1 files changed, 12 insertions, 20 deletions

diff --git a/src/lib/Bcfg2/Server/Plugins/Metadata.py b/src/lib/Bcfg2/Server/Plugins/Metadata.py
index df98e6ea8..bd02739d5 100644
--- a/src/lib/Bcfg2/Server/Plugins/Metadata.py
+++ b/src/lib/Bcfg2/Server/Plugins/Metadata.py
@@ -677,8 +677,7 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
                     self.raddresses[clname] = set()
                 self.raddresses[clname].add(caddr)
             if 'auth' in client.attrib:
-                self.auth[client.get('name')] = client.get('auth',
-                                                           'cert+password')
+                self.auth[client.get('name')] = client.get('auth')
             if 'uuid' in client.attrib:
                 self.uuid[client.get('uuid')] = clname
             if client.get('secure', 'false').lower() == 'true':
@@ -1192,7 +1191,8 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
             # look at cert.cN
             client = certinfo['commonName']
             self.debug_log("Got cN %s; using as client name" % client)
-            auth_type = self.auth.get(client, 'cert+password')
+            auth_type = self.auth.get(client,
+                                      self.core.setup['authentication'])
         elif user == 'root':
             id_method = 'address'
             try:
@@ -1215,12 +1215,8 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
         self.debug_log("Authenticating client %s" % client)
 
         # next we validate the address
-        if id_method == 'uuid':
-            addr_is_valid = True
-        else:
-            addr_is_valid = self.validate_client_address(client, address)
-
-        if not addr_is_valid:
+        if (id_method != 'uuid' and
+            not self.validate_client_address(client, address)):
             return False
 
         if id_method == 'cert' and auth_type != 'cert+password':
@@ -1230,23 +1226,19 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
             # we are done if cert+password not required
             return True
 
-        if client not in self.passwords:
-            if client in self.secure:
-                self.logger.error("Client %s in secure mode but has no "
-                                  "password" % address[0])
-                return False
-            if password != self.password:
-                self.logger.error("Client %s used incorrect global password" %
-                                  address[0])
-                return False
+        if client not in self.passwords and client in self.secure:
+            self.logger.error("Client %s in secure mode but has no password" %
+                              address[0])
+            return False
+
         if client not in self.secure:
             if client in self.passwords:
                 plist = [self.password, self.passwords[client]]
             else:
                 plist = [self.password]
             if password not in plist:
-                self.logger.error("Client %s failed to use either allowed "
-                                  "password" % address[0])
+                self.logger.error("Client %s failed to use an allowed password"
+                                  % address[0])
                 return False
         else:
             # client in secure mode and has a client password