From 7b9f8b3ba5c2768879906227e4f526b2675337ea Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 22 May 2013 09:38:50 +0200
Subject: [PATCH 1001/1006] Hide pkinit functionality from production version
|
Rebased from original patch from Jan Zeleny and Rob Crittenden.
|
https://fedorahosted.org/freeipa/ticket/616
---
install/tools/ipa-replica-install | 5 +++--
install/tools/ipa-server-install | 10 ++++------
ipaserver/install/ipa_replica_prepare.py | 11 +++--------
3 files changed, 10 insertions(+), 16 deletions(-)
|
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659447065aa 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -96,8 +96,6 @@ def parse_options():
parser.add_option_group(basic_group)
|
cert_group = OptionGroup(parser, "certificate system options")
- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
- default=True, help="disables pkinit setup steps")
cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option_group(cert_group)
@@ -122,6 +120,9 @@ def parse_options():
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
|
+ # pkinit is disabled in production version
+ options.setup_pkinit = False
+
if len(args) != 1:
parser.error("you must provide a file generated by ipa-replica-prepare")
|
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -173,20 +173,14 @@ def parse_options():
help="PEM file containing a certificate signed by the external CA")
cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
help="PEM file containing the external CA chain")
- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
- default=True, help="disables pkinit setup steps")
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
help="PKCS#12 file containing the Directory Server SSL certificate")
cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
help="PKCS#12 file containing the Apache Server SSL certificate")
- cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
- help="PKCS#12 file containing the Kerberos KDC SSL certificate")
cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
help="The password of the Directory Server PKCS#12 file")
cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
help="The password of the Apache Server PKCS#12 file")
- cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
- help="The password of the Kerberos KDC PKCS#12 file")
cert_group.add_option("--root-ca-file", dest="root_ca_file",
help="PEM file with root CA certificate(s) to trust")
cert_group.add_option("--subject", action="callback", callback=subject_callback,
@@ -236,6 +230,10 @@ def parse_options():
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
|
+ # pkinit is disabled in production version
+ options.pkinit_pin = False
+ options.pkinit_pkcs12 = False
+
if options.dm_password is not None:
try:
validate_dm_password(options.dm_password)
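Review bot: This block forces `options.pkinit_pin` and `options.pkinit_pkcs12` to False but never sets `options.setup_pkinit = False`, although the first hunk of this file removes the `--no-pkinit` option whose `dest="setup_pkinit", default=True` was the only visible definition of that attribute, and the parallel blocks added to ipa-replica-install and ipa_replica_prepare.py do force it. Depending on what else survives in the file, the later pkinit code path either raises AttributeError on `options.setup_pkinit` or still runs with pkinit enabled, which is the opposite of what the commit intends; add `options.setup_pkinit = False` beside the two existing assignments. Separately, the removed `--pkinit_pkcs12`/`--pkinit_pin` options presumably defaulted to None (optparse's default for an omitted option), so forcing False rather than None changes what any `is None` check downstream sees; the same applies to the assignments added in ipa_replica_prepare.py. parse_options continues outside the hunk.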
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b17683f51 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -57,9 +57,6 @@ def add_options(cls, parser):
parser.add_option("--no-reverse", dest="no_reverse",
action="store_true", default=False,
help="do not create reverse DNS zone")
- parser.add_option("--no-pkinit", dest="setup_pkinit",
- action="store_false", default=True,
- help="disables pkinit setup steps")
parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
metavar="FILE",
help="location of CA PKCS#12 file, default /root/cacert.p12")
@@ -72,15 +69,10 @@ def add_options(cls, parser):
group.add_option("--http_pkcs12", dest="http_pkcs12",
metavar="FILE",
help="install certificate for the http server")
- group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
- metavar="FILE",
- help="install certificate for the KDC")
group.add_option("--dirsrv_pin", dest="dirsrv_pin", metavar="PIN",
help="PIN for the Directory Server PKCS#12 file")
group.add_option("--http_pin", dest="http_pin", metavar="PIN",
help="PIN for the Apache Server PKCS#12 file")
- group.add_option("--pkinit_pin", dest="pkinit_pin", metavar="PIN",
- help="PIN for the KDC pkinit PKCS#12 file")
parser.add_option_group(group)
|
def validate_options(self):
@@ -100,7 +92,10 @@ def validate_options(self):
"option together with --no-reverse")
|
#Automatically disable pkinit w/ dogtag until that is supported
+ # pkinit is disabled in production version
options.setup_pkinit = False
+ options.pkinit_pin = False
+ options.pkinit_pkcs12 = False
|
# If any of the PKCS#12 options are selected, all are required.
pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
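Review bot: The added `# pkinit is disabled in production version` sits directly under the pre-existing `#Automatically disable pkinit w/ dogtag until that is supported`, so the unchanged `options.setup_pkinit = False` now carries two different and partly contradictory rationales (a temporary dogtag limitation versus a deliberate product decision), and a reader cannot tell which one still holds. Keep a single comment that states the current reason and points at the ticket, e.g. `# pkinit is disabled in production version (https://fedorahosted.org/freeipa/ticket/616)`, and drop the dogtag line. validate_options continues outside the hunk.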
--
1.8.3.1