From a009f4c6d1ec0c4cef229c684cc226628a96496d Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 3 Feb 2015 11:04:32 -0500
Subject: [PATCH] Change PAM behavior for authorization

Previously, any PAM result was treated as good. This isn't actually of practical value, since we need a user object to really do authorization. Change strategy to give pam a chance to deny anyone, but require the user to exist in confluent even if pam says the user is a valid one.
---
 confluent_server/confluent/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index 4c535f78..b04ddc63 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -160,7 +160,7 @@ def check_user_passphrase(name, passphrase, element=None, tenant=False):
 pammy.authenticate()
 pammy.acct_mgmt()
 del pammy
- return authorize(user, element, tenant, skipuserobj=True)
+ return authorize(user, element, tenant, skipuserobj=False)
 except PAM.error:
 if credobj.haspam:
 return None
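Review bot: The new `return authorize(user, element, tenant, skipuserobj=False)` line carries a security decision that only the commit message records: a PAM success authenticates the caller, but access still requires a confluent user object. A comment directly above it, such as `# PAM may deny, but never grants on its own: the user must also exist in confluent`, would keep a later edit from switching the flag back to `True`. The definition of `authorize` is not in this hunk; if `False` is already its default, the keyword could be dropped here, and it is worth checking whether any other caller still passes `skipuserobj=True`, since that would leave the same bypass reachable elsewhere. `check_user_passphrase` starts and ends outside the hunk, so what happens after `except PAM.error:` when `credobj.haspam` is false cannot be judged from these lines.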