Return password-only preauth if passwords are allowed

Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
Nathaniel McCallum 2016-02-21 19:43:52 -05:00 committed by Martin Basti
parent 168a6c7d47
commit 204200d73b


@ -302,6 +302,8 @@ static void ipadb_validate_radius(struct ipadb_context *ipactx,
"ipatokenRadiusConfigLink");
if (vals == NULL || vals[0] == NULL)
*ua &= ~IPADB_USER_AUTH_RADIUS;
else
*ua = IPADB_USER_AUTH_RADIUS;
if (vals != NULL)
ldap_value_free_len(vals);
@ -314,10 +316,6 @@ static void ipadb_validate_password(struct ipadb_context *ipactx,
/* If no mechanisms are set, use password. */
if (*ua == IPADB_USER_AUTH_NONE)
*ua |= IPADB_USER_AUTH_PASSWORD;
/* If any other mechanism has passed validation, don't use password. */
else if (*ua & ~IPADB_USER_AUTH_PASSWORD)
*ua &= ~IPADB_USER_AUTH_PASSWORD;
}
static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
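Review bot: The plain assignment `*ua = IPADB_USER_AUTH_RADIUS;` in the first hunk clears every other mechanism bit, unlike the `&=` and `|=` updates around it, and nothing on the line says this is deliberate. Because the second hunk drops the branch that used to clear IPADB_USER_AUTH_PASSWORD whenever another mechanism was set, this assignment appears to be the only thing that keeps a RADIUS-proxied user from also being offered password preauth, so I would add a comment such as `/* RADIUS proxying is exclusive: drop all other mechanisms, including password. */`. The same removal means an account with both password and otp allowed can now complete preauth with the password alone; a short comment in ipadb_validate_password saying that OTP is only enforced when password is not among the allowed types would keep that from being read as a regression later. Both function bodies start outside the visible hunks, so the order in which the validators run is not confirmed here.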