[pve-devel] r5579 - in pve-access-control/trunk: . PVE PVE/API2

svn-commits at proxmox.com svn-commits at proxmox.com
Tue Feb 22 08:41:39 CET 2011


Author: dietmar
Date: 2011-02-22 08:41:39 +0100 (Tue, 22 Feb 2011)
New Revision: 5579

Modified:
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/PVE/API2/Domains.pm
   pve-access-control/trunk/PVE/API2/User.pm
   pve-access-control/trunk/PVE/AccessControl.pm
   pve-access-control/trunk/README
Log:
realm is now part of the username.
	Example: 'userid at realm'


Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/ChangeLog	2011-02-22 07:41:39 UTC (rev 5579)
@@ -1,5 +1,8 @@
 2011-02-22  Proxmox Support Team  <support at proxmox.com>
 
+	* PVE/AccessControl.pm: realm is now part of the username.
+	Example: 'userid at realm'
+
 	* PVE/AccessControl.pm (parse_user_config): add firstname/lastname
 	and email fields.
 

Modified: pve-access-control/trunk/PVE/API2/Domains.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/Domains.pm	2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/PVE/API2/Domains.pm	2011-02-22 07:41:39 UTC (rev 5579)
@@ -43,9 +43,9 @@
 
 	my $cfg = cfs_read_file($domainconfigfile);
  
-	foreach my $domid (keys %$cfg) {
-	    my $d = $cfg->{$domid};
-	    my $entry = { id => $domid, type => $d->{type} };
+	foreach my $realm (keys %$cfg) {
+	    my $d = $cfg->{$realm};
+	    my $entry = { id => $realm, type => $d->{type} };
 	    $entry->{comment} = $d->{comment} if $d->{comment};
 	    push @$res, $entry;
 	}
@@ -56,13 +56,13 @@
 __PACKAGE__->register_method ({
     name => 'create', 
     protected => 1,
-    path => '{domid}', 
+    path => '{realm}', 
     method => 'POST',
     description => "Add an authentication server.",
     parameters => {
    	additionalProperties => 0,
 	properties => {
-	    domid =>  get_standard_option('domid'),
+	    realm =>  get_standard_option('realm'),
 	    type => {
 		description => "Server type.",
 		type => 'string', 
@@ -104,21 +104,21 @@
 			
 		my $cfg = cfs_read_file($domainconfigfile);
 
-		my $domid = $param->{domid};
+		my $realm = $param->{realm};
 	
-		die "domain '$domid' already exists\n" 
-		    if $cfg->{$domid};
+		die "domain '$realm' already exists\n" 
+		    if $cfg->{$realm};
 
-		die "unable to use reserved name '$domid'\n"
-		    if ($domid eq 'pam' || $domid eq 'pve');
+		die "unable to use reserved name '$realm'\n"
+		    if ($realm eq 'pam' || $realm eq 'pve');
 
-		$cfg->{$domid} = {
+		$cfg->{$realm} = {
 		    type => $param->{type},
 		    server1 => $param->{server1},
 		};
 
 		foreach my $p (qw(server2 port basedn)) {
-		    $cfg->{$domid}->{$p} = $param->{$p} if $param->{$p};
+		    $cfg->{$realm}->{$p} = $param->{$p} if $param->{$p};
 		}
 
 		cfs_write_file($domainconfigfile, $cfg);
@@ -130,13 +130,13 @@
 __PACKAGE__->register_method ({
     name => 'update', 
     protected => 1,
-    path => '{domid}', 
+    path => '{realm}', 
     method => 'PUT',
     description => "Add an authentication server.",
     parameters => {
    	additionalProperties => 0,
 	properties => {
-	    domid =>  get_standard_option('domid'),
+	    realm =>  get_standard_option('realm'),
 	    server1 => { 
 		description => "Server IP address (or DNS name)",		
 		type => 'string',
@@ -174,17 +174,17 @@
 			
 		my $cfg = cfs_read_file($domainconfigfile);
 
-		my $domid = $param->{domid};
-		delete $param->{domid};
+		my $realm = $param->{realm};
+		delete $param->{realm};
 
