ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP

In case there is a successful OTP authentication attempt, register it as
an operation note on the BIND operation in LDAP. 389-ds then will print
a multi-factor authentication note in both access and security logs
according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html

Fixes: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c

@@ -1551,6 +1551,16 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
     /* Attempt to write out kerberos keys for the user. */
     ipapwd_write_krb_keys(pb, discard_const(dn), entry, credentials);
 
+#ifdef USE_OP_NOTE_MFA_AUTH
+    /* If it was a successful authentication with OTP required, mark it
+     * for access log to notice multi-factor authentication has happened
+     * https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
+     */
+    if (!syncreq && otpreq) {
+        slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
+    }
+#endif
+
     slapi_entry_free(entry);
     slapi_sdn_free(&sdn);
     return 0;

server.m4

@@ -31,6 +31,14 @@ PKG_CHECK_MODULES([DIRSRV], [dirsrv  >= 1.3.0])
 # slapi-plugin.h includes nspr.h
 DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
 
+bck_cflags="$CFLAGS"
+CFLAGS="$CFLAGS $DIRSRV_CFLAGS"
+AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH], [
+    AC_DEFINE(USE_OP_NOTE_MFA_AUTH,1,
+              [Use LDAP operation note for multi-factor LDAP BIND])],
+    [], [[#include <dirsrv/slapi-plugin.h>]])
+CFLAGS="$bck_cflags"
+
 dnl -- sss_idmap is needed by the extdom exop --
 PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
 PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])