On Thu, 2014-12-04 at 19:56 +0100, Petr Vobornik wrote: > On 12/04/2014 07:25 PM, Nathaniel McCallum wrote: > > On Wed, 2014-12-03 at 17:18 +0100, Petr Vobornik wrote: > >> On 13.11.2014 18:04, Nathaniel McCallum wrote: > >>> Additionally, fix a small bug in ipa-kdb so that the disabled User > >>> Auth Type is properly handled. > >>> > >>> https://fedorahosted.org/freeipa/ticket/4720 > >>> > >> > >> The patch itself looks good to me, VERSION needs to be updated though. > >> > >> But I don't think it works. Don't know why. In my setup, user's config > >> was not ignored. > >> > >> When I tested login in Web UI with: > >> > >> - global config: disabled, otp > >> - user fbar's config: password > >> - fbar had an hotp token assigned > >> > >> I could still login with password and not with otp. If I added 'otp' to > >> fbar's config, I could also login with otp. > > > > How are you logging in? krb5 or LDAP bind? > > > > Forms-based in Web UI. It uses kinit internally.
Alright, I was able to reproduce this problem via a bisect. I think you hit a bug that was introduced in 953c6846b7cb8d75253538ab92a1360fceee0c3c and fixed by 9baa93da1cbf56c2a6f7e82e099bc3ff3f19e2e4. Those patches existed in my local branch as one patchset, but were merged in two sections. Unfortunately, though I had discovered and fixed the bug, the fix went in the wrong patch in the series. So you just happened to hit the narrow window where the bug existed in master (but not in my local tree). On current master, everything works. I also tested on 4.1.2. A similar bug exists there in the old ipa-pwd-extop code. So if we want to land this patch on 4.1.x, we will need a fix for that code to avoid creating a security hole. Attached is a rebased patch. It has no changes except the VERSION update. Nathaniel
From c682bb96b716580bf5aa2248ecfd88d69eee6e29 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Thu, 13 Nov 2014 02:42:55 -0500
Subject: [PATCH] Expose the disabled User Auth Type

Additionally, fix a small bug in ipa-kdb so that the disabled User Auth Type is properly handled.

https://fedorahosted.org/freeipa/ticket/4720
---
 API.txt | 2 +-
 VERSION | 4 ++--
 daemons/ipa-kdb/ipa_kdb_principals.c | 13 +++++++------
 install/ui/src/freeipa/serverconfig.js | 1 +
 install/ui/test/data/ipa_init.json | 1 +
 ipalib/plugins/config.py | 2 +-
 ipalib/plugins/internal.py | 1 +
 7 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/API.txt b/API.txt
index 08615c80476171695dac262575c4e20e72615c36..a6a95783c24f20850688a3115118a2c5bec9f21c 100644
--- a/API.txt
+++ b/API.txt
@@ -533,7 +533,7 @@ option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='s
 option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
-option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp'))
+option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp', u'disabled'))
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
 option: IA5Str('ipausersearchfields', attribute=True, autofill=False, cli_name='usersearch', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
diff --git a/VERSION b/VERSION
index f587c65c8868a1693d2b19fb4dae97b7cdd4c65a..122594726d622ed95a55211d5d25cb481413d0d4 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=112
-# Last change: tbabej - change ipaassignedidview to Str
+IPA_API_VERSION_MINOR=113
+# Last change: npmccallum - expose disabled user auth type
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index e158c236eab5c7c5a7c12664dbde5d51cc55406d..4e9cf07c516b310962f2774729a761063d646e6b 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -324,17 +324,18 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
 enum ipadb_user_auth ua = IPADB_USER_AUTH_NONE;
 const struct ipadb_global_config *gcfg = NULL;
 
- /* Get the user's user_auth settings. */
- ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
-
 /* Get the global user_auth settings. */
 gcfg = ipadb_get_global_config(ipactx);
 if (gcfg != NULL)
 gua = gcfg->user_auth;
 
- /* If the disabled flag is set, ignore everything else. */
- if ((ua | gua) & IPADB_USER_AUTH_DISABLED)
- return IPADB_USER_AUTH_DISABLED;
+ /* Get the user's user_auth settings if not disabled. */
+ if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
+ ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
+
+ /* Filter out the disabled flag. */
+ gua &= ~IPADB_USER_AUTH_DISABLED;
+ ua &= ~IPADB_USER_AUTH_DISABLED;
 
 /* Determine which user_auth policy is active: user or global. */
 if (ua == IPADB_USER_AUTH_NONE)
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index d134c88824533ce83f8b0dc11ca3a059601b6f7d..efe1805698372b45afae38d1f9dd883034ee03c6 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -78,6 +78,7 @@ return {
 name: 'ipauserauthtype',
 flags: ['w_if_no_aci'],
 options: [
+ { label: '@i18n:authtype.type_disabled', value: 'disabled' },
 { label: '@i18n:authtype.type_password', value: 'password' },
 { label: '@i18n:authtype.type_radius', value: 'radius' },
 { label: '@i18n:authtype.type_otp', value: 'otp' }
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index bbe334b7df774f1956a6dca98d5bb54049a7ee00..03654312998af6ee868caf8f74e9ce33ac5f94a7 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
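Review bot: The `if (gcfg != NULL)` guard leaves `gua` at whatever it held before the hunk when the global config cannot be read, and with the new ordering that also means `ipadb_parse_user_auth` runs and the user's own setting is honoured, so a failed global-config lookup fails open with respect to the "disable per-user override" policy. Whether that is acceptable depends on how `gua` is initialised above the hunk (its declaration is not visible) and on the caller, so at minimum the NULL path deserves a comment such as `/* No readable global config: per-user settings are honoured (fail-open) — confirm intended. */`, or a log line if the policy is meant to be enforced. Separately, since both masks now strip IPADB_USER_AUTH_DISABLED, this function can no longer return that value; if any caller still tests for it, that branch is now unreachable and should be removed or documented. The body of ipadb_get_user_auth continues past the end of the hunk.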
@@ -53,6 +53,7 @@
 "type_otp": "Two factor authentication (password + OTP)",
 "type_password": "Password",
 "type_radius": "Radius",
+ "type_disabled": "Disable per-user override",
 "user_tooltip": "Per-user setting, overwrites the global setting if any option is checked."
 },
 "buttons": {
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 077ef2c42ea4b2c7a2c5801a6558408326d2c757..6267313d5e9af2d97f45f987115de143d7aa7915 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -228,7 +228,7 @@ class config(LDAPObject):
 cli_name='user_auth_type',
 label=_('Default user authentication types'),
 doc=_('Default types of supported user authentication'),
- values=(u'password', u'radius', u'otp'),
+ values=(u'password', u'radius', u'otp', u'disabled'),
 csv=True,
 ),
 )
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index b85f2d077110128963e26ccf0f43e21141c46f4a..e04e843400015edfaeac5bdc94300ab600b97a9d 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -195,6 +195,7 @@ class i18n_messages(Command):
 "type_otp": _("Two factor authentication (password + OTP)"),
 "type_password": _("Password"),
 "type_radius": _("Radius"),
+ "type_disabled": _("Disable per-user override"),
 "user_tooltip": _("Per-user setting, overwrites the global setting if any option is checked."),
 },
 "buttons": {
-- 
2.1.0
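Review bot: The `doc=_('Default types of supported user authentication')` text two lines above the changed `values=` line in the config.py hunk no longer describes the whole enum: `disabled` is not an authentication type but a switch that makes the global setting ignore per-user overrides, which is what the UI label added in the other hunks ("Disable per-user override") and the ipa-kdb change express. Suggest `doc=_('Default types of supported user authentication; "disabled" makes per-user overrides ignored')` so the CLI help and the enforced behaviour agree. The enclosing `config` class starts and ends outside the hunk.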