authorJakub Hrozek <jhrozek@redhat.com>2014-11-27 20:29:03 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-12-13 23:41:33 +0100
commitfc4862295d512e464feff60cbc5df8c50bf83644 (patch)
tree428eda11c3a67924d4ee4f8f7af3a0108a67c1ec /src/providers/ipa
parent2e84796d8e23ee6e406c0625288655e056b0d90d (diff)
Skip CHAUTHTOK_PRELIM when using OTPs
https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only use each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers/ipa')
-rw-r--r--src/providers/ipa/ipa_opts.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index f77ff1d05..66af64858 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -203,6 +203,7 @@ struct sdap_attr_map ipa_user_map[] = {
{ "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
{ "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
{ "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL },
+ { "ldap_user_auth_type", "ipaUserAuthType", SYSDB_AUTH_TYPE, NULL },
SDAP_ATTR_MAP_TERMINATOR
};
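Review bot: The new `ldap_user_auth_type` row in `ipa_user_map` carries no comment saying that this attribute now gates an authentication decision, namely whether CHAUTHTOK_PRELIM is skipped for the user. I would add something like `/* read to detect OTP users; a missing or unreadable value leaves the prelim check in place */` above the row, and confirm that this fallback is the intended behaviour when `ipaUserAuthType` is absent from the entry or hidden by directory access controls. These maps appear to be indexed by position, so the row must sit at the same offset as the matching entry in the user-attribute enum and in the other providers' user maps. That cannot be checked here, because the view is limited to src/providers/ipa and the array begins above the hunk.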