From 2d40bf0ad9f03e345228cba4563091c91eb02f5b Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 27 Nov 2014 20:29:03 +0100 Subject: Skip CHAUTHTOK_PRELIM when using OTPs https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only used each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose --- src/providers/ipa/ipa_opts.h | 1 + 1 file changed, 1 insertion(+) (limited to 'src/providers/ipa/ipa_opts.h') diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index f77ff1d05..66af64858 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -203,6 +203,7 @@ struct sdap_attr_map ipa_user_map[] = { { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL }, { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }, { "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }, + { "ldap_user_auth_type", "ipaUserAuthType", SYSDB_AUTH_TYPE, NULL }, SDAP_ATTR_MAP_TERMINATOR }; -- cgit