-		die "unable to modify bultin domain '$domid'\n"
-		    if ($domid eq 'pam' || $domid eq 'pve');
+		die "unable to modify bultin domain '$realm'\n"
+		    if ($realm eq 'pam' || $realm eq 'pve');
 
-		die "domain '$domid' does not exist\n" 
-		    if !$cfg->{$domid};
+		die "domain '$realm' does not exist\n" 
+		    if !$cfg->{$realm};
 
 		foreach my $p (keys %$param) {
-		    $cfg->{$domid}->{$p} = $param->{$p};
+		    $cfg->{$realm}->{$p} = $param->{$p};
 		}
 
 		cfs_write_file($domainconfigfile, $cfg);
@@ -196,13 +196,13 @@
 # fixme: return format!
 __PACKAGE__->register_method ({
     name => 'read', 
-    path => '{domid}', 
+    path => '{realm}', 
     method => 'GET',
     description => "Get auth server configuration.",
     parameters => {
    	additionalProperties => 0,
 	properties => {
-	    domid =>  get_standard_option('domid'),
+	    realm =>  get_standard_option('realm'),
 	},
     },
     returns => {},
@@ -211,10 +211,10 @@
 
 	my $cfg = cfs_read_file($domainconfigfile);
 
-	my $domid = $param->{domid};
+	my $realm = $param->{realm};
 	
-	my $data = $cfg->{$domid};
-	die "domain '$domid' does not exist\n" if !$data;
+	my $data = $cfg->{$realm};
+	die "domain '$realm' does not exist\n" if !$data;
 
 	return $data;
     }});
@@ -223,13 +223,13 @@
 __PACKAGE__->register_method ({
     name => 'delete', 
     protected => 1,
-    path => '{domid}', 
+    path => '{realm}', 
     method => 'DELETE',
     description => "Delete an authentication server.",
     parameters => {
    	additionalProperties => 0,
 	properties => {
-	    domid =>  get_standard_option('domid'),
+	    realm =>  get_standard_option('realm'),
 	}
     },
     returns => { type => 'null' },
@@ -241,11 +241,11 @@
 
 		my $cfg = cfs_read_file($domainconfigfile);
 
-		my $domid = $param->{domid};
+		my $realm = $param->{realm};
 	
-		die "domain '$domid' does not exist\n" if !$cfg->{$domid};
+		die "domain '$realm' does not exist\n" if !$cfg->{$realm};
 
-		delete $cfg->{$domid};
+		delete $cfg->{$realm};
 
 		cfs_write_file($domainconfigfile, $cfg);
 	    }, "delete auth server failed");

Modified: pve-access-control/trunk/PVE/API2/User.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/User.pm	2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/PVE/API2/User.pm	2011-02-22 07:41:39 UTC (rev 5579)
@@ -20,7 +20,7 @@
 
     my $res = {};
 
-    foreach my $prop (qw(domid enabled expire firstname lastname email comment)) {
+    foreach my $prop (qw(enabled expire firstname lastname email comment)) {
 	$res->{$prop} = $data->{$prop} if defined($data->{$prop});
     }
 
@@ -101,7 +101,6 @@
    	additionalProperties => 0,
 	properties => {
 	    userid => get_standard_option('userid'),
-	    domid =>  get_standard_option('domid', { optional => 1 }),
 	    password => { type => 'string', optional => 1 },
 	    groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
 	    firstname => { type => 'string', optional => 1 },
@@ -123,20 +122,17 @@
 	PVE::AccessControl::lock_user_config(
 	    sub {
 			
-		my $username = PVE::AccessControl::verify_username($param->{userid});
+		my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
 	
 		my $usercfg = cfs_read_file("user.cfg");
 
 		die "user '$username' already exists\n" 
 		    if $usercfg->{users}->{$username};
 			 
-		my $domid = $param->{domid};
-
-		PVE::AccessControl::domain_set_password($domid, $username, $param->{password})
+		PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
 		    if $param->{password};
 
