Expose the disabled User Auth Type

Additionally, fix a small bug in ipa-kdb so that the disabled User
Auth Type is properly handled.

https://fedorahosted.org/freeipa/ticket/4720

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

1 files changed, 7 insertions, 6 deletions

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 9d43ebc66..828ba760c 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -324,17 +324,18 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
     enum ipadb_user_auth ua = IPADB_USER_AUTH_NONE;
     const struct ipadb_global_config *gcfg = NULL;
 
-    /* Get the user's user_auth settings. */
-    ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
-
     /* Get the global user_auth settings. */
     gcfg = ipadb_get_global_config(ipactx);
     if (gcfg != NULL)
         gua = gcfg->user_auth;
 
-    /* If the disabled flag is set, ignore everything else. */
-    if ((ua | gua) & IPADB_USER_AUTH_DISABLED)
-        return IPADB_USER_AUTH_DISABLED;
+    /* Get the user's user_auth settings if not disabled. */
+    if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
+        ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
+
+    /* Filter out the disabled flag. */
+    gua &= ~IPADB_USER_AUTH_DISABLED;
+    ua &= ~IPADB_USER_AUTH_DISABLED;
 
     /* Determine which user_auth policy is active: user or global. */
     if (ua == IPADB_USER_AUTH_NONE)