From 9549a5984b5b1d7106035d8126a3ead915b2129b Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Thu, 13 Nov 2014 02:42:55 -0500
Subject: Expose the disabled User Auth Type Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled. https://fedorahosted.org/freeipa/ticket/4720
Reviewed-By: Petr Vobornik
---
 API.txt | 2 +-
 VERSION | 4 ++--
 daemons/ipa-kdb/ipa_kdb_principals.c | 13 +++++++------
 install/ui/src/freeipa/serverconfig.js | 1 +
 install/ui/test/data/ipa_init.json | 1 +
 ipalib/plugins/config.py | 2 +-
 ipalib/plugins/internal.py | 1 +
 7 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/API.txt b/API.txt
index 08615c804..a6a95783c 100644
--- a/API.txt
+++ b/API.txt
@@ -533,7 +533,7 @@ option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='s
 option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
-option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp'))
+option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp', u'disabled'))
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
 option: IA5Str('ipausersearchfields', attribute=True, autofill=False, cli_name='usersearch', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
diff --git a/VERSION b/VERSION index f587c65c8..122594726 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=112 -# Last change: tbabej - change ipaassignedidview to Str +IPA_API_VERSION_MINOR=113 +# Last change: npmccallum - expose disabled user auth type diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 9d43ebc66..828ba760c 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -324,17 +324,18 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx, enum ipadb_user_auth ua = IPADB_USER_AUTH_NONE; const struct ipadb_global_config *gcfg = NULL; - /* Get the user's user_auth settings. */ - ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua); - /* Get the global user_auth settings. */ gcfg = ipadb_get_global_config(ipactx); if (gcfg != NULL) gua = gcfg->user_auth; - /* If the disabled flag is set, ignore everything else. */ - if ((ua | gua) & IPADB_USER_AUTH_DISABLED) - return IPADB_USER_AUTH_DISABLED; + /* Get the user's user_auth settings if not disabled. */ + if ((gua & IPADB_USER_AUTH_DISABLED) == 0) + ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua); + + /* Filter out the disabled flag. */ + gua &= ~IPADB_USER_AUTH_DISABLED; + ua &= ~IPADB_USER_AUTH_DISABLED; /* Determine which user_auth policy is active: user or global. */ if (ua == IPADB_USER_AUTH_NONE) diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js index d134c8882..efe180569 100644 --- a/install/ui/src/freeipa/serverconfig.js +++ b/install/ui/src/freeipa/serverconfig.js 
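Review bot: The new comment `/* Filter out the disabled flag. */` in ipadb_get_user_auth() does not say what the flag now means, and the name invites the wrong reading. With the early `return IPADB_USER_AUTH_DISABLED` removed, a global `disabled` no longer stops anything; it only skips `ipadb_parse_user_auth()`, so the global types apply to every principal. I would spell that out where the bits are masked, e.g. `/* DISABLED means "ignore per-user auth types", not "deny authentication"; mask it out before choosing a policy. */`. Two cases deserve a test: a global value of `disabled` alone leaves `gua` at `IPADB_USER_AUTH_NONE` after the mask, and a user entry restricted to a stronger type such as `otp` falls back to the global types once the override is disabled. Both outcomes depend on the fallback logic below, and the function body starts and ends outside this hunk.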
@@ -78,6 +78,7 @@ return {
 name: 'ipauserauthtype',
 flags: ['w_if_no_aci'],
 options: [
+ { label: '@i18n:authtype.type_disabled', value: 'disabled' },
 { label: '@i18n:authtype.type_password', value: 'password' },
 { label: '@i18n:authtype.type_radius', value: 'radius' },
 { label: '@i18n:authtype.type_otp', value: 'otp' }
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index bbe334b7d..036543129 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -53,6 +53,7 @@
 "type_otp": "Two factor authentication (password + OTP)",
 "type_password": "Password",
 "type_radius": "Radius",
+ "type_disabled": "Disable per-user override",
 "user_tooltip": "Per-user setting, overwrites the global setting if any option is checked."
 },
 "buttons": {
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 077ef2c42..6267313d5 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -228,7 +228,7 @@ class config(LDAPObject):
 cli_name='user_auth_type',
 label=_('Default user authentication types'),
 doc=_('Default types of supported user authentication'),
- values=(u'password', u'radius', u'otp'),
+ values=(u'password', u'radius', u'otp', u'disabled'),
 csv=True,
 ),
 )
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index b85f2d077..e04e84340 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -195,6 +195,7 @@ class i18n_messages(Command):
 "type_otp": _("Two factor authentication (password + OTP)"),
 "type_password": _("Password"),
 "type_radius": _("Radius"),
+ "type_disabled": _("Disable per-user override"),
 "user_tooltip": _("Per-user setting, overwrites the global setting if any option is checked."),
 },
 "buttons": {
-- cgit
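Review bot: The `doc` string in the ipalib/plugins/config.py hunk still reads `Default types of supported user authentication`, so an administrator setting `user_auth_type` to `disabled` from the CLI gets no hint that the value turns off per-user overrides rather than authentication itself. The web UI label added in this commit ("Disable per-user override") says so, but the command help does not. I would extend the help text, e.g. `doc=_('Default types of supported user authentication; "disabled" makes per-user settings ignored'),`. The enclosing parameter definition starts outside the hunk.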