 		$usercfg->{users}->{$username} = { enabled => 1 };
-		$usercfg->{users}->{$username}->{domid} = $domid if $domid;
 		$usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
 
 		if ($param->{groups}) {
@@ -174,7 +170,6 @@
     returns => {
    	additionalProperties => 0,
 	properties => {
-	    domid => get_standard_option('domid'),
 	    enabled => { type => 'boolean' },
 	    expire => { type => 'integer' },
 	    firstname => { type => 'string', optional => 1 },
@@ -209,7 +204,6 @@
    	additionalProperties => 0,
 	properties => {
 	    userid => get_standard_option('userid'),
-	    domid =>  get_standard_option('domid', { optional => 1 }),
 	    password => { type => 'string', optional => 1 },
 	    groups => { type => 'string', optional => 1,  format => 'pve-groupid-list'  },
 	    append => { 
@@ -241,7 +235,7 @@
 		die "conflicting parameters unlock/lock\n" 
 		    if $param->{unlock} && $param->{lock};
 
-		my ($username, undef, $domain) = 
+		my ($username, $ruid, $realm) = 
 		    PVE::AccessControl::verify_username($param->{userid});
 	
 		my $usercfg = cfs_read_file("user.cfg");
@@ -249,19 +243,15 @@
 		die "user '$username' does not exist\n" 
 		    if !$usercfg->{users}->{$username};
 
-		my $domid = $param->{domid};
-
-		PVE::AccessControl::domain_set_password($domid, $username, $param->{password})
+		PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
 		    if $param->{password};
 
 		$usercfg->{users}->{$username}->{enabled} = 1 if $param->{unlock};
 
 		$usercfg->{users}->{$username}->{enabled} = 0 if $param->{lock};
 
-		$usercfg->{users}->{$username}->{domid} = $domid if $domid;
+		$usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
 
-		$usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
-
 		PVE::AccessControl::delete_user_group($username, $usercfg) 
 		    if (!$param->{append} && $param->{groups});
 
@@ -305,7 +295,7 @@
 	PVE::AccessControl::lock_user_config(
 	    sub {
 
-		my ($username, undef, $domain) = 
+		my ($username, $ruid, $realm) = 
 		    PVE::AccessControl::verify_username($param->{userid});
 
 		my $usercfg = cfs_read_file("user.cfg");
@@ -315,7 +305,7 @@
 
 		delete ($usercfg->{users}->{$username});
 
-		PVE::AccessControl::delete_shadow_password($username) if !$domain;
+		PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve';
 		PVE::AccessControl::delete_user_group($username, $usercfg);
 		PVE::AccessControl::delete_user_acl($username, $usercfg);
 

Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm	2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/PVE/AccessControl.pm	2011-02-22 07:41:39 UTC (rev 5579)
@@ -143,28 +143,28 @@
 }
 
 sub authenticate_user_shadow {
-    my ($username, $password) = @_;
+    my ($userid, $password) = @_;
 
     die "no password\n" if !$password;
 
     my $shadow_cfg = cfs_read_file($shadowconfigfile);
     
-    if ($shadow_cfg->{users}->{$username}) {
-	my $encpw = crypt($password, $shadow_cfg->{users}->{$username}->{shadow});
-        die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$username}->{shadow});
+    if ($shadow_cfg->{users}->{$userid}) {
+	my $encpw = crypt($password, $shadow_cfg->{users}->{$userid}->{shadow});
+        die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$userid}->{shadow});
     } else {
 	die "no password set\n";
     }
 }
 
 sub authenticate_user_pam {
-    my ($username, $password) = @_;
+    my ($userid, $password) = @_;
 
     # user (www-data) need to be able to read /etc/passwd /etc/shadow
 
     die "no password\n" if !$password;
 
-    my $pamh = new Authen::PAM ('common-auth', $username, sub {
+    my $pamh = new Authen::PAM ('common-auth', $userid, sub {
 	my @res;
 	while(@_) {
 	    my $msg_type = shift;
@@ -197,11 +197,11 @@
 
 sub authenticate_user_ad {
 
-    my ($server, $username, $password) = @_;
+    my ($server, $userid, $password) = @_;
     
     my $ldap = Net::LDAP->new($server) || die "$@\n";
 
