1 files changed, 19 insertions, 0 deletions

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 34045e208..60a8ca3be 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -786,6 +786,9 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
     struct tm utctime;
     char timestr[GENERALIZED_TIME_LENGTH+1];
     int ret;
+    char *errMsg = "Internal operations error\n";
+    struct ipapwd_krbcfg *krbcfg = NULL;
+    char *principal = NULL;
 
     LOG_TRACE("=>\n");
 
@@ -812,6 +815,12 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
         return 0;
     }
 
+    ret = ipapwd_gen_checks(pb, &errMsg, &krbcfg, 0);
+    if (ret != 0) {
+        LOG_FATAL("ipapwd_gen_checks failed!?\n");
+        return 0;
+    }
+
     /* prepare changes that can be made only as root */
     smods = slapi_mods_new();
 
@@ -860,9 +869,19 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
     if (ret)
         LOG("Failed to set additional password attributes in the post-op!\n");
 
+    if (pwdop->pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
+        principal = slapi_entry_attr_get_charptr(pwdop->pwdata.target,
+                                                 "krbPrincipalName");
+    } else {
+        principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
+    }
+    ipapwd_set_extradata(pwdop->pwdata.dn, principal, pwdop->pwdata.timeNow);
+
 done:
     if (pwdop && pwdop->pwdata.target) slapi_entry_free(pwdop->pwdata.target);
     slapi_mods_free(&smods);
+    slapi_ch_free_string(&principal);
+    free_ipapwd_krbcfg(&krbcfg);
     return 0;
 }