authorNathaniel McCallum <npmccallum@redhat.com>2013-04-11 13:50:42 -0400
committerMartin Kosek <mkosek@redhat.com>2013-05-17 09:30:51 +0200
commit5d51ae50a59466fa2d6d230d7f2879de34210f0c (patch)
treeab0e851651e14b8a44664199d2160766335cf6c4 /daemons/ipa-kdb/ipa_kdb.h
parentcb689354357d5311e7ecb231a34e867c23b8a803 (diff)
ipa-kdb: Add OTP support
If OTP is enabled for a user, then: 1. long-term keys are not provided to KDB; 2. the user string 'otp' is defined to KDB. Since it is not secure to send RADIUS configuration information over krb5 user strings, we simply set the string to a known default ('[]'), which enables the default configuration in the KDC. https://fedorahosted.org/freeipa/ticket/3561 http://freeipa.org/page/V3/OTP
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb.h')
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h13
1 files changed, 13 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 9daaab80d..54869d8f9 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -75,9 +75,18 @@
#define IPA_SETUP "ipa-setup-override-restrictions"
#define IPA_KRB_AUTHZ_DATA_ATTR "ipaKrbAuthzData"
+#define IPA_USER_AUTH_TYPE "ipaUserAuthType"
struct ipadb_mspac;
+enum ipadb_user_auth {
+ IPADB_USER_AUTH_EMPTY = 0,
+ IPADB_USER_AUTH_DISABLED = 1 << 0,
+ IPADB_USER_AUTH_PASSWORD = 1 << 1,
+ IPADB_USER_AUTH_RADIUS = 1 << 2,
+ IPADB_USER_AUTH_OTP = 1 << 3,
+};
+
struct ipadb_context {
char *uri;
char *base;
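Review bot: The new enum ipadb_user_auth is a bit-flag set (every non-zero constant is a distinct `1 << n` bit) but nothing in the header says so, and the meaning of IPADB_USER_AUTH_EMPTY (0) versus IPADB_USER_AUTH_DISABLED is left to the reader; values of this type will presumably hold OR-ed combinations, so the contract deserves a comment. Suggest above the enum: `/* Bit flags parsed from ipaUserAuthType; a value may OR several together. EMPTY (0) means no type was set. */`. Whether DISABLED wins over other bits when both are present is not decided in this header and should be stated wherever that precedence is implemented, since that decision controls whether long-term keys are released.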
@@ -92,6 +101,7 @@ struct ipadb_context {
bool disable_last_success;
bool disable_lockout;
char **authz_data;
+ enum ipadb_user_auth user_auth;
};
#define IPA_E_DATA_MAGIC 0x0eda7a
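Review bot: The added `user_auth` field in struct ipadb_context carries no comment saying what it holds; the context is the long-lived backend handle, so this looks like a server-wide default rather than a per-principal value, but that is an inference. Suggest `enum ipadb_user_auth user_auth; /* server-wide ipaUserAuthType default; per-user values presumably override — confirm */`. Initialisation of this struct is outside the hunk; if the context is not zero-allocated, the field will not start as IPADB_USER_AUTH_EMPTY, which is worth checking in the allocator.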
@@ -259,3 +269,6 @@ void ipadb_audit_as_req(krb5_context kcontext,
krb5_timestamp authtime,
krb5_error_code error_code);
+/* AUTH METHODS */
+void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
+ enum ipadb_user_auth *user_auth);
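Review bot: ipadb_get_user_auth() returns void, so a caller cannot distinguish "attribute absent" from "value unrecognised" or "LDAP lookup failed", and the prototype does not say what `*user_auth` is set to in those cases or whether the result is assigned or OR-ed into the existing value. Since an unparsable ipaUserAuthType deciding between "OTP required, no long-term keys" and "password allowed" is a fail-open/fail-closed question, the contract should be documented on the declaration. Suggest above it: `/* Parse ipaUserAuthType from entry le into *user_auth; sets IPADB_USER_AUTH_EMPTY when the attribute is absent — confirm behaviour on unknown values */`, adjusted to match the implementation, which is outside this hunk.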