-    my $res = $ldap->bind($username, password => $password);
+    my $res = $ldap->bind($userid, password => $password);
 
     my $code = $res->code();
     my $err = $res->error;
@@ -213,15 +213,14 @@
 
 sub authenticate_user_ldap {
 
-    my ($entry, $server, $username, $password) = @_;
+    my ($entry, $server, $userid, $password) = @_;
 
-    my (undef, $user, $domain) = verify_username($username);
     my $default_port = ($entry->{type} eq 'ldap') ? 389 : 636;
     my $port = $entry->{port} ? $entry->{port} : $default_port;
     my $conn_string = $entry->{type} . "://" if ($entry->{type} ne 'ldap');
     $conn_string .= $server . ":" . $port;
     my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
-    my $search = $entry->{user_attr} . "=" . $user;
+    my $search = $entry->{user_attr} . "=" . $userid;
     my $result = $ldap->search( base    => "$entry->{base_dn}",
 				scope   => "sub",
 				filter  => "$search",
@@ -240,37 +239,37 @@
 }
 
 sub authenticate_user_domain {
-    my ($domid, $username, $password) = @_;
+    my ($realm, $userid, $password) = @_;
  
     my $domain_cfg = cfs_read_file($domainconfigfile);
 
-    die "no auth domain specified" if !$domid;
+    die "no auth domain specified" if !$realm;
 
-    if ($domid eq 'pam') {
-	authenticate_user_pam($username, $password);
+    if ($realm eq 'pam') {
+	authenticate_user_pam($userid, $password);
 	return;
     } 
 
     eval {
-	if ($domid eq 'pve') {
-	    authenticate_user_shadow($username, $password);
+	if ($realm eq 'pve') {
+	    authenticate_user_shadow($userid, $password);
 	} else { 
 
-	    my $cfg = $domain_cfg->{$domid};
-	    die "auth domain '$domid' does not exists\n" if !$cfg;
+	    my $cfg = $domain_cfg->{$realm};
+	    die "auth domain '$realm' does not exists\n" if !$cfg;
     
 	    if ($cfg->{type} eq 'ad') {
-		eval { authenticate_user_ad($cfg->{server1}, $username, $password); };
+		eval { authenticate_user_ad($cfg->{server1}, $userid, $password); };
 		my $err = $@;
 		return if !$err;
 		die $err if !$cfg->{server2};
-		authenticate_user_ad($cfg->{server2}, $username, $password); 
+		authenticate_user_ad($cfg->{server2}, $userid, $password); 
 	    } elsif (($cfg->{type} eq 'ldap') || ($cfg->{type} eq 'ldaps')) {
-		eval { authenticate_user_ldap($cfg, $cfg->{server1}, $username, $password); };
+		eval { authenticate_user_ldap($cfg, $cfg->{server1}, $userid, $password); };
 		my $err = $@;
 		return if !$err;
 		die $err if !$cfg->{server2};
-		authenticate_user_ldap($cfg, $cfg->{server2}, $username, $password); 
+		authenticate_user_ldap($cfg, $cfg->{server2}, $userid, $password); 
 	    } else {
 		die "unknown auth type '$cfg->{type}'\n";
 	    }
@@ -304,8 +303,10 @@
 
 	die "no username specified\n" if !$username;
  
-	$username = verify_username($username);
- 
+	my ($userid, $realm);
+
+	($username, $userid, $realm) = verify_username($username);
+
 	my $usercfg = cfs_read_file('user.cfg');
 
 	if (!user_enabled($usercfg, $username)) {
@@ -315,18 +316,13 @@
 
 	my $ctime = time();
 	my $expire = $usercfg->{users}->{$username}->{expire};
-	my $domid = $usercfg->{users}->{$username}->{domid};
 
 	if ($expire && ($expire < $ctime)) {
 	    sleep(2);
 	    die "account expired\n"
 	}
 
