2016-11-03 403b09ab980c02ef36095973349a13e0181c794a
From 4651261af43a311d23efa759e61143a6413c5dc5 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Fri, 5 Sep 2014 11:24:27 +0200
Subject: [PATCH] Hide pkinit functionality from production version
 
Rebased from original patch from Jan Zeleny and Rob Crittenden.
 
https://fedorahosted.org/freeipa/ticket/616
---
 ipaserver/install/ipa_replica_prepare.py   | 21 ++++-----------------
 ipaserver/install/server/common.py         | 30 ++++++++----------------------
 ipaserver/install/server/install.py        | 11 -----------
 ipaserver/install/server/replicainstall.py |  1 -
 4 files changed, 12 insertions(+), 51 deletions(-)
 
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 80813086c6a7212bdb6ef9d54202b28808b80076..9ba536163bf5c2882d8fc593457dab78a08e849a 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -85,9 +85,6 @@ class ReplicaPrepare(admintool.AdminTool):
         parser.add_option("--allow-zone-overlap", dest="allow_zone_overlap",
             action="store_true", default=False, help="create DNS "
             "zone even if it already exists")
-        parser.add_option("--no-pkinit", dest="setup_pkinit",
-            action="store_false", default=True,
-            help="disables pkinit setup steps")
         parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
             metavar="FILE",
             help="location of CA PKCS#12 file, default /root/cacert.p12")
@@ -109,12 +106,6 @@ class ReplicaPrepare(admintool.AdminTool):
         group.add_option("--http_pkcs12", dest="http_cert_files",
             action="append",
             help=SUPPRESS_HELP)
-        group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
-            action="append", metavar="FILE",
-            help="File containing the Kerberos KDC SSL certificate and private key")
-        group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
-            action="append",
-            help=SUPPRESS_HELP)
         group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
             metavar="PIN",
             help="The password to unlock the Directory Server private key")
@@ -125,20 +116,12 @@ class ReplicaPrepare(admintool.AdminTool):
             help="The password to unlock the Apache Server private key")
         group.add_option("--http_pin", dest="http_pin", sensitive=True,
             help=SUPPRESS_HELP)
-        group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
-            metavar="PIN",
-            help="The password to unlock the Kerberos KDC private key")
-        group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
-            help=SUPPRESS_HELP)
         group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
             metavar="NAME",
             help="Name of the Directory Server SSL certificate to install")
         group.add_option("--http-cert-name", dest="http_cert_name",
             metavar="NAME",
             help="Name of the Apache Server SSL certificate to install")
-        group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
-            metavar="NAME",
-            help="Name of the Kerberos KDC SSL certificate to install")
         parser.add_option_group(group)
 
     def validate_options(self):
@@ -158,7 +141,11 @@ class ReplicaPrepare(admintool.AdminTool):
                 "option together with --no-reverse")
 
         #Automatically disable pkinit w/ dogtag until that is supported
+        # pkinit is disabled in production version
         options.setup_pkinit = False
+        options.pkinit_cert_files = None
+        options.pkinit_pin = None
+        options.pkinit_cert_name = None
 
         # If any of the PKCS#12 options are selected, all are required.
         cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
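Review bot: The pre-existing comment `#Automatically disable pkinit w/ dogtag until that is supported` directly above the new `# pkinit is disabled in production version` now gives a second, different reason for the same `options.setup_pkinit = False`, so a reader is left with two explanations for one line; drop the old comment or fold both into one, e.g. `# pkinit is hidden in the production version (and not yet supported with dogtag): force every pkinit option off`. The three new `None` assignments are presumably needed because the `--pkinit-*` options were removed from the parser in the earlier hunks of this file while later code still reads these attributes; a short comment stating that would make the intent explicit. validate_options continues outside the hunk.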
diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
index e6093d15cd1067a83ed89945c4a9c983c66ec06f..a64a0938f3829ce58e22b5b9043373aa7eb7dfe2 100644
--- a/ipaserver/install/server/common.py
+++ b/ipaserver/install/server/common.py
@@ -72,13 +72,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         cli_metavar='FILE',
     )
 
-    pkinit_cert_files = Knob(
-        (list, str), None,
-        description=("File containing the Kerberos KDC SSL certificate and "
-                     "private key"),
-        cli_name='pkinit-cert-file',
-        cli_metavar='FILE',
-    )
+    pkinit_cert_files = None
 
     dirsrv_pin = Knob(
         str, None,
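Review bot: `pkinit_cert_files = None` replaces a Knob with a bare class attribute and gives no hint why the name is kept at all instead of being deleted; the same applies to `pkinit_pin = None`, `pkinit_cert_name = None` and `no_pkinit = False` in the next three hunks of this file. A one-line comment on each, such as `# pkinit is hidden in the production version; kept as a plain attribute so code that reads it keeps working`, would stop the next maintainer from re-promoting them to Knobs. Whether any caller still reads these attributes is not visible in the hunk, so the wording should be confirmed against the callers.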
@@ -94,12 +88,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         cli_metavar='PIN',
     )
 
-    pkinit_pin = Knob(
-        str, None,
-        sensitive=True,
-        description="The password to unlock the Kerberos KDC private key",
-        cli_metavar='PIN',
-    )
+    pkinit_pin = None
 
     dirsrv_cert_name = Knob(
         str, None,
@@ -113,11 +102,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         cli_metavar='NAME',
     )
 
-    pkinit_cert_name = Knob(
-        str, None,
-        description="Name of the Kerberos KDC SSL certificate to install",
-        cli_metavar='NAME',
-    )
+    pkinit_cert_name = None
 
     ca_cert_files = Knob(
         (list, str), None,
@@ -341,10 +326,7 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
         cli_short_name='N',
     )
 
-    no_pkinit = Knob(
-        bool, False,
-        description="disables pkinit setup steps",
-    )
+    no_pkinit = False
 
     no_ui_redirect = Knob(
         bool, False,
@@ -384,6 +366,10 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
         if not os.path.exists(value):
             raise ValueError("File %s does not exist." % value)
 
+    pkinit_cert_files = None
+    pkinit_pin = None
+    pkinit_cert_name = None
+    no_pkinit = False
 
     def __init__(self, **kwargs):
         super(BaseServer, self).__init__(**kwargs)
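Review bot: `no_pkinit = False` in the added block is a second definition of the same class attribute: the hunk at `@@ -341,10 +326,7 @@` above already sets `no_pkinit = False` in `BaseServer`, so this line is redundant. Drop `no_pkinit = False` from this block (or the earlier one) so there is a single place to look when the setting is revisited. The three `pkinit_*` attributes added here to `BaseServer` mirror the ones set to `None` in `BaseServerCA` earlier in this file; if both classes genuinely need them, a comment saying which code reads them from `BaseServer` would help, since that is not visible in the hunk.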
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b33b0243d4d909a561b59d93f0014c390146b333..c292c4d24bfde1484769698ee2a7ef59a6fcc52c 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1169,11 +1169,6 @@ class ServerCA(BaseServerCA):
         cli_aliases=['http_pkcs12'],
     )
 
-    pkinit_cert_files = Knob(
-        BaseServerCA.pkinit_cert_files,
-        cli_aliases=['pkinit_pkcs12'],
-    )
-
     dirsrv_pin = Knob(
         BaseServerCA.dirsrv_pin,
         cli_aliases=['dirsrv_pin'],
@@ -1184,14 +1179,8 @@ class ServerCA(BaseServerCA):
         cli_aliases=['http_pin'],
     )
 
-    pkinit_pin = Knob(
-        BaseServerCA.pkinit_pin,
-        cli_aliases=['pkinit_pin'],
-    )
-
     dirsrv_cert_name = Knob(BaseServerCA.dirsrv_cert_name)
     http_cert_name = Knob(BaseServerCA.http_cert_name)
-    pkinit_cert_name = Knob(BaseServerCA.pkinit_cert_name)
     ca_cert_files = Knob(BaseServerCA.ca_cert_files)
     subject = Knob(BaseServerCA.subject)
     ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f54ff7da06c57b9c8251429cbdacc5c300805f84..7695adf0d537237b24660e8871011f04f242e744 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1587,7 +1587,6 @@ class Replica(BaseServer):
     mkhomedir = Knob(BaseServer.mkhomedir)
     no_host_dns = Knob(BaseServer.no_host_dns)
     no_ntp = Knob(BaseServer.no_ntp)
-    no_pkinit = Knob(BaseServer.no_pkinit)
     no_ui_redirect = Knob(BaseServer.no_ui_redirect)
     ssh_trust_dns = Knob(BaseServer.ssh_trust_dns)
     no_ssh = Knob(BaseServer.no_ssh)
-- 
2.9.3