Change the way has_keytab is determined, also check for password.

We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.

This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.

When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).

This adds has_keytab/has_password to the user, host and service plugins.

ticket https://fedorahosted.org/freeipa/ticket/1538

1 files changed, 8 insertions, 0 deletions

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 88269d28..586ec61f 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -79,3 +79,11 @@ dn: cn=sudo,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
+
+# This is used for the host/service one-time passwordn and keytab indirectors.
+# We can do a query on a DN to see if an attribute exists.
+dn: cn=accounts,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
+