Additionally, fix a small bug in ipa-kdb so that the disabled User
Auth Type is properly handled.

https://fedorahosted.org/freeipa/ticket/4720
From 0fb04bcfac08a6da3246628fb4ab13138de8a1ca Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Thu, 13 Nov 2014 02:42:55 -0500
Subject: [PATCH] Expose the disabled User Auth Type

Additionally, fix a small bug in ipa-kdb so that the disabled User
Auth Type is properly handled.

https://fedorahosted.org/freeipa/ticket/4720
---
 API.txt                                |  2 +-
 VERSION                                |  4 ++--
 daemons/ipa-kdb/ipa_kdb_principals.c   | 13 +++++++------
 install/ui/src/freeipa/serverconfig.js |  1 +
 install/ui/test/data/ipa_init.json     |  1 +
 ipalib/plugins/config.py               |  2 +-
 ipalib/plugins/internal.py             |  1 +
 7 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/API.txt b/API.txt
index 0000491d7a76fd1d2d50208d314d1600839ce295..c92019886b0046adea4c2568be38a9adb50a3829 100644
--- a/API.txt
+++ b/API.txt
@@ -533,7 +533,7 @@ option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='s
 option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
-option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp'))
+option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp', u'disabled'))
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
 option: IA5Str('ipausersearchfields', attribute=True, autofill=False, cli_name='usersearch', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
diff --git a/VERSION b/VERSION
index b0d41e5e1ec59ddefbdcccf588b97bac2ff798ee..d62722e22fd6c565ebd90563230fde6028212028 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=108
-# Last change: pvoborni - manage authorization of keytab operations
+IPA_API_VERSION_MINOR=109
+# Last change: npmccallum - expose disabled user auth type
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index e158c236eab5c7c5a7c12664dbde5d51cc55406d..4e9cf07c516b310962f2774729a761063d646e6b 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -324,17 +324,18 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
     enum ipadb_user_auth ua = IPADB_USER_AUTH_NONE;
     const struct ipadb_global_config *gcfg = NULL;
 
-    /* Get the user's user_auth settings. */
-    ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
-
     /* Get the global user_auth settings. */
     gcfg = ipadb_get_global_config(ipactx);
     if (gcfg != NULL)
         gua = gcfg->user_auth;
 
-    /* If the disabled flag is set, ignore everything else. */
-    if ((ua | gua) & IPADB_USER_AUTH_DISABLED)
-        return IPADB_USER_AUTH_DISABLED;
+    /* Get the user's user_auth settings if not disabled. */
+    if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
+        ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
+
+    /* Filter out the disabled flag. */
+    gua &= ~IPADB_USER_AUTH_DISABLED;
+    ua &= ~IPADB_USER_AUTH_DISABLED;
 
     /* Determine which user_auth policy is active: user or global. */
     if (ua == IPADB_USER_AUTH_NONE)
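Review bot: After the two masking lines (`gua &= ~IPADB_USER_AUTH_DISABLED;` and `ua &= ~IPADB_USER_AUTH_DISABLED;`) this function can no longer return IPADB_USER_AUTH_DISABLED, and a user entry that carries only the disabled value now falls through to the global policy instead of short-circuiting; nothing in the code states this change in authentication policy. I would say so in the comment, for example `/* DISABLED only has meaning in the global config, where it turns off per-user overrides; it is never returned to callers. */`, and check whether any caller still compares the result against IPADB_USER_AUTH_DISABLED. Separately, when `ipadb_get_global_config()` returns NULL, `gua` keeps its initial value (declared above the hunk, presumably IPADB_USER_AUTH_NONE), so per-user settings are honoured even if the administrator disabled overrides; it is worth a line on whether that failure should be logged or treated restrictively. The body of ipadb_get_user_auth starts and ends outside the hunk.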
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index d134c88824533ce83f8b0dc11ca3a059601b6f7d..efe1805698372b45afae38d1f9dd883034ee03c6 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -78,6 +78,7 @@ return {
                             name: 'ipauserauthtype',
                             flags: ['w_if_no_aci'],
                             options: [
+                                { label: '@i18n:authtype.type_disabled', value: 'disabled' },
                                 { label: '@i18n:authtype.type_password', value: 'password' },
                                 { label: '@i18n:authtype.type_radius', value: 'radius' },
                                 { label: '@i18n:authtype.type_otp', value: 'otp' }
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index bbe334b7df774f1956a6dca98d5bb54049a7ee00..03654312998af6ee868caf8f74e9ce33ac5f94a7 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -53,6 +53,7 @@
                         "type_otp": "Two factor authentication (password + OTP)",
                         "type_password": "Password",
                         "type_radius": "Radius",
+                        "type_disabled": "Disable per-user override",
                         "user_tooltip": "Per-user setting, overwrites the global setting if any option is checked."
                     },
                     "buttons": {
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 077ef2c42ea4b2c7a2c5801a6558408326d2c757..6267313d5e9af2d97f45f987115de143d7aa7915 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -228,7 +228,7 @@ class config(LDAPObject):
             cli_name='user_auth_type',
             label=_('Default user authentication types'),
             doc=_('Default types of supported user authentication'),
-            values=(u'password', u'radius', u'otp'),
+            values=(u'password', u'radius', u'otp', u'disabled'),
             csv=True,
         ),
     )
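Review bot: The `doc` string on this option still reads 'Default types of supported user authentication', but the newly accepted `disabled` value is not an authentication type; going by the label added in internal.py, it disables per-user overrides. If the command-line help is generated from this text, an administrator could read `disabled` as turning authentication off altogether. I would extend it, for example `doc=_('Default types of supported user authentication; "disabled" turns off per-user overrides')`. The option definition and the enclosing class start outside the hunk.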
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index b85f2d077110128963e26ccf0f43e21141c46f4a..e04e843400015edfaeac5bdc94300ab600b97a9d 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -195,6 +195,7 @@ class i18n_messages(Command):
             "type_otp": _("Two factor authentication (password + OTP)"),
             "type_password": _("Password"),
             "type_radius": _("Radius"),
+            "type_disabled": _("Disable per-user override"),
             "user_tooltip": _("Per-user setting, overwrites the global setting if any option is checked."),
         },
         "buttons": {
-- 
2.1.0
