StandardAuthenticationUsers for IDP with LDAP #791

New application property "cuba.idp.standardAuthenticationUsers" -
list of users permitted to use standard authentication in IDP even if
LDAP is enabled.

modules/idp/src/com/haulmont/idp/IdpAuthConfig.java

@@ -59,4 +59,14 @@ public interface IdpAuthConfig extends Config {
     @Property("cuba.idp.ldap.userLoginField")
     @DefaultString("sAMAccountName")
     String getLdapUserLoginField();
+
+    /**
+     * @return list of users that are not allowed to use external authentication. They can use only standard authentication.
+     *         Empty list means that everyone is allowed to login using external authentication.
+     *
+     * @see #getAuthenticationMode()
+     */
+    @Property("cuba.idp.standardAuthenticationUsers")
+    @Factory(factory = CommaSeparatedStringListTypeFactory.class)
+    List<String> getStandardAuthenticationUsers();
 }

modules/idp/src/com/haulmont/idp/controllers/IdpLoginManager.java

@@ -53,7 +53,15 @@ public class IdpLoginManager implements InitializingBean {
     protected LdapTemplate ldapTemplate;
 
     public IdpService.IdpLoginResult login(AuthRequest auth, Locale sessionLocale) throws LoginException {
-        switch (authenticationConfig.getAuthenticationMode()) {
+        IdpAuthMode authenticationMode = authenticationConfig.getAuthenticationMode();
+        List<String> standardAuthenticationUsers = authenticationConfig.getStandardAuthenticationUsers();
+
+        if (standardAuthenticationUsers.contains(auth.getUsername())) {
+            // user can only use STANDARD authentication
+            authenticationMode = IdpAuthMode.STANDARD;
+        }
+
+        switch (authenticationMode) {
             case STANDARD: {
                 LoginPasswordCredentials credentials = new LoginPasswordCredentials(
                         auth.getUsername(),