Username mappings

Makefile.am

@@ -42,8 +42,8 @@ endif
 pamdir = $(libdir)/security
 pam_LTLIBRARIES = pam_krb5.la
 pam_krb5_la_SOURCES = account.c alt-auth.c auth.c cache.c context.c fast.c \
-	internal.h options.c password.c prompting.c public.c setcred.c	   \
-	support.c
+	internal.h mappings.c options.c password.c prompting.c public.c    \
+	setcred.c support.c
 pam_krb5_la_LDFLAGS = -module -shared -avoid-version $(VERSION_LDFLAGS) \
 	$(AM_LDFLAGS)
 pam_krb5_la_LIBADD = pam-util/libpamutil.la portable/libportable.la \
@@ -92,9 +92,9 @@ tests_tap_libtap_a_SOURCES = tests/tap/basic.c tests/tap/basic.h	\
 
 # The list of objects and libraries used for module testing by programs that
 # link with the fake PAM library or with both it and the module.
-MODULE_OBJECTS = account.lo alt-auth.lo auth.lo cache.lo context.lo fast.lo \
-	options.lo password.lo prompting.lo public.lo setcred.lo support.lo \
-	pam-util/libpamutil.la tests/fakepam/libfakepam.a
+MODULE_OBJECTS = account.lo alt-auth.lo auth.lo cache.lo context.lo fast.lo  \
+	mappings.lo options.lo password.lo prompting.lo public.lo setcred.lo \
+	support.lo pam-util/libpamutil.la tests/fakepam/libfakepam.a
 
 # The test programs themselves.
 tests_module_alt_auth_t_LDADD = $(MODULE_OBJECTS) tests/tap/libtap.a \

auth.c

@@ -591,8 +591,7 @@ password_auth_attempt(struct pam_args *args, const char *service,
     /*
      * First, try authenticating as the alternate principal if one were
      * configured.  If that fails or wasn't configured, continue on to trying
-     * search_k5login or a regular authentication unless configuration
-     * indicates that regular authentication should not be attempted.
+     * a mappings login.
      */
     if (args->config->alt_auth_map != NULL) {
         retval = pamk5_alt_auth(args, service, opts, pass, creds);
@@ -612,6 +611,18 @@ password_auth_attempt(struct pam_args *args, const char *service,
                 return retval;
     }
 
+    /*
+     * Next try authentication as a mapped user if any mappings were
+     * configured.  If that fails or wasn't configured continue on with
+     * search_k5login or a regular authentication unless configuration
+     * indicates that regular authentication should not be attempted.
+     */
+    if (args->config->mappings != NULL) {
+        retval = pamk5_mappings_auth(args, service, opts, pass, creds);
+        if (retval == 0)
+            return retval;
+    }
+
     /* Attempt regular authentication, via either search_k5login or normal. */
     if (args->config->search_k5login)
         retval = k5login_password_auth(args, creds, opts, service, pass);

internal.h

@@ -59,6 +59,7 @@ struct pam_config {
     bool force_alt_auth;         /* Alt principal must be used if it exists. */
     bool ignore_k5login;         /* Don't check .k5login files. */
     bool ignore_root;            /* Skip authentication for root. */
+    struct vector *mappings;     /* regex patterns to map principals. */
     long minimum_uid;            /* Ignore users below this UID. */
     bool only_alt_auth;          /* Alt principal must be used. */
     bool search_k5login;         /* Try password with each line of .k5login. */
@@ -204,6 +205,12 @@ krb5_error_code pamk5_alt_auth(struct pam_args *, const char *service,
                                krb5_creds *);
 int pamk5_alt_auth_verify(struct pam_args *);
 
+/* mappings support. */
+krb5_error_code pamk5_mappings_auth(struct pam_args *, const char *service,
+                                    krb5_get_init_creds_opt *,
+                                    const char *pass, krb5_creds *);
+int pamk5_mappings_auth_verify(struct pam_args *);
+
 /* FAST support.  Set up FAST protection of authentication. */
 void pamk5_fast_setup(struct pam_args *, krb5_get_init_creds_opt *);