-	if ($username eq 'root') { # always use PAM for root
-	    authenticate_user_pam($username, $password);
-	} else {
-	    authenticate_user_domain($domid, $username, $password);
-	}
+	authenticate_user_domain($realm, $userid, $password);
     };
 
     die "auth failed: $@" if $@;
@@ -335,22 +331,22 @@
 }
 
 sub delete_shadow_password {
-    my ($username) = @_;
+    my ($userid) = @_;
  
     lock_shadow_config(sub {
 	my $shadow_cfg = cfs_read_file($shadowconfigfile);
-	delete ($shadow_cfg->{users}->{$username})
-	    if $shadow_cfg->{users}->{$username};
+	delete ($shadow_cfg->{users}->{$userid})
+	    if $shadow_cfg->{users}->{$userid};
 	cfs_write_file($shadowconfigfile, $shadow_cfg);
     });
 }
 
 sub store_shadow_password {
-    my ($username, $password) = @_;
+    my ($userid, $password) = @_;
   
     lock_shadow_config(sub {
 	my $shadow_cfg = cfs_read_file($shadowconfigfile);
-	$shadow_cfg->{users}->{$username}->{shadow} = encrypt_pw($password);
+	$shadow_cfg->{users}->{$userid}->{shadow} = encrypt_pw($password);
 	cfs_write_file($shadowconfigfile, $shadow_cfg);
     });
 }
@@ -363,31 +359,29 @@
 }
 
 sub store_pam_password {
-    my ($username, $password) = @_;
+    my ($userid, $password) = @_;
 
     my $cmd = ['/usr/sbin/usermod'];
 
     my $epw = encrypt_pw($password);
     push @$cmd, '-p', $epw;
 
-    push @$cmd, $username;
+    push @$cmd, $userid;
 
     run_command($cmd);
 }
 
 sub domain_set_password {
-    my ($domid, $username, $password) = @_;
+    my ($realm, $userid, $password) = @_;
 
-    if ($username eq 'root') {
-	store_pam_password($username, $password);
-    } elsif ($domid) {
-	if ($domid eq 'pam') {
-	    store_pam_password($username, $password);
-	} else {
-	    die "can't set password on auth domain '$domid'\n";
-	}
+    die "no auth domain specified" if !$realm;
+
+    if ($realm eq 'pam') {
+	store_pam_password($userid, $password);
+    } elsif ($realm eq 'pve') {
+	store_shadow_password($userid, $password);
     } else {
-	store_shadow_password($username, $password);
+	die "can't set password on auth domain '$realm'\n";
     }
 }
 
@@ -576,6 +570,18 @@
     return $path;
 } 
 
+my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
+
+sub pve_verify_realm {
+    my ($realm, $noerr) = @_;
+ 
+    if ($realm !~ m/^${realm_regex}$/) {
+	return undef if $noerr;
+	die "value does not look like a valid realm\n"; 
+    }
+    return $realm;
+}
+
 PVE::JSONSchema::register_format('pve-userid', \&verify_username);
 sub verify_username {
     my ($username, $noerr) = @_;
@@ -593,11 +599,11 @@
 
     # we only allow a limited set of characters (colon is not allowed,
     # because we store usernames in colon separated lists)!
-    if ($username =~ m/^([A-Za-z0-9\.\-_]+)(\@([A-Za-z0-9\.\-_]+))?$/) {
-	return wantarray ? ($username, $1, $3) : $username;
+    if ($username =~ m/^([^\s:]+)\@(${realm_regex})$/) {
+	return wantarray ? ($username, $1, $2) : $username;
     }
 
-    die "user name '$username' contains invalid characters\n" if !$noerr;
+    die "value '$username' does not look like a valid user name\n" if !$noerr;
 
     return undef;
 }
@@ -606,7 +612,7 @@
     type => 'string', format => 'pve-userid',
 });
 
-PVE::JSONSchema::register_standard_option('domid', {
+PVE::JSONSchema::register_standard_option('realm', {
     description => "Authentication domain ID",
     type => 'string', format => 'pve-configid',
 });
@@ -661,10 +667,8 @@
 
