#3373 Stopping OTP password reuse increases automated enrolment complexity
Closed: Invalid. Opened 11 years ago by shelltoesuperstar.

After migrating from IPA 2.1.3 to IPA 2.2.0 we have found that OTP password reuse has been disabled. Is there any way around this, as maintaining a system that can handle incrementing/changing values for the sole purpose of re-enrolling a server is cumbersome and excessively complex?


Making OTP reusable defeats the purpose of the OTP. It becomes just another password. If you want this you can create an account in IPA, limit its privileges to just host enrolment and use the password associated with this account to re-provision systems. Would that solve the problem for you?

Also if you can preserve a PKI pair or a host keytab from the original host we can probably (in future) add a method that would allow a system to re-enrol itself again using an already existing cert or keytab. But that would require some more thinking and definitely some work. Not something we would be able to implement quickly. The approach above is your best option for the time being.
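The workaround suggested above (a dedicated account limited to host enrolment, used in place of a reusable OTP) as an added example; this is not code from the ticket or from the FreeIPA project. It assumes the built-in "Enrollment Administrator" role exists in the deployment, that an administrator ticket (`kinit admin`) is held when the first two functions run, and that `ipa user-add --password` accepts the password and its confirmation on stdin. The account name `host-enroller` is a constructed placeholder, and the `IPA_CMD` / `IPA_CLIENT_INSTALL` variables only exist so the commands can be swapped for stubs when testing.

```shell
#!/bin/sh
# Added example: replace a reusable one-time password with a low-privilege
# enrolment account. Not part of the ticket or of FreeIPA itself.
set -eu

# Command indirection (assumption of this example): lets a test substitute
# stub functions for the real binaries.
IPA_CMD="${IPA_CMD:-ipa}"
IPA_CLIENT_INSTALL="${IPA_CLIENT_INSTALL:-ipa-client-install}"

# Create the service-style user. "ipa user-add --password" prompts for the
# password and a confirmation, so both are supplied on stdin (assumption).
# Run with an admin ticket.
create_enrollment_account() {
    user="$1"
    password="$2"
    printf '%s\n%s\n' "$password" "$password" |
        "$IPA_CMD" user-add "$user" --first=Host --last=Enroller --password
}

# Restrict the account to host enrolment only. It is added to a single role
# and to no groups, so a leaked enrolment password cannot be used to read or
# change user entries or other host attributes. Role name is an assumption
# (FreeIPA ships a role of this name; verify with "ipa role-show").
grant_enrollment_role() {
    user="$1"
    role="$2"
    "$IPA_CMD" role-add-member "$role" --users="$user"
}

# Run on the client being (re)provisioned: enrol with the account's
# credentials instead of an OTP. Pre-creating the host entry ("ipa host-add")
# is left to the provisioning system. The password passed on the command
# line is visible in the client's process table for the duration of the
# install; keep the account's privileges minimal for that reason as well.
enroll_host_with_account() {
    user="$1"
    password="$2"
    "$IPA_CLIENT_INSTALL" --unattended --principal="$user" --password="$password"
}
```

Intended order: `create_enrollment_account`, then `grant_enrollment_role`, both with an admin ticket; then `enroll_host_with_account` on each client. FreeIPA expires a password set by an administrator at first use, so change it once (a `kinit` as the new user will prompt for the change) before handing the final value to the provisioning system. The password is still a static, reusable secret, which is exactly the trade-off the maintainer describes; what this setup buys over a reusable OTP is that the secret can only enrol hosts, and it can be rotated or disabled in one place with `ipa user-disable`.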

See proposed solution in ticket #3374.

No clone. Alternate solution in #3374.

Metadata Update from @shelltoesuperstar:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 3.2 - 2013/01

7 years ago
