Expose the disabled User Auth Type

Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled. https://fedorahosted.org/freeipa/ticket/4720 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-11-13 02:42:55 -05:00
parent c438d9be91
commit 9549a5984b
7 changed files with 14 additions and 10 deletions
--- a/API.txt
+++ b/API.txt
@@ -533,7 +533,7 @@ option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='s
 option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
-option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp'))
+option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp', u'disabled'))
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
 option: IA5Str('ipausersearchfields', attribute=True, autofill=False, cli_name='usersearch', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
--- a/4
+++ b/4
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=112
-# Last change: tbabej - change ipaassignedidview to Str
+IPA_API_VERSION_MINOR=113
+# Last change: npmccallum - expose disabled user auth type
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -324,17 +324,18 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
    enum ipadb_user_auth ua = IPADB_USER_AUTH_NONE;
    const struct ipadb_global_config *gcfg = NULL;

-    /* Get the user's user_auth settings. */
-    ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
-
    /* Get the global user_auth settings. */
    gcfg = ipadb_get_global_config(ipactx);
    if (gcfg != NULL)
        gua = gcfg->user_auth;

-    /* If the disabled flag is set, ignore everything else. */
-    if ((ua | gua) & IPADB_USER_AUTH_DISABLED)
-        return IPADB_USER_AUTH_DISABLED;
+    /* Get the user's user_auth settings if not disabled. */
+    if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
+        ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
+
+    /* Filter out the disabled flag. */
+    gua &= ~IPADB_USER_AUTH_DISABLED;
+    ua &= ~IPADB_USER_AUTH_DISABLED;

    /* Determine which user_auth policy is active: user or global. */
    if (ua == IPADB_USER_AUTH_NONE)
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -78,6 +78,7 @@ return {
                            name: 'ipauserauthtype',
                            flags: ['w_if_no_aci'],
                            options: [
+                                { label: '@i18n:authtype.type_disabled', value: 'disabled' },
                                { label: '@i18n:authtype.type_password', value: 'password' },
                                { label: '@i18n:authtype.type_radius', value: 'radius' },
                                { label: '@i18n:authtype.type_otp', value: 'otp' }
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -53,6 +53,7 @@
                        "type_otp": "Two factor authentication (password + OTP)",
                        "type_password": "Password",
                        "type_radius": "Radius",
+                        "type_disabled": "Disable per-user override",
                        "user_tooltip": "Per-user setting, overwrites the global setting if any option is checked."
                    },
                    "buttons": {
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -228,7 +228,7 @@ class config(LDAPObject):
            cli_name='user_auth_type',
            label=_('Default user authentication types'),
            doc=_('Default types of supported user authentication'),
-            values=(u'password', u'radius', u'otp'),
+            values=(u'password', u'radius', u'otp', u'disabled'),
            csv=True,
        ),
    )
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -195,6 +195,7 @@ class i18n_messages(Command):
            "type_otp": _("Two factor authentication (password + OTP)"),
            "type_password": _("Password"),
            "type_radius": _("Radius"),
+            "type_disabled": _("Disable per-user override"),
            "user_tooltip": _("Per-user setting, overwrites the global setting if any option is checked."),
        },
        "buttons": {