From db12c0959a317085e49935f1c60cf75c05e0b1bd Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Fri, 15 Sep 2017 14:06:39 +0200
Subject: [PATCH] library/ipajoin.py: Fix principal usage with otp

With otp usage the user supplied principal may not be used for join.
---
 library/ipajoin.py                | 2 +-
 roles/ipaclient/tasks/install.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/ipajoin.py b/library/ipajoin.py
index efb72dda..1ae9ff1a 100644
--- a/library/ipajoin.py
+++ b/library/ipajoin.py
@@ -231,7 +231,7 @@ def main():
 
     options.ca_cert_file = ca_cert_file
     options.unattended = True
-    options.principal = principal
+    options.principal = principal if principal != "" else None
     options.force = False
     options.password = password
 
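Review bot: The new assignment to `options.principal` carries no comment explaining why an empty string is turned into `None`, and the reason is only visible in the role, which now passes `''` for OTP joins. I would add `# The role sends '' for OTP joins; treat it as "no principal" (None).` directly above the line. `options.principal = principal or None` would express the same mapping more briefly. main() starts and ends outside this hunk, so how `options.principal` is consumed later cannot be checked from here.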
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 2d148c36..9380c3dc 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -55,7 +55,7 @@
 
 - name: Install - Check if one of password and keytab are set
   fail: msg="At least one of password or keytab must be specified"
-  when: ipaclient_password is undefined and ipaclient_keytab is undefined
+  when: ipaclient_password is undefined and ipaclient_keytab is undefined or ipaclient_password == "" or ipaclient_keytab == ""
 
 - name: Install - Join IPA
   ipajoin:
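Review bot: The new `when:` aborts the play whenever either variable is an empty string, even if the other one holds a usable credential, which contradicts the message "At least one of password or keytab must be specified". Because `and` binds tighter than `or`, the expression reads as `(both undefined) or password == "" or keytab == ""`. When only one of the two is defined, comparing the other to `""` will probably raise an undefined-variable error, unless role defaults not shown here define both. A form that matches the message and tolerates undefined values is `when: (ipaclient_password | default('')) == '' and (ipaclient_keytab | default('')) == ''`.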
@@ -66,7 +66,7 @@
     basedn: "{{ ipadiscovery.basedn }}"
     hostname: "{{ ipadiscovery.hostname }}"
     force_join: "{{ ipaclient_force_join | default(omit) }}"
-    principal: "{{ ipaclient_principal | default(omit) }}"
+    principal: "{{ ipaclient_principal if not ipaclient_use_otp | bool else '' }}"
     password: "{{ ipaclient_password | default(omit) }}"
     keytab: "{{ ipaclient_keytab | default(omit) }}"
     #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
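Review bot: The new `principal:` line drops `default(omit)` from `ipaclient_principal` and reads `ipaclient_use_otp` without a default. A play that sets neither would therefore likely stop with an undefined-variable error instead of joining without a principal, unless role defaults outside this hunk define both. Keeping the fallback would look like `principal: "{{ (ipaclient_principal | default(omit)) if not (ipaclient_use_otp | default(false) | bool) else '' }}"`. The explicit parentheses also make it clear that `bool` applies to `ipaclient_use_otp` before `not`.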
-- 
GitLab