From 23306a28c9181065ab3f2828ab2df56c152e2c62 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 20 Nov 2018 10:51:18 +0100
Subject: [PATCH] ipa-replica-install: password and admin-password options
 mutually exclusive

Currently it is possible to run ipa-replica-install in one step,
and provide --password and --admin-password simultaneously.
This is confusing as --password is intended for one-time pwd
when the ipa-replica-install command is delegated to a user
who doesn't know the admin password.

The fix makes --password and --admin-password options
mutually exclusive.

Fixes https://pagure.io/freeipa/issue/6353

Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 03d096d79..d3e28a1b2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -771,6 +771,10 @@ def promote_check(installer):
 
     client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
     if not client_fstore.has_files():
+        # One-step replica installation
+        if options.password and options.admin_password:
+            raise ScriptError("--password and --admin-password options are "
+                              "mutually exclusive")
         ensure_enrolled(installer)
     else:
         if (options.domain_name or options.server or options.realm_name or