From 1e1985b17c3988056bef045fa84a9c7aaf0c4c65 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 12 Jul 2010 17:45:06 -0400
Subject: Add API to delete a service principal key, service-disable.

I have to do some pretty low-level LDAP work to achieve this. Since
we can't read the key using our modlist generator won't work and lots of
tricks would be needed to use the LDAPUpdate object in any case.

I pulled usercertificate out of the global params and put into each
appropriate function because it makes no sense for service-disable.

This also adds a new variable, has_keytab, to service/host_show output.
This flag tells us whether there is a krbprincipalkey.
---
 ipaserver/plugins/ldap2.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'ipaserver/plugins')

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index aebeb5c2..3c536e24 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -825,6 +825,22 @@ class ldap2(CrudBackend, Encoder):
         """Mark entry inactive."""
         self.set_entry_active(dn, False)
 
+    def remove_principal_key(self, dn):
+        """Remove a kerberos principal key."""
+
+        dn = self.normalize_dn(dn)
+
+        # We need to do this directly using the LDAP library because we
+        # don't have read access to krbprincipalkey so we need to delete
+        # it in the blind.
+        mod = [(_ldap.MOD_REPLACE, 'krbprincipalkey', None),
+               (_ldap.MOD_REPLACE, 'krblastpwdchange', None)]
+
+        try:
+            self.conn.modify_s(dn, mod)
+        except _ldap.LDAPError, e:
+            self._handle_errors(e, **{})
+
     # CrudBackend methods
 
     def _get_normalized_entry_for_crud(self, dn, attrs_list=None):
-- 
cgit