IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Return password-only preauth if passwords are allowed

Browse Source 
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
This commit is contained in:
Nathaniel McCallum 2016-02-21 19:43:52 -05:00 committed by Martin Basti
parent 168a6c7d47
commit 204200d73b
1 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
daemons/ipa-kdb/ipa_kdb_principals.c
View File

@ -302,6 +302,8 @@ static void ipadb_validate_radius(struct ipadb_context *ipactx,
"ipatokenRadiusConfigLink"); "ipatokenRadiusConfigLink");
if (vals == NULL || vals[0] == NULL) if (vals == NULL || vals[0] == NULL)
*ua &= ~IPADB_USER_AUTH_RADIUS; *ua &= ~IPADB_USER_AUTH_RADIUS;
else
*ua = IPADB_USER_AUTH_RADIUS;
if (vals != NULL) if (vals != NULL)
ldap_value_free_len(vals); ldap_value_free_len(vals);
@ -314,10 +316,6 @@ static void ipadb_validate_password(struct ipadb_context *ipactx,
/* If no mechanisms are set, use password. */ /* If no mechanisms are set, use password. */
if (*ua == IPADB_USER_AUTH_NONE) if (*ua == IPADB_USER_AUTH_NONE)
*ua |= IPADB_USER_AUTH_PASSWORD; *ua |= IPADB_USER_AUTH_PASSWORD;
/* If any other mechanism has passed validation, don't use password. */
else if (*ua & ~IPADB_USER_AUTH_PASSWORD)
*ua &= ~IPADB_USER_AUTH_PASSWORD;
} }
static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx, static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,