Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/passwd.py | 11 | ||||
-rw-r--r-- | ipalib/plugins/user.py | 47 |
2 files changed, 48 insertions, 10 deletions
diff --git a/ipalib/plugins/passwd.py b/ipalib/plugins/passwd.py index 901a56f20..b7d82f355 100644 --- a/ipalib/plugins/passwd.py +++ b/ipalib/plugins/passwd.py @@ -22,6 +22,7 @@ from ipalib import Command from ipalib import Str, Password from ipalib import _ from ipalib import output +from ipalib.plugins.user import split_principal, validate_principal, normalize_principal __doc__ = _(""" Set a user's password @@ -46,12 +47,13 @@ class passwd(Command): __doc__ = _("Set a user's password.") takes_args = ( - Str('principal', + Str('principal', validate_principal, cli_name='user', label=_('User name'), primary_key=True, autofill=True, create_default=lambda **kw: util.get_current_principal(), + normalizer=lambda value: normalize_principal(value), ), Password('password', label=_('Password'), @@ -75,13 +77,6 @@ class passwd(Command): """ ldap = self.api.Backend.ldap2 - if principal.find('@') != -1: - principal_parts = principal.split('@') - if len(principal_parts) > 2: - raise errors.MalformedUserPrincipal(principal=principal) - else: - principal = '%s@%s' % (principal, self.api.env.realm) - (dn, entry_attrs) = ldap.find_entry_by_attr( 'krbprincipalname', principal, 'posixaccount', [''], ",".join([api.env.container_user, api.env.basedn]) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 92a026d0a..35866d6e9 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py 
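Review bot: `split_principal` is imported on the added line, but none of the passwd.py hunks on this page call it; only `validate_principal` and `normalize_principal` are used, in the `Str('principal', ...)` definition. Unless another part of the module uses it, the import can be reduced to `from ipalib.plugins.user import validate_principal, normalize_principal`. The rest of the file is outside the hunk, so this should be checked against the full module.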
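Review bot: The `principal` argument's validator and normalizer are now the only place where the realm is appended and a malformed principal is rejected, because the check inside `execute()` is removed in the next hunk. That dependency deserves a comment at the parameter, for example `# validate_principal/normalize_principal guarantee user@REALM; execute() relies on this for the krbprincipalname lookup`. It is not visible here whether the value produced by `create_default` (`util.get_current_principal()`) passes through the same normalizer and validator, so that path is worth confirming. As a style point, `normalizer=lambda value: normalize_principal(value)` can be written `normalizer=normalize_principal`; the same applies to the `krbprincipalname?` parameter in user.py. The `takes_args` tuple starts and ends outside the hunk.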
@@ -84,6 +84,48 @@ def convert_nsaccountlock(entry_attrs): nsaccountlock = Bool('temp') entry_attrs['nsaccountlock'] = nsaccountlock.convert(entry_attrs['nsaccountlock'][0]) +def split_principal(principal): + """ + Split the principal into its components and do some basic validation. + + Automatically append our realm if it wasn't provided. + """ + realm = None + parts = principal.split('@') + user = parts[0].lower() + if len(parts) > 2: + raise errors.MalformedUserPrincipal( + principal=principal + ) + + if len(parts) == 2: + realm = parts[1].upper() + # At some point we'll support multiple realms + if realm != api.env.realm: + raise errors.RealmMismatch() + else: + realm = api.env.realm + + return (user, realm) + +def validate_principal(ugettext, principal): + """ + All the real work is done in split_principal. + """ + (user, realm) = split_principal(principal) + return None + +def normalize_principal(principal): + """ + Ensure that the name in the principal is lower-case. The realm is + upper-case by convention but it isn't required. + + The principal is validated at this point. + """ + (user, realm) = split_principal(principal) + return unicode('%s@%s' % (user, realm)) + + class user(LDAPObject): """ User object. @@ -169,12 +211,13 @@ class user(LDAPObject): label=_('Login shell'), default=u'/bin/sh', ), - Str('krbprincipalname?', + Str('krbprincipalname?', validate_principal, cli_name='principal', label=_('Kerberos principal'), - default_from=lambda uid: '%s@%s' % (uid, api.env.realm), + default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm), autofill=True, flags=['no_update'], + normalizer=lambda value: normalize_principal(value), ), Str('mail*', cli_name='email', |
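Review bot: `split_principal` accepts an empty user part: for a principal consisting only of `@` plus the local realm, `parts[0].lower()` is `''` and the function returns `('', realm)`, so `validate_principal` returns None and `normalize_principal` yields a principal with no name. A guard after the `len(parts) > 2` check would close this, `if not user: raise errors.MalformedUserPrincipal(principal=principal)`. Beyond the '@' count and the realm comparison, nothing checks the characters of the user part, and in passwd.py the normalized value goes straight into the `krbprincipalname` lookup. Whether `find_entry_by_attr` escapes filter values is not visible on this page and is worth confirming. The docstring of `normalize_principal` says an upper-case realm is not required, while `split_principal` upper-cases the supplied realm before comparing it with `api.env.realm`; the two should be brought into agreement.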
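Review bot: The reason `default_from` now calls `uid.lower()` on the `krbprincipalname?` parameter is not stated; a short comment would help, for example `# lower-case the uid so the derived default matches what normalize_principal() produces`. Without it the change reads as unrelated to the new validator, since the realm part is still taken verbatim from `api.env.realm`. The enclosing parameter tuple of class `user` starts and ends outside the hunk.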