From 204200d73bb135cb7b9b31b8f1ba5268d73094a5 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: May 26 2016 16:47:05 +0000
Subject: Return password-only preauth if passwords are allowed


Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>

---

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 5027810..910d55c 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -302,6 +302,8 @@ static void ipadb_validate_radius(struct ipadb_context *ipactx,
                                "ipatokenRadiusConfigLink");
     if (vals == NULL || vals[0] == NULL)
         *ua &= ~IPADB_USER_AUTH_RADIUS;
+    else
+        *ua = IPADB_USER_AUTH_RADIUS;
 
     if (vals != NULL)
         ldap_value_free_len(vals);
@@ -314,10 +316,6 @@ static void ipadb_validate_password(struct ipadb_context *ipactx,
     /* If no mechanisms are set, use password. */
     if (*ua == IPADB_USER_AUTH_NONE)
         *ua |= IPADB_USER_AUTH_PASSWORD;
-
-    /* If any other mechanism has passed validation, don't use password. */
-    else if (*ua & ~IPADB_USER_AUTH_PASSWORD)
-        *ua &= ~IPADB_USER_AUTH_PASSWORD;
 }
 
 static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,