From 27b351aba564804f65e5574919a88d6194c75256 Mon Sep 17 00:00:00 2001 From: zeripath Date: Fri, 17 Sep 2021 12:43:47 +0100 Subject: Make LDAP be able to skip local 2FA (#16954) This PR extends #16594 to allow LDAP to be able to be set to skip local 2FA too. The technique used here would be extensible to PAM and SMTP sources. Signed-off-by: Andrew Thornton --- cmd/admin_auth_ldap.go | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'cmd/admin_auth_ldap.go') diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go index 4314930a3e..feeaf17661 100644 --- a/cmd/admin_auth_ldap.go +++ b/cmd/admin_auth_ldap.go @@ -89,6 +89,10 @@ var ( Name: "public-ssh-key-attribute", Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.", }, + cli.BoolFlag{ + Name: "skip-local-2fa", + Usage: "Set to true to skip local 2fa for users authenticated by this source", + }, } ldapBindDnCLIFlags = append(commonLdapCLIFlags, @@ -245,6 +249,10 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error { if c.IsSet("allow-deactivate-all") { config.AllowDeactivateAll = c.Bool("allow-deactivate-all") } + if c.IsSet("skip-local-2fa") { + config.SkipLocalTwoFA = c.Bool("skip-local-2fa") + } + return nil } -- cgit v1.2.3
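Review bot: The `Usage` string for the new `skip-local-2fa` flag in the first hunk does not say what the administrator gives up: for accounts from this source the locally enrolled second factor is no longer requested, so sign-in is only as strong as whatever the LDAP directory enforces (often, I assume, a password bind alone). I would spell that out, e.g. `Usage: "Set to true to skip local 2fa for users authenticated by this source (only enable if the LDAP server enforces its own second factor)",`. The flag is appended to `commonLdapCLIFlags`, so it presumably reaches every LDAP sub-command built from that list, and the second hunk copies it into `config.SkipLocalTwoFA` whenever it is set; a short comment there, such as `// Security-sensitive: disables the local 2FA prompt for every user of this source.`, would help later readers. Both the `var (` block and `parseLdapConfig` begin outside the hunks shown, so any validation or logging of this change elsewhere is not visible here.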