author | Rob Crittenden <rcritten@redhat.com> | 2011-09-08 13:47:37 -0400 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2011-09-10 00:03:19 +0000 |
commit | c97eb871c53c4a8c3bbd0f9f4b2ff23bc390bc71 (patch) | |
tree | 8fe888197db71a38e18b8d50471ec085826b0a5a /ipalib | |
parent | 9c4b004076b0ccc09f22830aa48740f79f8ea190 (diff) | |
Don't allow a OTP to be set on an enrolled host
Setting a password invalidates the existing keytab
https://fedorahosted.org/freeipa/ticket/1719
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/host.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 76f20456..6c6ad7d9 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -604,6 +604,14 @@ class host_mod(LDAPUpdate):
         )
 
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        # Allow an existing OTP to be reset but don't allow a OTP to be
+        # added to an enrolled host.
+        if 'userpassword' in options:
+            entry = {}
+            self.obj.get_password_attributes(ldap, dn, entry)
+            if not entry['has_password'] and entry['has_keytab']:
+                raise errors.ValidationError(name='password', error=_('Password cannot be set on enrolled host.'))
+
         # Once a principal name is set it cannot be changed
         if 'cn' in entry_attrs:
             raise errors.ACIError(info='cn is immutable')
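Review bot: The guard on the new `if not entry['has_password'] and entry['has_keytab']:` line still allows a password to be set when the host has both a password and a keytab, yet the commit message says setting a password invalidates the existing keytab; if that state is reachable, the condition should probably be `if entry['has_keytab']:` alone, or the preceding comment should say why an OTP reset is acceptable on an enrolled host that still has one. The two `entry[...]` lookups also assume `get_password_attributes` always populates both keys — a missing key would surface as a KeyError instead of the intended ValidationError, so `entry.get('has_password', False)` / `entry.get('has_keytab', False)` would be safer unless the helper guarantees them. Because the check keys only on the `userpassword` option, any other host_mod path that generates a password without passing that option (if one exists; not visible in this hunk) would bypass it, so it may be worth placing the keytab check where the password is actually written to entry_attrs. pre_callback's body continues outside the hunk.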