From 4f117df6ec3e2a6bb1b14f5e36c6f758fa578d08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20R=C3=BCetschi?= <tr@brief.li>
Date: Thu, 2 Feb 2017 20:10:32 +0100
Subject: [PATCH] univention udm_user: add parameter to control password update
 (#20699)

* univention udm_user: added support to set the password always

* module udm_user: added version 2.3 to update_password
---
 lib/ansible/modules/cloud/univention/udm_user.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/ansible/modules/cloud/univention/udm_user.py b/lib/ansible/modules/cloud/univention/udm_user.py
index ac2d8acb11..dcebf50082 100644
--- a/lib/ansible/modules/cloud/univention/udm_user.py
+++ b/lib/ansible/modules/cloud/univention/udm_user.py
@@ -304,6 +304,13 @@ options:
         description:
             - "Define the whole position of users object inside the LDAP tree,
                e.g. C(cn=employee,cn=users,ou=school,dc=example,dc=com)."
+    update_password:
+        required: false
+        default: always
+        description:
+            - "C(always) will update passwords if they differ.
+               C(on_create) will only set the password for newly created users."
+        version_added: "2.3"
     ou:
         required: false
         default: ''
@@ -466,6 +473,9 @@ def main():
                                            type='str'),
             position                = dict(default='',
                                            type='str'),
+            update_password         = dict(default='always',
+                                           choices=['always', 'on_create'],
+                                           type='str'),
             ou                      = dict(default='',
                                            type='str'),
             subpath                 = dict(default='cn=users',
@@ -530,7 +540,7 @@ def main():
             password = module.params['password']
             if obj['password'] is None:
                 obj['password'] = password
-            else:
+            if module.params['update_password'] == 'always':
                 old_password = obj['password'].split('}', 2)[1]
                 if crypt.crypt(password, old_password) != old_password:
                     obj['overridePWHistory'] = module.params['overridePWHistory']