library/ipajoin.py: Fix principal usage with otp

With otp usage the user supplied principal may not be used for join.

library/ipajoin.py: Fix principal usage with otp
db12c095 · Thomas Woerner · 6a9bc0df · db12c095 · db12c095
Commit db12c095 authored 7 years ago by Thomas Woerner
--- a/library/ipajoin.py
+++ b/library/ipajoin.py
@@ -231,7 +231,7 @@ def main():
    options.ca_cert_file = ca_cert_file
    options.unattended = True
-    options.principal = principal
+    options.principal = principal if principal != "" else None
    options.force = False
    options.password = password

--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -55,7 +55,7 @@
 - name: Install - Check if one of password and keytab are set
  fail: msg="At least one of password or keytab must be specified"
-  when: ipaclient_password is undefined and ipaclient_keytab is undefined
+  when: ipaclient_password is undefined and ipaclient_keytab is undefined or ipaclient_password == "" or ipaclient_keytab == ""
 - name: Install - Join IPA
  ipajoin:
@@ -66,7 +66,7 @@
    basedn: "{{ ipadiscovery.basedn }}"
    hostname: "{{ ipadiscovery.hostname }}"
    force_join: "{{ ipaclient_force_join | default(omit) }}"
-    principal: "{{ ipaclient_principal | default(omit) }}"
+    principal: "{{ ipaclient_principal if not ipaclient_use_otp | bool else '' }}"
    password: "{{ ipaclient_password | default(omit) }}"
    keytab: "{{ ipaclient_keytab | default(omit) }}"
    #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"