     # fixme: remove 'root' group (not required)?
 
-    # add root user and group (superuser)
-    $cfg->{users}->{root}->{enabled} = 1;
-    $cfg->{users}->{root}->{groups}->{root} = 1;
-    $cfg->{groups}->{root}->{users}->{root} = 1;
+    # add root user 
+    $cfg->{users}->{'root at pam'}->{enabled} = 1;
 }
 
 sub parse_user_config {
@@ -691,18 +695,14 @@
 	my $et = shift @data;
 
 	if ($et eq 'user') {
-	    my ($user, $enabled, $expire, $domid, $firstname, $lastname, $email, $comment) = @data;
+	    my ($user, $enabled, $expire, $firstname, $lastname, $email, $comment) = @data;
 
-	    if (!verify_username($user, 1)) {
-		warn "user config - ignore user '$user' - invalid characters in user name\n";
+	    my (undef, undef, $realm) = verify_username($user, 1);
+	    if (!$realm) {
+		warn "user config - ignore user '$user' - invalid user name\n";
 		next;
 	    }
 
-	    if ($domid && !PVE::JSONSchema::pve_verify_configid($domid, 1)) {
-		warn "user config - ignore user '$user' - (illegal characters in domain '$domid')\n";
-		next;
-	    }
-
 	    $enabled = $enabled ? 1 : 0;
 
 	    $expire = 0 if !$expire;
@@ -722,7 +722,6 @@
 		enabled => $enabled,
 		# group => $group,
 	    };
-	    $cfg->{users}->{$user}->{domid} = $domid ? $domid : 'pve';
 	    $cfg->{users}->{$user}->{firstname} = decode_text($firstname) if $firstname;
 	    $cfg->{users}->{$user}->{lastname} = decode_text($lastname) if $lastname;
 	    $cfg->{users}->{$user}->{email} = $email;
@@ -839,8 +838,8 @@
 	    next;
 	}
 
-	my ($username,$crypt_pass) = split (/:/, $line);
-	$shadow->{users}->{$username}->{shadow} = $crypt_pass;
+	my ($userid, $crypt_pass) = split (/:/, $line);
+	$shadow->{users}->{$userid}->{shadow} = $crypt_pass;
     }
 
     return $shadow;
@@ -851,8 +850,8 @@
 
     my $data = '';
 
-    foreach my $domid (sort keys %$cfg) {
-	my $entry = $cfg->{$domid};
+    foreach my $realm (sort keys %$cfg) {
+	my $entry = $cfg->{$realm};
 	my $type = $entry->{type};
 	next if !$type;
 
@@ -861,7 +860,7 @@
 	my $formats = $valid_attributes->{$type};
 	next if !$formats;
 
-	$data .= "$type: $domid\n";
+	$data .= "$type: $realm\n";
 
 	foreach my $k (sort keys %$entry) {
 	    next if $k eq 'type';
@@ -898,7 +897,7 @@
 	next if $line =~ m/^\s*$/; # skip empty lines
 
 	if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
-	    my $domid = $2;
+	    my $realm = $2;
 	    my $type = lc($1);
 
 	    my $ignore = 0;
@@ -907,10 +906,10 @@
 	    my $formats = $valid_attributes->{$type};
 	    if (!$formats) {
 		$ignore = 1;
-		warn "ignoring domain '$domid' - (unsupported authentication type '$type')\n";
-	    } elsif (!PVE::JSONSchema::pve_verify_configid($domid, 1)) {
+		warn "ignoring domain '$realm' - (unsupported authentication type '$type')\n";
+	    } elsif (!pve_verify_realm($realm, 1)) {
 		$ignore = 1;
-		warn "ignoring domain '$domid' - (illegal characters)\n";
+		warn "ignoring domain '$realm' - (illegal characters)\n";
 	    } else {
 		$entry = { type => $type };
 	    }
@@ -952,15 +951,15 @@
 	    if ($ignore) {
 		# do nothing
 	    } elsif (!$entry->{server1}) {
-		warn "ignoring domain '$domid' - missing server attribute\n";
+		warn "ignoring domain '$realm' - missing server attribute\n";
 	    } elsif ((($entry->{type} eq "ldap") || ($entry->{type} eq "ldaps")) && 
 		     (!$entry->{user_attr})) {
-		warn "ignoring domain '$domid' - missing user attribute\n";
+		warn "ignoring domain '$realm' - missing user attribute\n";
 	    } elsif ((($entry->{type} eq "ldap") || ($entry->{type} eq "ldaps")) && 
 		     (!$entry->{base_dn})) {
-		warn "ignoring domain '$domid' - missing base_dn attribute\n";
+		warn "ignoring domain '$realm' - missing base_dn attribute\n";
 	    } else {
-		$cfg->{$domid} = $entry;
+		$cfg->{$realm} = $entry;
 	    }
      
