ipa-replica-install: password and admin-password options mutually exclusive

Currently it is possible to run ipa-replica-install in one step,
and provide --password and --admin-password simultaneously.
This is confusing as --password is intended for one-time pwd
when the ipa-replica-install command is delegated to a user
who doesn't know the admin password.

The fix makes --password and --admin-password options
mutually exclusive.

Fixes https://pagure.io/freeipa/issue/6353

Reviewed-By: Christian Heimes <[email protected]>

1 files changed, 4 insertions, 0 deletions

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 03d096d79..d3e28a1b2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -771,6 +771,10 @@ def promote_check(installer):
 
     client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
     if not client_fstore.has_files():
+        # One-step replica installation
+        if options.password and options.admin_password:
+            raise ScriptError("--password and --admin-password options are "
+                              "mutually exclusive")
         ensure_enrolled(installer)
     else:
         if (options.domain_name or options.server or options.realm_name or