Don't allow a one-time password to be set on enrolled hosts. This will
invalidate the existing keytab.
rob
>From 3ea2e26ceaf241f9d60b221efc640f77d60493eb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 8 Sep 2011 13:47:37 -0400
Subject: [PATCH] Don't allow a OTP to be set on an enrolled host
Setting a password invalidates the existing keytab
https://fedorahosted.org/freeipa/ticket/1719
---
ipalib/plugins/host.py | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 76f2045..6c6ad7d 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -604,6 +604,14 @@ class host_mod(LDAPUpdate):
)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ # Allow an existing OTP to be reset but don't allow a OTP to be
+ # added to an enrolled host.
+ if 'userpassword' in options:
+ entry = {}
+ self.obj.get_password_attributes(ldap, dn, entry)
+ if not entry['has_password'] and entry['has_keytab']:
+ raise errors.ValidationError(name='password', error=_('Password cannot be set on enrolled host.'))
+
# Once a principal name is set it cannot be changed
if 'cn' in entry_attrs:
raise errors.ACIError(info='cn is immutable')
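Review bot: The guard on the line after the comment only looks at `options`, but the value the update actually writes comes from `entry_attrs`, so a password supplied through the generic attribute options (`--setattr`/`--addattr userpassword=...`) would not take this branch if, as elsewhere in LDAPUpdate, those options are folded into `entry_attrs` before pre_callback runs; this is inferred from the surrounding framework, not visible in the hunk. Testing the dict that is written closes that gap: `if 'userpassword' in entry_attrs:`. It would also help to state the contract the check relies on with a comment such as `# get_password_attributes fills entry['has_password'] / entry['has_keytab']`, since a KeyError here would surface as a server error rather than a validation failure. pre_callback's body continues outside the hunk.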
--
1.7.6