From d3c24bb0a65dae85e665ebc617ab4f084c2299fd Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 8 Sep 2011 13:47:37 -0400
Subject: Don't allow a OTP to be set on an enrolled host
Setting a password invalidates the existing keytab
https://fedorahosted.org/freeipa/ticket/1719
---
 ipalib/plugins/host.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 76f204567..6c6ad7d95 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -604,6 +604,14 @@ class host_mod(LDAPUpdate):
 )
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ # Allow an existing OTP to be reset but don't allow a OTP to be
+ # added to an enrolled host.
+ if 'userpassword' in options:
+ entry = {}
+ self.obj.get_password_attributes(ldap, dn, entry)
+ if not entry['has_password'] and entry['has_keytab']:
+ raise errors.ValidationError(name='password', error=_('Password cannot be set on enrolled host.'))
+
 # Once a principal name is set it cannot be changed
 if 'cn' in entry_attrs:
 raise errors.ACIError(info='cn is immutable')
--
cgit
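Review bot: The new guard indexes `entry['has_password']` and `entry['has_keytab']` unconditionally right after `self.obj.get_password_attributes(ldap, dn, entry)`; that helper is defined outside this hunk, and if it ever leaves either key unset the modify would fail with a KeyError instead of the intended ValidationError, so it is worth either confirming the helper always populates both keys or reading them with `entry.get(...)` and an explicit default so the outcome on a missing key is deliberate rather than an exception. The gate also fires on the mere presence of `'userpassword' in options`, so an option passed with an empty value is treated the same as one carrying a real OTP; whether that matches how the framework normalizes empty values is not visible here and should be confirmed. A short why-comment tying the check to the commit rationale would help the next reader, e.g. `# Setting a password invalidates the existing keytab, so only an already-OTP host may have it reset.`, and the added comment's "a OTP" reads better as "an OTP". The body of pre_callback continues past the end of this hunk.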