diff options
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_principals.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 9d43ebc66..828ba760c 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -324,17 +324,18 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx, enum ipadb_user_auth ua = IPADB_USER_AUTH_NONE; const struct ipadb_global_config *gcfg = NULL; - /* Get the user's user_auth settings. */ - ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua); - /* Get the global user_auth settings. */ gcfg = ipadb_get_global_config(ipactx); if (gcfg != NULL) gua = gcfg->user_auth; - /* If the disabled flag is set, ignore everything else. */ - if ((ua | gua) & IPADB_USER_AUTH_DISABLED) - return IPADB_USER_AUTH_DISABLED; + /* Get the user's user_auth settings if not disabled. */ + if ((gua & IPADB_USER_AUTH_DISABLED) == 0) + ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua); + + /* Filter out the disabled flag. */ + gua &= ~IPADB_USER_AUTH_DISABLED; + ua &= ~IPADB_USER_AUTH_DISABLED; /* Determine which user_auth policy is active: user or global. */ if (ua == IPADB_USER_AUTH_NONE) |