a simple pam user mapper module

mysql-test/suite/plugins/r/pam.result

@@ -2,7 +2,7 @@ install plugin pam soname 'auth_pam.so';
 create user test_pam identified via pam using 'mariadb_mtr';
 #
 # athentication is successful, challenge/pin are ok
-# note that current_user() differts from user()
+# note that current_user() differs from user()
 #
 Challenge input first.
 Enter: not very secret challenge

mysql-test/suite/plugins/t/pam.test

@@ -29,7 +29,7 @@ EOF
 
 --echo #
 --echo # athentication is successful, challenge/pin are ok
---echo # note that current_user() differts from user()
+--echo # note that current_user() differs from user()
 --echo #
 --exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good.txt
 

plugin/auth_pam/mapper/pam_user_map.c

+/*
+  Pam module to change user names arbitrarily in the pam stack.
+
+  Compile as
+  
+     gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
+
+  Install as appropriate (for example, in /lib/security/).
+  Add to your /etc/pam.d/mysql (preferrably, at the end) this line:
+=========================================================
+auth            required        pam_user_map.so
+=========================================================
+
+  And create /etc/security/user_map.conf with the desired mapping
+  in the format:  orig_user_name: mapped_user_name
+=========================================================
+#comments and emty lines are ignored
+john: jack
+bob:  admin
+top:  accounting
+=========================================================
+
+*/
+
+#include <stdio.h>
+#include <syslog.h>
+#include <security/pam_modules.h>
+
+#define FILENAME "/etc/security/user_map.conf"
+#define skip(what) while (*s && (what)) s++
+
+int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+  int pam_err, line= 0;
+  const char *username;
+  char buf[256];
+  FILE *f;
+
+  f= fopen(FILENAME, "r");
+  if (f == NULL)
+  {
+    pam_syslog(pamh, LOG_ERR, "Cannot open '%s'\n", FILENAME);
+    return PAM_SYSTEM_ERR;
+  }
+
+  pam_err = pam_get_item(pamh, PAM_USER, (const void**)&username);
+  if (pam_err != PAM_SUCCESS)
+    goto ret;
+
+  while (fgets(buf, sizeof(buf), f) != NULL)
+  {
+    char *s= buf, *from, *to, *end_from, *end_to;
+    line++;
+
+    skip(isspace(*s));
+    if (*s == '#' || *s == 0) continue;
+    from= s;
+    skip(isalnum(*s) || (*s == '_'));
+    end_from= s;
+    skip(isspace(*s));
+    if (end_from == from || *s++ != ':') goto syntax_error;
+    skip(isspace(*s));
+    to= s;
+    skip(isalnum(*s) || (*s == '_'));
+    end_to= s;
+    if (end_to == to) goto syntax_error;
+
+    *end_from= *end_to= 0;
+    if (strcmp(username, from) == 0)
+    {
+      pam_err= pam_set_item(pamh, PAM_USER, to);
+      goto ret;
+    }
+  }
+  pam_err= PAM_SUCCESS;
+  goto ret;
+
+syntax_error:
+  pam_syslog(pamh, LOG_ERR, "Syntax error at %s:%d", FILENAME, line);
+  pam_err= PAM_SYSTEM_ERR;
+ret:
+  fclose(f);
+  return pam_err;
+}
+
+int pam_sm_setcred(pam_handle_t *pamh, int flags,
+                   int argc, const char *argv[])
+{
+
+    return PAM_SUCCESS;
+}
+

plugin/auth_pam/testing/pam_mariadb_mtr.c

@@ -10,7 +10,7 @@
   Create /etc/pam.d/mariadb_mtr with
 =========================================================
 auth            required        pam_mariadb_mtr.so pam_test
-account         required        pam_mariadb_mtr.so
+account         required        pam_permit.so
 =========================================================
 */
 
@@ -21,8 +21,7 @@ account         required        pam_mariadb_mtr.so
 
 #define N 3
 
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags,
+int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                         int argc, const char *argv[])
 {
   struct pam_conv *conv;
@@ -69,16 +68,7 @@ ret:
   return retval;
 }
 
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags,
-    int argc, const char *argv[])
-{
-
-    return PAM_SUCCESS;
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+int pam_sm_setcred(pam_handle_t *pamh, int flags,
                    int argc, const char *argv[])
 {