IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't allow a OTP to be set on an enrolled host

Browse Source 
Setting a password invalidates the existing keytab

https://fedorahosted.org/freeipa/ticket/1719
This commit is contained in:
Rob Crittenden 2011-09-08 13:47:37 -04:00 committed by Endi S. Dewata
parent 9c4b004076
commit c97eb871c5
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ipalib/plugins/host.py
View File

@ -604,6 +604,14 @@ class host_mod(LDAPUpdate):
) )
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
# Allow an existing OTP to be reset but don't allow a OTP to be
# added to an enrolled host.
if 'userpassword' in options:
entry = {}
self.obj.get_password_attributes(ldap, dn, entry)
if not entry['has_password'] and entry['has_keytab']:
raise errors.ValidationError(name='password', error=_('Password cannot be set on enrolled host.'))
# Once a principal name is set it cannot be changed # Once a principal name is set it cannot be changed
if 'cn' in entry_attrs: if 'cn' in entry_attrs:
raise errors.ACIError(info='cn is immutable') raise errors.ACIError(info='cn is immutable')