authorNathaniel McCallum <npmccallum@redhat.com>2014-02-06 10:56:46 -0500
committerPetr Viktorin <pviktori@redhat.com>2014-02-14 16:03:24 +0100
commitfd55da9a27f76611b01c38c2741c13652d6a3e60 (patch)
tree4808a6b12a668fef703213578256ecd2a8245d7c /daemons/ipa-kdb/ipa_kdb.c
parenta91c0972b992dbd15e78f2ba6982768ac958e4bd (diff)
ipa-kdb: validate that an OTP user has tokens
This handles the case where a user is configured for OTP in ipaUserAuthType, but the user has not yet created any tokens. Until the user creates tokens, the user should still be able to log in via password. This logic already exists in LDAP, but ipa-kdb needs to perform the same validation to know what data to return to the KDC. https://fedorahosted.org/freeipa/ticket/4154 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index c807bbcfa..0f3996cdf 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -186,13 +186,13 @@ static const struct {
{ }
};
-void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
- enum ipadb_user_auth *userauth)
+void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
+ enum ipadb_user_auth *userauth)
{
struct berval **vals;
int i, j;
- *userauth = IPADB_USER_AUTH_EMPTY;
+ *userauth = IPADB_USER_AUTH_NONE;
vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
if (!vals)
return;
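Review bot: The early `if (!vals) return;` leaves `*userauth` at `IPADB_USER_AUTH_NONE` both when ipaUserAuthType is absent and when the attribute could not be read, because ldap_get_values_len() returns NULL in either case and the function returns void. If callers treat NONE as "fall back to the default or password-only policy" (the commit message suggests such a fallback, but that code is not in this file's diff), a failed read would quietly relax an OTP requirement. Consider checking the session result code (`LDAP_OPT_RESULT_CODE`) after a NULL return and reporting the error to the caller. At minimum, document the contract on the now-renamed function: `/* Leaves *userauth at IPADB_USER_AUTH_NONE when the attribute is missing or unreadable; NONE is not proof that OTP is not required. */`. The function body continues past the end of this hunk.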
@@ -205,6 +205,8 @@ void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
}
}
}
+
+ ldap_value_free_len(vals);
}
int ipadb_get_global_configs(struct ipadb_context *ipactx)
@@ -239,7 +241,7 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx)
}
/* Check for permitted authentication types. */
- ipadb_get_user_auth(ipactx->lcontext, res, &ipactx->user_auth);
+ ipadb_parse_user_auth(ipactx->lcontext, res, &ipactx->user_auth);
vals = ldap_get_values_len(ipactx->lcontext, first,
"ipaConfigString");