Return password-only preauth if passwords are allowed
Before this patch, if either password or password+otp were permitted, only the otp preauth mech would be returned to the client. Now, the client will receive either enc_ts or enc_chl in addition to otp. https://fedorahosted.org/freeipa/ticket/433 Reviewed-By: Sumit Bose <sbose@redhat.com>
parent
168a6c7d47
commit
204200d73b
@ -302,6 +302,8 @@ static void ipadb_validate_radius(struct ipadb_context *ipactx,
|
||||
"ipatokenRadiusConfigLink");
|
||||
if (vals == NULL || vals[0] == NULL)
|
||||
*ua &= ~IPADB_USER_AUTH_RADIUS;
|
||||
else
|
||||
*ua = IPADB_USER_AUTH_RADIUS;
|
||||
|
||||
if (vals != NULL)
|
||||
ldap_value_free_len(vals);
|
||||
@ -314,10 +316,6 @@ static void ipadb_validate_password(struct ipadb_context *ipactx,
|
||||
/* If no mechanisms are set, use password. */
|
||||
if (*ua == IPADB_USER_AUTH_NONE)
|
||||
*ua |= IPADB_USER_AUTH_PASSWORD;
|
||||
|
||||
/* If any other mechanism has passed validation, don't use password. */
|
||||
else if (*ua & ~IPADB_USER_AUTH_PASSWORD)
|
||||
*ua &= ~IPADB_USER_AUTH_PASSWORD;
|
||||
}
|
||||
|
||||
static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
|
||||
|
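Review bot: In the first hunk, the `else` branch of ipadb_validate_radius sets `*ua = IPADB_USER_AUTH_RADIUS` with a plain assignment, which discards every other mechanism bit; directly under `*ua &= ~IPADB_USER_AUTH_RADIUS` it reads like a typo for `|=`. The page has lost its +/- markers, but the hunk counts suggest this branch is new, and that the second hunk drops the `else if (*ua & ~IPADB_USER_AUTH_PASSWORD)` clearing from ipadb_validate_password. If so, this assignment is now the only thing that keeps password preauth from being advertised for a user who has an `ipatokenRadiusConfigLink`. If that exclusivity is intended, say so in a comment, e.g. `/* RADIUS is exclusive: a config link drops all other mechanisms, including password. */`, and brace both branches so a later edit cannot detach the `else`. The outcome presumably also depends on the order in which ipadb_get_user_auth calls the validators, which lies outside these hunks; confirm that nothing re-adds bits after ipadb_validate_radius runs.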