author | Nathaniel McCallum <npmccallum@redhat.com> | 2016-02-21 19:43:52 -0500 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-05-26 18:47:05 +0200 |
commit | 204200d73bb135cb7b9b31b8f1ba5268d73094a5 (patch) | |
tree | a5f1c366e1ebc24f1297119a14e90316447a5d80 /daemons | |
parent | 168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0 (diff) | |
Return password-only preauth if passwords are allowed
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_principals.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 502781087..910d55c4a 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -302,6 +302,8 @@ static void ipadb_validate_radius(struct ipadb_context *ipactx,
 "ipatokenRadiusConfigLink");
 if (vals == NULL || vals[0] == NULL)
 *ua &= ~IPADB_USER_AUTH_RADIUS;
+ else
+ *ua = IPADB_USER_AUTH_RADIUS;

 if (vals != NULL)
 ldap_value_free_len(vals);
@@ -314,10 +316,6 @@ static void ipadb_validate_password(struct ipadb_context *ipactx,
 /* If no mechanisms are set, use password. */
 if (*ua == IPADB_USER_AUTH_NONE)
 *ua |= IPADB_USER_AUTH_PASSWORD;
-
- /* If any other mechanism has passed validation, don't use password. */
- else if (*ua & ~IPADB_USER_AUTH_PASSWORD)
- *ua &= ~IPADB_USER_AUTH_PASSWORD;
 }

 static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx, |
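Review bot: The added `else` branch in ipadb_validate_radius assigns with `=` rather than `|=`, so a user who has a RADIUS config link loses every other mechanism bit, and nothing in the code says this is deliberate. Because the second hunk deletes the branch in ipadb_validate_password that used to strip the password bit, this assignment appears to be the only thing that keeps password preauth from being offered alongside RADIUS. It should carry a comment such as `/* RADIUS is exclusive: clear all other mechanisms so a local password or OTP cannot be used in its place. */`. The outcome also seems to depend on the order in which the validate helpers are called from ipadb_get_user_auth, which is outside the hunk, so that ordering is worth documenting there too. Both function bodies start outside the visible hunks.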