mfa: improve edge cases and documentation

builtin/credential/ldap/cli.go

@@ -64,6 +64,10 @@ To use it, first configure it through the "config" endpoint, and then
 login by specifying username and password. If password is not provided
 on the command line, it will be read from stdin.
 
+If multi-factor authentication (MFA) is enabled, a "method" and/or "passcode"
+may be provided depending on the MFA backend enabled. To check
+which MFA backend is in use, read "auth/[mount]/mfa_config".
+
     Example: vault auth -method=ldap username=john
 
     `

helper/mfa/duo/duo.go

@@ -75,7 +75,9 @@ func duoHandler(
 	case "deny":
 		return logical.ErrorResponse(preauth.Response.Status_Msg), nil
 	case "enroll":
-		return logical.ErrorResponse(preauth.Response.Status_Msg), nil
+		return logical.ErrorResponse(fmt.Sprintf("%s (%s)",
+			preauth.Response.Status_Msg,
+			preauth.Response.Enroll_Portal_Url)), nil
 	case "auth":
 		break
 	}

helper/mfa/duo/path_duo_config.go

@@ -33,16 +33,13 @@ func pathDuoConfig() *framework.Path {
 }
 
 func GetDuoConfig(req *logical.Request) (*DuoConfig, error) {
-	entry, err := req.Storage.Get("duo/config")
-	if err != nil {
-		return nil, err
-	}
-	if entry == nil {
-		return nil, nil
-	}
 	var result DuoConfig
-	if err := entry.DecodeJSON(&result); err != nil {
-		return nil, err
+	// all config parameters are optional, so path need not exist
+	entry, err := req.Storage.Get("duo/config")
+	if err == nil && entry != nil {
+		if err := entry.DecodeJSON(&result); err != nil {
+			return nil, err
+		}
 	}
 	if result.UsernameFormat == "" {
 		result.UsernameFormat = "%s"