From 2d95d0df95cb2a257fbbb110746f93bdbe19bff2 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Fri, 15 Sep 2017 12:49:22 +0200
Subject: [PATCH] roles/ipaclient: New ipaclient_use_otp setting to force otp
 usage

The use of otp can be forced so that the admin password is not transferred while setting
up the ipa client. Only the one-time password will be transferred to the
client machine.

ipaclient_password will be overwritten by the otp password.
---
 roles/ipaclient/defaults/main.yml | 1 +
 roles/ipaclient/tasks/install.yml | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/roles/ipaclient/defaults/main.yml b/roles/ipaclient/defaults/main.yml
index a1a6d5ec..5a6eea64 100644
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -5,3 +5,4 @@ ipaclient_force_join: no
 ipaclient_ntp: no
 ipaclient_mkhomedir: no
 ipaclient_kinit_attempts: 5
+ipaclient_use_otp: "false"
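Review bot: The new default `ipaclient_use_otp: "false"` is a quoted string while the surrounding defaults in this hunk (`ipaclient_ntp: no`, `ipaclient_mkhomedir: no`) are bare booleans, so the role now mixes scalar types for its flag-like settings. It works because the consumer pipes it through `| bool`, but a plain `ipaclient_use_otp: false` states the intent directly and reads consistently with the other flags. If the quoting is deliberate (for instance to survive a templated override), a one-line comment above the key explaining that would save the next reader the question.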
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 46ba466a..756446c5 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -17,9 +17,11 @@
   register: ipadiscovery
 
 # The following block is executed when using OTP to enroll IPA client
-# ie when neither ipaclient_password not ipaclient_keytab is set
+# ie when ipaclient_use_otp is set.
 # It connects to ipaserver and add the host with --random option in order
 # to create a OneTime Password
+# If a keytab is specified in the hostent, then the hostent will be disabled
+# if ipaclient_use_otp is set.
 - block:
   - name: Install - Get a One-Time Password for client enrollment
     ipahost:
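Review bot: The added comment `# If a keytab is specified in the hostent, then the hostent will be disabled if ipaclient_use_otp is set.` is hard to parse: "hostent" and the doubled "if" obscure which condition triggers which effect. Something like `# If the host entry already has a keytab and ipaclient_use_otp is set, that host entry is disabled.` says the same thing in one clause. If the intended meaning is instead that the existing keytab is invalidated rather than the whole entry, the comment should say so explicitly, since that is a side effect an operator re-enrolling a live host would want spelled out. The `block:` this comment introduces continues past the end of the hunk.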
@@ -38,9 +40,9 @@
 
   - name: Install - Store the previously obtained OTP
     set_fact:
-      ipaclient_otp: "{{ipahost_output.host.randompassword if ipahost_output.host is defined else 'dummyotp' }}"
+      ipaclient_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
 
-  when: ipaclient_password is not defined and ipaclient_keytab is not defined
+  when: ipaclient_use_otp | bool
 
 - fail: msg="At least one of password, keytab or otp must be specified"
   when: ipaclient_password is undefined and ipaclient_keytab is undefined and ipaclient_otp is undefined
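Review bot: The rewritten `set_fact` on the `ipaclient_password:` line drops the `else` branch, so when `ipahost_output.host` is not defined the Jinja inline-if renders to an empty string and `ipaclient_password` ends up defined but empty; the guard at the end of the hunk only tests `ipaclient_password is undefined`, so a failed OTP retrieval no longer trips it and enrollment proceeds with an empty password. Tightening the guard to `when: (ipaclient_password | default('')) == '' and ipaclient_keytab is undefined and ipaclient_otp is undefined` catches both the undefined and the empty case. That same condition still references `ipaclient_otp`, which this hunk stops setting; if no other task or inventory variable provides it, that clause is now dead. The `set_fact` task also carries no `no_log: true`, so the one-time password is likely to appear in verbose task output; adding it keeps the enrollment secret out of logs. The enclosing `block:` starts in the previous hunk.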
-- 
GitLab