 	} else {
@@ -987,9 +986,9 @@
     my ($filename, $cfg) = @_;
 
     my $data = '';
-    foreach my $user (keys %{$cfg->{users}}) {
-	my $crypt_pass = $cfg->{users}->{$user}->{shadow};
-	$data .= "$user:$crypt_pass:\n";
+    foreach my $userid (keys %{$cfg->{users}}) {
+	my $crypt_pass = $cfg->{users}->{$userid}->{shadow};
+	$data .= "$userid:$crypt_pass:\n";
     }
 
     return $data
@@ -1001,24 +1000,21 @@
     my $data = '';
 
     foreach my $user (keys %{$cfg->{users}}) {
-	next if $user eq 'root';
+	next if $user eq 'root at pam';
 
 	my $d = $cfg->{users}->{$user};
-	my $domid = $d->{domid} || 'pve';
 	my $firstname = $d->{firstname} ? encode_text($d->{firstname}) : '';
 	my $lastname = $d->{lastname} ? encode_text($d->{lastname}) : '';
 	my $email = $d->{email} || '';
 	my $comment = $d->{comment} ? encode_text($d->{comment}) : '';
 	my $expire = int($d->{expire}) || 0;
 	my $enabled = $d->{enabled} ? 1 : 0;
-	$data .= "user:$user:$enabled:$expire:$domid:$firstname:$lastname:$email:$comment:\n";
+	$data .= "user:$user:$enabled:$expire:$firstname:$lastname:$email:$comment:\n";
     }
 
     $data .= "\n";
 
     foreach my $group (keys %{$cfg->{groups}}) {
-	next if $group eq 'root';
-
 	my $d = $cfg->{groups}->{$group};
 	my $list = join (',', keys %{$d->{users}});
 	my $comment = $d->{comment} ? encode_text($d->{comment}) : '';	
@@ -1061,7 +1057,7 @@
 
 	foreach my $user (keys %{$d->{users}}) {
 	    # no need to save, because root is always 'Administartor'
-	    next if $user eq 'root'; 
+	    next if $user eq 'root at pam'; 
 
 	    my $l0 = '';
 	    my $l1 = '';
@@ -1095,7 +1091,7 @@
 sub roles {
     my ($cfg, $user, $path) = @_;
 
-    return 'Administrator' if $user eq 'root'; # root can do anything
+    return 'Administrator' if $user eq 'root at pam'; # root can do anything
 
     my $perm = {};
 

Modified: pve-access-control/trunk/README
===================================================================
--- pve-access-control/trunk/README	2011-02-22 05:42:33 UTC (rev 5578)
+++ pve-access-control/trunk/README	2011-02-22 07:41:39 UTC (rev 5579)
@@ -12,12 +12,12 @@
 User Authentication
 ===================
 
-Proxmox VE can use several different authentication servers. Those
+Proxmox VE can use different authentication servers. Those
 servers are listed in '/etc/pve/priv/domain.cfg', indexed by a unique
-ID (called authentication domain or realm).
+ID (called 'authentication domain' or 'realm').
 
 User names need to be unique. We create unique names by adding the
-'realm' to the user ID.
+'realm' to the user ID: <userid>@<realm>
 
 File format 'domain.cfg'
 ----example domains.cfg ------------------
@@ -61,11 +61,9 @@
 group:
 
 	group_name: the name of the group
-	comment: a more verbose description
 	user_list: list of login names
+	comment: a more verbose description
 
-	special group root: group root has full administrative privileges
-
 privileges: 
 
 	defines rights required to execute actions or read



More information about the pve-devel mailing list