Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/baseldap.py26
-rw-r--r--ipalib/plugins/host.py33
-rw-r--r--ipalib/plugins/service.py27
-rw-r--r--ipalib/plugins/user.py6
4 files changed, 61 insertions, 31 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1ff7a2a6d..94f57388d 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -36,6 +36,12 @@ from ipalib.util import json_serialize
from ipalib.dn import *
global_output_params = (
+ Flag('has_keytab',
+ label=_('Keytab'),
+ ),
+ Flag('has_password',
+ label=_('Password'),
+ ),
Str('member',
label=_('Failed members'),
),
@@ -319,6 +325,7 @@ class LDAPObject(Object):
uuid_attribute = ''
attribute_members = {}
rdnattr = None
+ password_attributes = []
# Can bind as this entry (has userPassword or krbPrincipalKey)
bindable = False
relationships = {
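Review bot: `password_attributes = []` introduces a mutable list as a class-level default on LDAPObject; nothing in this diff mutates it, but a tuple states the read-only, override-in-subclass contract explicitly and removes the shared-state footgun, e.g. `password_attributes = ()`. Since subclasses fill it with positional pairs that `get_password_attributes` unpacks, a comment describing the shape would help, e.g. `# (ldap_attribute, output_flag) pairs: presence of ldap_attribute on the entry sets output_flag`. The LDAPObject class body continues outside the hunk.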
@@ -407,6 +414,25 @@ class LDAPObject(Object):
)
del entry_attrs[attr]
+ def get_password_attributes(self, ldap, dn, entry_attrs):
+ """
+ Search on the entry to determine if it has a password or
+ keytab set.
+
+ A tuple is used to determine which attribute is set
+ in entry_attrs. The value is set to True/False whether a
+ given password type is set.
+ """
+ for (pwattr, attr) in self.password_attributes:
+ search_filter = '(%s=*)' % pwattr
+ try:
+ (entries, truncated) = ldap.find_entries(
+ search_filter, [pwattr], dn, ldap.SCOPE_BASE
+ )
+ entry_attrs[attr] = True
+ except errors.NotFound:
+ entry_attrs[attr] = False
+
def handle_not_found(self, *keys):
pkey = ''
if self.primary_key:
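Review bot: `get_password_attributes` sets the flag to False not only when the attribute is absent but, presumably, also when the bound identity has no search right on it, because a presence filter the server declines to evaluate for the caller surfaces as the same `errors.NotFound` as a genuinely missing value; krbPrincipalKey and userPassword are normally tightly ACI-protected, so a less privileged caller may see `has_keytab`/`has_password` as False on entries that do hold them. That limitation belongs in the docstring, e.g. `Note: the result depends on the caller's LDAP search rights for the attribute; a denied search is indistinguishable from an absent value.` Only `errors.NotFound` is caught, so any other LDAP error raised by `find_entries` aborts the whole show/find command that called this helper; if that is intended, a one-line comment would save the next reader from wondering. The `(entries, truncated)` unpacking is unused and can be dropped in favour of calling `ldap.find_entries(...)` for its exception only.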
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 5cd1056ec..6e9efec1a 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -162,9 +162,6 @@ def remove_fwd_ptr(ipaddr, host, domain, recordtype):
pass
host_output_params = (
- Flag('has_keytab',
- label=_('Keytab'),
- ),
Str('managedby_host',
label='Managed by',
),
@@ -224,7 +221,7 @@ class host(LDAPObject):
default_attributes = [
'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof',
- 'krblastpwdchange', 'managedby', 'memberindirect', 'memberofindirect',
+ 'managedby', 'memberindirect', 'memberofindirect',
]
uuid_attribute = 'ipauniqueid'
attribute_members = {
@@ -242,6 +239,8 @@ class host(LDAPObject):
'managedby': ('Managed by', 'man_by_', 'not_man_by_'),
'managing': ('Managing', 'man_', 'not_man_'),
}
+ password_attributes = [('userpassword', 'has_password'),
+ ('krbprincipalkey', 'has_keytab')]
label = _('Hosts')
label_singular = _('Host')
@@ -466,6 +465,11 @@ class host_add(LDAPCreate):
if options.get('all', False):
entry_attrs['managing'] = self.obj.get_managed_hosts(dn)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_password']:
+ # If an OTP is set there is no keytab, at least not one
+ # fetched anywhere.
+ entry_attrs['has_keytab'] = False
return dn
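Review bot: The OTP override added here (`if entry_attrs['has_password']: entry_attrs['has_keytab'] = False`, with its two-line comment) is repeated verbatim in host_find and host_show in this same commit; a single helper on the `host` object, e.g. `def _get_host_password_attributes(self, ldap, dn, entry_attrs)` that calls `get_password_attributes` and then applies the rule, would keep the three callers in step if the rule changes. It should stay a separate helper rather than an override of `get_password_attributes` itself, because host_disable later in this diff depends on the raw `has_keytab` result to decide whether to remove the principal key. The post_callback this hunk touches starts outside the hunk.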
@@ -691,8 +695,13 @@ class host_find(LDAPSearch):
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
- entry_attrs = entry[1]
+ (dn, entry_attrs) = entry
set_certificate_attrs(entry_attrs)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_password']:
+ # If an OTP is set there is no keytab, at least not one
+ # fetched anywhere.
+ entry_attrs['has_keytab'] = False
if options.get('all', False):
entry_attrs['managing'] = self.obj.get_managed_hosts(entry[0])
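Review bot: The last line of this hunk still indexes the tuple, `get_managed_hosts(entry[0])`, although the hunk itself changed the line above to unpack it as `(dn, entry_attrs) = entry`; use `get_managed_hosts(dn)` for consistency. Each entry returned by host-find now also triggers two extra base-scope LDAP searches via `get_password_attributes`, so a search that hits the size limit costs roughly three server round-trips per result where it previously cost none; if the flags cannot be derived from the main search because the attributes are not readable, that trade-off deserves a comment at the call site, e.g. `# two extra LDAP searches per entry; presence filters are used because the key attributes are not readable`. host_find.post_callback continues outside the hunk.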
@@ -714,11 +723,10 @@ class host_show(LDAPRetrieve):
member_attributes = ['managedby']
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
- if 'krblastpwdchange' in entry_attrs:
- entry_attrs['has_keytab'] = True
- if not options.get('all', False):
- del entry_attrs['krblastpwdchange']
- else:
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_password']:
+ # If an OTP is set there is no keytab, at least not one
+ # fetched anywhere.
entry_attrs['has_keytab'] = False
set_certificate_attrs(entry_attrs)
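Review bot: `has_keytab` is forced to False whenever `has_password` is True, immediately after the presence search for krbPrincipalKey may have reported True; the comment asserts that an OTP implies no keytab, but if a one-time password can be set on a host that already holds a principal key (this hunk does not show whether host-mod permits that), host-show will hide a live key while host_disable further down in this diff, which does not apply the override, would still find and remove it. If both attributes can coexist, drop the override and report the searched value; if they cannot, state where the invariant is enforced so the override is visibly safe, e.g. `# userPassword and krbPrincipalKey are mutually exclusive on host entries (enforced by <caller>)`. host_show.post_callback continues outside the hunk.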
@@ -766,7 +774,7 @@ class host_disable(LDAPQuery):
dn = self.obj.get_dn(*keys, **options)
try:
- (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate'])
+ (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound:
self.obj.handle_not_found(*keys)
@@ -816,7 +824,8 @@ class host_disable(LDAPQuery):
ldap.update_entry(dn, {'usercertificate': None})
done_work = True
- if 'krblastpwdchange' in entry_attrs:
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_keytab']:
ldap.remove_principal_key(dn)
done_work = True
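Review bot: After the new `get_password_attributes` call, host_disable knows `entry_attrs['has_password']` but only the Kerberos key is removed; an unused one-time enrollment password in userPassword is left in place, so a disabled host could presumably still be enrolled with that OTP. If disabling is meant to revoke every enrollment credential, add a branch mirroring the certificate removal above, `if entry_attrs['has_password']: ldap.update_entry(dn, {'userpassword': None}); done_work = True`; if keeping the OTP is deliberate, a comment saying so would stop the next reader from raising the same question. host_disable.execute begins and ends outside the hunk.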
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 11970f401..bcaa76afb 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -83,9 +83,6 @@ from ipapython.ipautil import file_exists
output_params = (
- Flag('has_keytab',
- label=_('Keytab'),
- ),
Str('managedby_host',
label='Managed by',
),
@@ -207,7 +204,7 @@ class service(LDAPObject):
'ipaservice', 'pkiuser'
]
search_attributes = ['krbprincipalname', 'managedby']
- default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'krblastpwdchange']
+ default_attributes = ['krbprincipalname', 'usercertificate', 'managedby']
uuid_attribute = 'ipauniqueid'
attribute_members = {
'managedby': ['host'],
@@ -216,6 +213,7 @@ class service(LDAPObject):
relationships = {
'managedby': ('Managed by', 'man_by_', 'not_man_by_'),
}
+ password_attributes = [('krbprincipalkey', 'has_keytab')]
label = _('Services')
label_singular = _('Service')
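Review bot: `password_attributes` for services lists only `krbprincipalkey`, while `has_password` was just promoted to a global output param in baseldap, so service-show/service-find may advertise a `has_password` flag that is never populated for services; either add `('userpassword', 'has_password')` if service entries can carry a password, or record the intent beside the list, e.g. `# services have no userPassword; only has_keytab is reported and has_password stays unset`. The service class body continues outside the hunk.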
@@ -379,13 +377,8 @@ class service_find(LDAPSearch):
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
- entry_attrs = entry[1]
- if 'krblastpwdchange' in entry_attrs:
- entry_attrs['has_keytab'] = True
- if not options.get('all', False):
- del entry_attrs['krblastpwdchange']
- else:
- entry_attrs['has_keytab'] = False
+ (dn, entry_attrs) = entry
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
set_certificate_attrs(entry_attrs)
api.register(service_find)
@@ -403,12 +396,7 @@ class service_show(LDAPRetrieve):
)
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
- if 'krblastpwdchange' in entry_attrs:
- entry_attrs['has_keytab'] = True
- if not options.get('all', False):
- del entry_attrs['krblastpwdchange']
- else:
- entry_attrs['has_keytab'] = False
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
set_certificate_attrs(entry_attrs)
@@ -461,7 +449,7 @@ class service_disable(LDAPQuery):
ldap = self.obj.backend
dn = self.obj.get_dn(*keys, **options)
- (dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate'])
+ (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
# See if we do any work at all here and if not raise an exception
done_work = False
@@ -493,7 +481,8 @@ class service_disable(LDAPQuery):
ldap.update_entry(dn, {'usercertificate': None})
done_work = True
- if 'krblastpwdchange' in entry_attrs:
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
+ if entry_attrs['has_keytab']:
ldap.remove_principal_key(dn)
done_work = True
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 3068c6291..2112c03d0 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -113,6 +113,8 @@ class user(LDAPObject):
}
rdnattr = 'uid'
bindable = True
+ password_attributes = [('userpassword', 'has_password'),
+ ('krbprincipalkey', 'has_keytab')]
label = _('Users')
label_singular = _('User')
@@ -407,6 +409,7 @@ class user_add(LDAPCreate):
newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry')
entry_from_entry(entry_attrs, newentry)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
return dn
api.register(user_add)
@@ -443,6 +446,7 @@ class user_mod(LDAPUpdate):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
convert_nsaccountlock(entry_attrs)
self.obj._convert_manager(entry_attrs, **options)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
return dn
api.register(user_mod)
@@ -472,6 +476,7 @@ class user_find(LDAPSearch):
for entry in entries:
(dn, attrs) = entry
self.obj._convert_manager(attrs, **options)
+ self.obj.get_password_attributes(ldap, dn, attrs)
convert_nsaccountlock(attrs)
msg_summary = ngettext(
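Review bot: Every entry returned by user-find now triggers two extra base-scope LDAP searches inside `get_password_attributes`, one per pair in `password_attributes`; users are the largest result set in this API, so the added round-trips scale with the size limit on every search, including ones whose caller never looks at these flags. Consider computing them only when requested (for example under `options.get('all', False)`, the pattern host_find already uses for `managing`), or at least document the cost at the call, e.g. `# two extra LDAP searches per entry; see LDAPObject.get_password_attributes`. user_find.post_callback starts outside the hunk.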
@@ -488,6 +493,7 @@ class user_show(LDAPRetrieve):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
convert_nsaccountlock(entry_attrs)
self.obj._convert_manager(entry_attrs, **options)
+ self.obj.get_password_attributes(ldap, dn, entry_attrs)
return dn
api.register(user_show)