From 6181844c0ce62b8d7d35554032346396b20ad3c0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Nov 11 2016 11:17:25 +0000
Subject: use DM credentials to retrieve service keytab only in DLO

In DL0 directory manager password is bundled in the supplied replica file and the replica installer can use it to authenticate against master when retrieving service keytabs. In DL1, however, DM credentials are generated randomly and used during local DS instance creation. The proper DM password is imported by custodia much later to the process. We must not allow the installer to contact the remote master using this random password since it would fail.

https://fedorahosted.org/freeipa/ticket/6405

Reviewed-By: Stanislav Laznicka

---

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index da08dae..62bd499 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -167,6 +167,7 @@ class Service(object):
 self.api = api
 self.service_user = service_user
 self.dm_password = None # silence pylint
+ self.promote = False
 @property
 def admin_conn(self):
@@ -567,7 +568,7 @@ class Service(object):
 if ldap_uri.startswith("ldapi://") and os.geteuid() == 0:
 args.extend(["-Y", "EXTERNAL"])
- elif self.dm_password is not None:
+ elif self.dm_password is not None and not self.promote:
 args.extend(
 ['-D', 'cn=Directory Manager', '-w', self.dm_password])
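Review bot: The new `self.promote` attribute added in `__init__` is undocumented, and nothing in this hunk shows where it is ever set to True, so a reader of the constructor cannot tell what the flag means or which installer flips it; the commit message explains it, the code does not. I would put the rationale on the line itself, `self.promote = False  # True on replica promotion (DL1): dm_password is then a local throwaway value and must not be sent to a remote master`, and name the caller that sets it once that is known. `__init__` starts and ends outside the hunk.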
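Review bot: When `self.promote` is True and the URI is not a root ldapi connection, the changed `elif` now adds no authentication arguments at all and the hunk shows no `else` branch, so the command runs with whatever default authentication the tool picks (presumably the installer's existing credentials); that is the intended behaviour per the commit message, but a silent fallthrough in a credential-selection path should be explicit in the code. I would add a comment after the `elif` block, `# promotion (DL1): dm_password is a random local placeholder; fall through to the tool's default authentication against the remote master`, and consider a debug-level log of which branch was taken so a wrongly set promote flag is diagnosable from the install log. Separately, the unchanged `'-w', self.dm_password` still passes the DM password on the command line, which pre-dates this commit but is worth tracking. The enclosing method starts and ends outside the hunk.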