051d61f ipa-pwd-extop: differentiate OTP requirements in LDAP binds

2 files. Authored by abbra 6 months ago, committed by frenaud 6 months ago.
    ipa-pwd-extop: differentiate OTP requirements in LDAP binds
    
    For users who have no OTP tokens defined (yet), a missing token should
    not be seen as a failure. This is needed to allow a basic password
    change.
    
    The logic around enforcement of OTP over LDAP bind is the following:
    ----------------------------------------------------------------------
    - when LDAP OTP control is requested by the LDAP client, OTP is
      explicitly required
    - when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly
      required, regardless of the state of LDAP client
    
    In either case, only users with 'user-auth-type: otp' are allowed to
    authenticate.
    
    If these users have no OTP token associated yet, they will be allowed to
    authenticate with their password. This is to allow initial password
    change and adding an OTP token.
    ----------------------------------------------------------------------
    
    Implement a test that simulates the lifecycle for a new user who gets
    to change their password before adding an OTP token.
    
    Related: https://pagure.io/freeipa/issue/5169
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
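The enforcement rules spelled out in the commit message form a small decision procedure, and the "no token yet" carve-out is the edge case the new test exercises. The following is an added model of those rules written for this page; it is not the ipa-pwd-extop plugin's C code or FreeIPA's test suite. The class names (`User`, `BindContext`, `Decision`), the field names, and the function names are assumptions chosen for the example. Two simplifications are also assumptions: the per-user `ipaUserAuthType` value is consulted directly (the global default in the IPA config is ignored), and a bind with neither the OTP control nor EnforceLDAPOTP is treated as a plain password bind, which the commit message does not describe.

```python
"""Model of FreeIPA's OTP-over-LDAP-bind policy as stated in the commit
message for "ipa-pwd-extop: differentiate OTP requirements in LDAP binds".

Added example code; not the plugin's implementation. All names are
assumptions made for illustration.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    DENY_BAD_PASSWORD = "password did not verify"
    ALLOW_NO_OTP_REQUIRED = "OTP not required; password accepted"
    DENY_OTP_NOT_ENABLED = "OTP required but user lacks 'otp' in user-auth-type"
    ALLOW_NO_TOKEN_YET = "OTP required, user has no token yet; password accepted"
    DENY_OTP_MISSING = "OTP required and user has tokens, but no OTP presented"
    ALLOW_PASSWORD_AND_OTP = "password and OTP accepted"


@dataclass
class User:
    uid: str
    auth_types: frozenset      # per-user ipaUserAuthType values, e.g. {"otp"}
    token_count: int           # OTP tokens currently associated with the user


@dataclass
class BindContext:
    otp_control_requested: bool   # LDAP client sent the IPA OTP control
    enforce_ldap_otp: bool        # EnforceLDAPOTP flag in the IPA configuration
    otp_presented: bool           # a valid OTP value accompanied the password
    password_ok: bool             # the password part of the credential verified


def otp_required(ctx: BindContext) -> bool:
    """Explicitly required by the client control, or implicitly by
    EnforceLDAPOTP regardless of what the client asked for."""
    return ctx.otp_control_requested or ctx.enforce_ldap_otp


def decide_bind(user: User, ctx: BindContext) -> Decision:
    """Apply the rules in the order the commit message states them."""
    if not ctx.password_ok:
        return Decision.DENY_BAD_PASSWORD
    if not otp_required(ctx):
        # Assumption: outside the described policy, a plain password bind.
        return Decision.ALLOW_NO_OTP_REQUIRED
    # OTP is required: only users with 'user-auth-type: otp' may bind at all.
    if "otp" not in user.auth_types:
        return Decision.DENY_OTP_NOT_ENABLED
    # The carve-out this commit introduces: no token enrolled yet, so a
    # missing OTP is not a failure and the password alone is accepted.
    if user.token_count == 0:
        return Decision.ALLOW_NO_TOKEN_YET
    if not ctx.otp_presented:
        return Decision.DENY_OTP_MISSING
    return Decision.ALLOW_PASSWORD_AND_OTP


def simulate_new_user_lifecycle(enforce_ldap_otp: bool = True):
    """Walk the scenario the commit's test covers with constructed data:
    a fresh 'otp' user with no token binds with the password alone (to
    change the initial password), then enrolls a token, after which a
    password-only bind is refused and password+OTP succeeds."""
    user = User(uid="newuser", auth_types=frozenset({"otp"}), token_count=0)
    ctx = BindContext(otp_control_requested=False,
                      enforce_ldap_otp=enforce_ldap_otp,
                      otp_presented=False, password_ok=True)
    steps = [("initial password-only bind", decide_bind(user, ctx))]
    user.token_count += 1          # the user adds their first OTP token
    steps.append(("password-only bind after enrolment", decide_bind(user, ctx)))
    steps.append(("password+OTP bind after enrolment",
                  decide_bind(user, replace(ctx, otp_presented=True))))
    return steps


if __name__ == "__main__":
    for label, decision in simulate_new_user_lifecycle():
        print(f"{label:40s} -> {decision.name}: {decision.value}")
```

The lifecycle walk makes the operational consequence visible: with EnforceLDAPOTP set, the password-only window exists exactly as long as the user has zero tokens, and closes the moment the first token is associated.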