam') {
- authenticate_user_pam($username, $password);
+ if ($realm eq 'pam') {
+ authenticate_user_pam($userid, $password);
return;
}
eval {
- if ($domid eq 'pve') {
- authenticate_user_shadow($username, $password);
+ if ($realm eq 'pve') {
+ authenticate_user_shadow($userid, $password);
} else {
- my $cfg = $domain_cfg->{$domid};
- die "auth domain '$domid' does not exists\n" if !$cfg;
+ my $cfg = $domain_cfg->{$realm};
+ die "auth domain '$realm' does not exists\n" if !$cfg;
if ($cfg->{type} eq 'ad') {
- eval { authenticate_user_ad($cfg->{server1}, $username, $password); };
+ eval { authenticate_user_ad($cfg->{server1}, $userid, $password); };
my $err = $@;
return if !$err;
die $err if !$cfg->{server2};
- authenticate_user_ad($cfg->{server2}, $username, $password);
+ authenticate_user_ad($cfg->{server2}, $userid, $password);
} elsif (($cfg->{type} eq 'ldap') || ($cfg->{type} eq 'ldaps')) {
- eval { authenticate_user_ldap($cfg, $cfg->{server1}, $username, $password); };
+ eval { authenticate_user_ldap($cfg, $cfg->{server1}, $userid, $password); };
my $err = $@;
return if !$err;
die $err if !$cfg->{server2};
- authenticate_user_ldap($cfg, $cfg->{server2}, $username, $password);
+ authenticate_user_ldap($cfg, $cfg->{server2}, $userid, $password);
} else {
die "unknown auth type '$cfg->{type}'\n";
}
@@ -304,8 +303,10 @@
die "no username specified\n" if !$username;
- $username = verify_username($username);
-
+ my ($userid, $realm);
+
+ ($username, $userid, $realm) = verify_username($username);
+
my $usercfg = cfs_read_file('user.cfg');
if (!user_enabled($usercfg, $username)) {
@@ -315,18 +316,13 @@
my $ctime = time();
my $expire = $usercfg->{users}->{$username}->{expire};
- my $domid = $usercfg->{users}->{$username}->{domid};
if ($expire && ($expire < $ctime)) {
sleep(2);
die "account expired\n"
}
- if ($username eq 'root') { # always use PAM for root
- authenticate_user_pam($username, $password);
- } else {
- authenticate_user_domain($domid, $username, $password);
- }
+ authenticate_user_domain($realm, $userid, $password);
};
die "auth failed: $@" if $@;
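Review bot: `authenticate_user_domain($realm, $userid, $password)` is now the only dispatch, but the `die "no password\n"` guard exists only in the shadow and PAM branches (earlier hunks), not in authenticate_user_ad or authenticate_user_ldap; an empty password on an AD realm reaches `$ldap->bind($userid, password => '')`, which many directories treat as an anonymous bind that succeeds. Unless a guard already exists earlier in authenticate_user outside this hunk, add `die "no password\n" if !defined($password) || $password eq '';` next to the `no username specified` check so every realm type is covered before dispatch. authenticate_user starts before this hunk.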
@@ -335,22 +331,22 @@
}
sub delete_shadow_password {
- my ($username) = @_;
+ my ($userid) = @_;
lock_shadow_config(sub {
my $shadow_cfg = cfs_read_file($shadowconfigfile);
- delete ($shadow_cfg->{users}->{$username})
- if $shadow_cfg->{users}->{$username};
+ delete ($shadow_cfg->{users}->{$userid})
+ if $shadow_cfg->{users}->{$userid};
cfs_write_file($shadowconfigfile, $shadow_cfg);
});
}
sub store_shadow_password {
- my ($username, $password) = @_;
+ my ($userid, $password) = @_;
lock_shadow_config(sub {
my $shadow_cfg = cfs_read_file($shadowconfigfile);
- $shadow_cfg->{users}->{$username}->{shadow} = encrypt_pw($password);
+ $shadow_cfg->{users}->{$userid}->{shadow} = encrypt_pw($password);
cfs_write_file($shadowconfigfile, $shadow_cfg);
});
}
@@ -363,31 +359,29 @@
}
sub store_pam_password {
- my ($username, $password) = @_;
+ my ($userid, $password) = @_;
my $cmd = ['/usr/sbin/usermod'];
my $epw = encrypt_pw($password);
push @$cmd, '-p', $epw;
- push @$cmd, $username;
+ push @$cmd, $userid;
run_command($cmd);
}
sub domain_set_password {
- my ($domid, $username, $password) = @_;
+ my ($realm, $userid, $password) = @_;
- if ($username eq 'root') {
- store_pam_password($username, $password);
- } elsif ($domid) {
- if ($domid eq 'pam') {
- store_pam_password($username, $password);
- } else {
- die "can't set password on auth domain '$domid'\n";
- }
+ die "no auth domain specified" if !$realm;
+
+ if ($realm eq 'pam') {
+ store_pam_password($userid, $password);
+ } elsif ($realm eq 'pve') {
+ store_shadow_password($userid, $password);
} else {
- store_shadow_password($username, $password);
+ die "can't set password on auth domain '$realm'\n";
}
}
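Review bot: store_pam_password passes `$userid` straight to `/usr/sbin/usermod` as its last argument, and the new verify_username pattern no longer restricts the id part to `[A-Za-z0-9.\-_]`, so an id such as `-R` or `--help` is parsed by usermod as an option rather than an account name. Because the `pam` branch of domain_set_password is the path by which a caller with password-setting rights reaches local system accounts, validate before the call: `die "invalid pam user name '$userid'\n" if $userid !~ m/^[a-z_][a-z0-9_-]*\z/;` (adjust to the system's own user-name rules if they are wider). List-form run_command already avoids a shell, so this is about argument parsing, not command injection.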
@@ -576,6 +570,18 @@
return $path;
}
+my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
+
+sub pve_verify_realm {
+ my ($realm, $noerr) = @_;
+
+ if ($realm !~ m/^${realm_regex}$/) {
+ return undef if $noerr;
+ die "value does not look like a valid realm\n";
+ }
+ return $realm;
+}
+
PVE::JSONSchema::register_format('pve-userid', \&verify_username);
sub verify_username {
my ($username, $noerr) = @_;
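Review bot: `$realm_regex` is `[A-Za-z][A-Za-z0-9\.\-_]+`, which requires at least two characters, so a single-letter realm is rejected; if that is not intended, the trailing quantifier should be `*`. The match in pve_verify_realm also anchors with `$`, which accepts a trailing newline; `m/^${realm_regex}\z/` is the strict form. A one-line comment on the regex, `# realm names: a leading letter, then letters, digits, '.', '-' or '_'`, would make the rule visible to callers. verify_username begins at the end of this hunk and continues past it.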
@@ -593,11 +599,11 @@
# we only allow a limited set of characters (colon is not allowed,
# because we store usernames in colon separated lists)!
- if ($username =~ m/^([A-Za-z0-9\.\-_]+)(\@([A-Za-z0-9\.\-_]+))?$/) {
- return wantarray ? ($username, $1, $3) : $username;
+ if ($username =~ m/^([^\s:]+)\@(${realm_regex})$/) {
+ return wantarray ? ($username, $1, $2) : $username;
}
- die "user name '$username' contains invalid characters\n" if !$noerr;
+ die "value '$username' does not look like a valid user name\n" if !$noerr;
return undef;
}
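Review bot: the new user-id class `[^\s:]+` is much looser than the old `[A-Za-z0-9\.\-_]+`, and the rationale in the comment above (colon-separated lists) misses a second separator: group user lists are written with `join(',', ...)` in write_user_config, so an id containing `,` splits into two entries on the next parse. It also admits `@`, so `a@b@pve` parses as id `a@b` in realm `pve`, plus the LDAP filter and usermod option characters raised on the other hunks. Tighten to `m/^([^\s:,]+)\@(${realm_regex})\z/` at minimum, and exclude `@` as well unless ids carrying an AD user principal name are intended. The comment should then name both separators: `# colon and comma are not allowed, because we store usernames in colon separated records and comma separated group lists`.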
@@ -606,7 +612,7 @@
type => 'string', format => 'pve-userid',
});
-PVE::JSONSchema::register_standard_option('domid', {
+PVE::JSONSchema::register_standard_option('realm', {
description => "Authentication domain ID",
type => 'string', format => 'pve-configid',
});
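Review bot: the `realm` standard option keeps `format => 'pve-configid'` while the domain.cfg parser now validates realm names with `pve_verify_realm` (later hunk), so the two sides can disagree: a name accepted on the API create path but not matching `$realm_regex` is written to domain.cfg and then dropped with `ignoring domain ... (illegal characters)` on the next read. Register the new check as a format and use it here: `PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);` and `type => 'string', format => 'pve-realm',`.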
@@ -661,10 +667,8 @@
# fixme: remove 'root' group (not required)?
- # add root user and group (superuser)
- $cfg->{users}->{root}->{enabled} = 1;
- $cfg->{users}->{root}->{groups}->{root} = 1;
- $cfg->{groups}->{root}->{users}->{root} = 1;
+ # add root user
+ $cfg->{users}->{'root at pam'}->{enabled} = 1;
}
sub parse_user_config {
@@ -691,18 +695,14 @@
my $et = shift @data;
if ($et eq 'user') {
- my ($user, $enabled, $expire, $domid, $firstname, $lastname, $email, $comment) = @data;
+ my ($user, $enabled, $expire, $firstname, $lastname, $email, $comment) = @data;
- if (!verify_username($user, 1)) {
- warn "user config - ignore user '$user' - invalid characters in user name\n";
+ my (undef, undef, $realm) = verify_username($user, 1);
+ if (!$realm) {
+ warn "user config - ignore user '$user' - invalid user name\n";
next;
}
- if ($domid && !PVE::JSONSchema::pve_verify_configid($domid, 1)) {
- warn "user config - ignore user '$user' - (illegal characters in domain '$domid')\n";
- next;
- }
-
$enabled = $enabled ? 1 : 0;
$expire = 0 if !$expire;
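Review bot: there is no compatibility path for an existing user.cfg here: the `user:` record loses its domid column, so an old line's domain value is now read as `$firstname` and every following field shifts, and a legacy name without `@realm` fails verify_username and is dropped with the new warning. If configs written before this revision must still load, map a bare name to the old default before verifying, for example `$user = ($user eq 'root') ? 'root@pam' : "$user\@pve" if $user !~ m/\@/;`, and detect the old column layout (for example by field count) instead of silently misassigning fields. If a clean break is intended, the ChangeLog entry should say so. parse_user_config continues past this hunk.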
@@ -722,7 +722,6 @@
enabled => $enabled,
# group => $group,
};
- $cfg->{users}->{$user}->{domid} = $domid ? $domid : 'pve';
$cfg->{users}->{$user}->{firstname} = decode_text($firstname) if $firstname;
$cfg->{users}->{$user}->{lastname} = decode_text($lastname) if $lastname;
$cfg->{users}->{$user}->{email} = $email;
@@ -839,8 +838,8 @@
next;
}
- my ($username,$crypt_pass) = split (/:/, $line);
- $shadow->{users}->{$username}->{shadow} = $crypt_pass;
+ my ($userid, $crypt_pass) = split (/:/, $line);
+ $shadow->{users}->{$userid}->{shadow} = $crypt_pass;
}
return $shadow;
@@ -851,8 +850,8 @@
my $data = '';
- foreach my $domid (sort keys %$cfg) {
- my $entry = $cfg->{$domid};
+ foreach my $realm (sort keys %$cfg) {
+ my $entry = $cfg->{$realm};
my $type = $entry->{type};
next if !$type;
@@ -861,7 +860,7 @@
my $formats = $valid_attributes->{$type};
next if !$formats;
- $data .= "$type: $domid\n";
+ $data .= "$type: $realm\n";
foreach my $k (sort keys %$entry) {
next if $k eq 'type';
@@ -898,7 +897,7 @@
next if $line =~ m/^\s*$/; # skip empty lines
if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
- my $domid = $2;
+ my $realm = $2;
my $type = lc($1);
my $ignore = 0;
@@ -907,10 +906,10 @@
my $formats = $valid_attributes->{$type};
if (!$formats) {
$ignore = 1;
- warn "ignoring domain '$domid' - (unsupported authentication type '$type')\n";
- } elsif (!PVE::JSONSchema::pve_verify_configid($domid, 1)) {
+ warn "ignoring domain '$realm' - (unsupported authentication type '$type')\n";
+ } elsif (!pve_verify_realm($realm, 1)) {
$ignore = 1;
- warn "ignoring domain '$domid' - (illegal characters)\n";
+ warn "ignoring domain '$realm' - (illegal characters)\n";
} else {
$entry = { type => $type };
}
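Review bot: pve_verify_realm does not reject the reserved names `pam` and `pve`; the API create handler refuses them, but a hand-edited domain.cfg containing `ldap: pve` is accepted here and stored under `$cfg->{pve}`, which does not affect authentication (the built-ins are dispatched before the config lookup) but does appear in the realm index and in read/update/delete. Add the same check in the parser: `} elsif ($realm eq 'pam' || $realm eq 'pve') { $ignore = 1; warn "ignoring domain '$realm' - reserved name\n";` before the `else` that builds `$entry`.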
@@ -952,15 +951,15 @@
if ($ignore) {
# do nothing
} elsif (!$entry->{server1}) {
- warn "ignoring domain '$domid' - missing server attribute\n";
+ warn "ignoring domain '$realm' - missing server attribute\n";
} elsif ((($entry->{type} eq "ldap") || ($entry->{type} eq "ldaps")) &&
(!$entry->{user_attr})) {
- warn "ignoring domain '$domid' - missing user attribute\n";
+ warn "ignoring domain '$realm' - missing user attribute\n";
} elsif ((($entry->{type} eq "ldap") || ($entry->{type} eq "ldaps")) &&
(!$entry->{base_dn})) {
- warn "ignoring domain '$domid' - missing base_dn attribute\n";
+ warn "ignoring domain '$realm' - missing base_dn attribute\n";
} else {
- $cfg->{$domid} = $entry;
+ $cfg->{$realm} = $entry;
}
} else {
@@ -987,9 +986,9 @@
my ($filename, $cfg) = @_;
my $data = '';
- foreach my $user (keys %{$cfg->{users}}) {
- my $crypt_pass = $cfg->{users}->{$user}->{shadow};
- $data .= "$user:$crypt_pass:\n";
+ foreach my $userid (keys %{$cfg->{users}}) {
+ my $crypt_pass = $cfg->{users}->{$userid}->{shadow};
+ $data .= "$userid:$crypt_pass:\n";
}
return $data
@@ -1001,24 +1000,21 @@
my $data = '';
foreach my $user (keys %{$cfg->{users}}) {
- next if $user eq 'root';
+ next if $user eq 'root at pam';
my $d = $cfg->{users}->{$user};
- my $domid = $d->{domid} || 'pve';
my $firstname = $d->{firstname} ? encode_text($d->{firstname}) : '';
my $lastname = $d->{lastname} ? encode_text($d->{lastname}) : '';
my $email = $d->{email} || '';
my $comment = $d->{comment} ? encode_text($d->{comment}) : '';
my $expire = int($d->{expire}) || 0;
my $enabled = $d->{enabled} ? 1 : 0;
- $data .= "user:$user:$enabled:$expire:$domid:$firstname:$lastname:$email:$comment:\n";
+ $data .= "user:$user:$enabled:$expire:$firstname:$lastname:$email:$comment:\n";
}
$data .= "\n";
foreach my $group (keys %{$cfg->{groups}}) {
- next if $group eq 'root';
-
my $d = $cfg->{groups}->{$group};
my $list = join (',', keys %{$d->{users}});
my $comment = $d->{comment} ? encode_text($d->{comment}) : '';
@@ -1061,7 +1057,7 @@
foreach my $user (keys %{$d->{users}}) {
# no need to save, because root is always 'Administartor'
- next if $user eq 'root';
+ next if $user eq 'root at pam';
my $l0 = '';
my $l1 = '';
@@ -1095,7 +1091,7 @@
sub roles {
my ($cfg, $user, $path) = @_;
- return 'Administrator' if $user eq 'root'; # root can do anything
+ return 'Administrator' if $user eq 'root at pam'; # root can do anything
my $perm = {};
Modified: pve-access-control/trunk/README
===================================================================
--- pve-access-control/trunk/README 2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/README 2011-02-22 07:41:39 UTC (rev 5579)
@@ -12,12 +12,12 @@
User Authentication
===================
-Proxmox VE can use several different authentication servers. Those
+Proxmox VE can use different authentication servers. Those
servers are listed in '/etc/pve/priv/domain.cfg', indexed by a unique
-ID (called authentication domain or realm).
+ID (called 'authentication domain' or 'realm').
User names need to be unique. We create unique names by adding the
-'realm' to the user ID.
+'realm' to the user ID: <userid>@<realm>
File format 'domain.cfg'
----example domains.cfg ------------------
@@ -61,11 +61,9 @@
group:
group_name: the name of the group
- comment: a more verbose description
user_list: list of login names
+ comment: a more verbose description
- special group root: group root has full administrative privileges
-
privileges:
defines rights required to execute actions or read