URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: synchronized
From 1869c6ee53550fb6b8dbf8618ae0f47eba7c6b20 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 22 Mar 2017 17:10:56 +0100
Subject: [PATCH 1/3] Fix the order of cert-files check

Without this patch, if either of dirsrv_cert_files, http_cert_files or pkinit_cert_files is set along with no-pkinit, the user is first requested to add the remaining options and when they do that, they are told that they are using 'no-pkinit' along with 'pkinit-cert-file'. https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 14f1ec4..117f51c 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -340,16 +340,16 @@ def __init__(self, **kwargs):
         cert_file_opt = (self.pkinit_cert_files,)
         if not self.no_pkinit:
             cert_file_req += cert_file_opt
-        if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
-            raise RuntimeError(
-                "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
-                "or --no-pkinit are required if any key file options are used."
-            )
         if self.no_pkinit and self.pkinit_cert_files:
             raise RuntimeError(
                 "--no-pkinit and --pkinit-cert-file cannot be specified "
                 "together"
             )
+        if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+            raise RuntimeError(
+                "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+                "or --no-pkinit are required if any key file options are used."
+            )
 
         if not self.interactive:
             if self.dirsrv_cert_files and self.dirsrv_pin is None:

From 93628f3b744dfb42988b07020dad42cac76e0cd4 Mon Sep 17 00:00:00 2001
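Review bot: The conflict check that now runs first, `if self.no_pkinit and self.pkinit_cert_files:`, still looks only at the certificate files, so `--no-pkinit` given together with `--pkinit-pin` passes both checks silently unless the pin is rejected somewhere else in this `__init__`, which continues past the hunk. The DL0 guard added in the second patch of this series treats `pkinit_pin` as a pkinit-related option, so the same treatment here would be consistent: `if self.no_pkinit and (self.pkinit_cert_files or self.pkinit_pin is not None):` with the error message widened to name `--pkinit-pin` as well. Since the whole point of this reordering is which error the user sees first, a short comment above the moved block would keep a later tidy-up from undoing it, e.g. `# Report the --no-pkinit/--pkinit-cert-file conflict before the completeness check, otherwise the user is first told to add --pkinit-cert-file.`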
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH 2/3] Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0, remove options that allow to set it from ipa-{server,replica}-install. https://pagure.io/freeipa/issue/6801
---
 install/tools/man/ipa-replica-install.1 | 2 +-
 install/tools/man/ipa-server-install.1 | 2 +-
 ipaserver/install/server/__init__.py | 8 ++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index d63912c..7d24132 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@
 Install and configure a CA on this replica. If a CA is not configured then certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index c48bdae..d5d28df 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c..aac2236 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -335,6 +335,14 @@ def dirsrv_config_file(self, value):
     def __init__(self, **kwargs):
         super(ServerInstallInterface, self).__init__(**kwargs)
 
+        if self.domain_level == constants.DOMAIN_LEVEL_0:
+            if (self.no_pkinit or self.pkinit_cert_files is not None or
+                    self.pkinit_pin is not None):
+                raise RuntimeError(
+                    "pkinit on domain level 0 is not supported. Please don't "
+                    "use any pkinit-related options.")
+            self.no_pkinit = True
+
         # If any of the key file options are selected, all are required.
         cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
         cert_file_opt = (self.pkinit_cert_files,)

From 8bcbe0526fd5160bb0a20c88e8b590f138e357cb Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 24 Mar 2017 12:29:53 +0100
Subject: [PATCH 3/3] replica-prepare man: remove pkinit option refs

Remove the references to the pkinit options which was forgotten about in 46d4d534c0 https://pagure.io/freeipa/issue/6801
---
 install/tools/man/ipa-replica-prepare.1 | 12 ------------
 1 file changed, 12 deletions(-)
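Review bot: Passing `--no-pkinit` explicitly on domain level 0 is rejected by the new guard (`if (self.no_pkinit or ...)`) even though the man page changes in this same patch describe it as "the default and only allowed behavior on domain level 0", so an invocation that was accepted before, and that asks for exactly what the code then sets itself with `self.no_pkinit = True`, now fails. Dropping `self.no_pkinit` from the condition and rejecting only `pkinit_cert_files` and `pkinit_pin` would match the documented contract; if the intent really is to retire the flag on DL0, the man pages should say it is rejected there rather than that it is the default. It is also worth confirming that `self.domain_level` already reflects the effective level for a replica install at this point in `__init__`; if for the replica path the level is only resolved later from the master, the guard would not fire for the ipa-replica-install case named in the PR title. A one-line comment on the guard, e.g. `# DL0 has no pkinit support, so refuse the options and force it off.`, would make the forced assignment self-explanatory. `__init__` continues beyond the hunk.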
diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
index 2063657..afc5408 100644
--- a/install/tools/man/ipa-replica-prepare.1
+++ b/install/tools/man/ipa-replica-prepare.1
@@ -43,27 +43,18 @@ File containing the Directory Server SSL certificate and private key. The files
 \fB\-\-http\-cert\-file\fR=\fIFILE\fR
 File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
 .TP
-\fB\-\-pkinit\-cert\-file\fR=\fIFILE\fR
-File containing the Kerberos KDC SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
-.TP
 \fB\-\-dirsrv\-pin\fR=\fIPIN\fR
 The password to unlock the Directory Server private key
 .TP
 \fB\-\-http\-pin\fR=\fIPIN\fR
 The password to unlock the Apache Server private key
 .TP
-\fB\-\-pkinit\-pin\fR=\fIPIN\fR
-The password to unlock the Kerberos KDC private key
-.TP
 \fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
 Name of the Directory Server SSL certificate to install
 .TP
 \fB\-\-http\-cert\-name\fR=\fINAME\fR
 Name of the Apache Server SSL certificate to install
 .TP
-\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR
-Name of the Kerberos KDC SSL certificate to install
-.TP
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
 .TP
@@ -81,9 +72,6 @@ Do not create reverse DNS zone
 \fB\-\-ca\fR=\fICA_FILE\fR
 Location of CA PKCS#12 file, default /root/cacert.p12
 .TP
-\fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
-.TP
 \fB\-\-debug\fR
 Prints info log messages to the output
 .SH "EXIT STATUS"