From 403b09ab980c02ef36095973349a13e0181c794a Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Thu, 03 Nov 2016 06:01:28 +0000
Subject: [PATCH] import ipa-4.4.0-12.el7

---
 SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch |  172 +++++++++++++++++++++++++++++++++++++++-----------------
 1 files changed, 119 insertions(+), 53 deletions(-)

diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
index 6cb68b1..949554b 100644
--- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
+++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -1,4 +1,4 @@
-From b30152e2225fed9a991423c35506f3aa62b38350 Mon Sep 17 00:00:00 2001
+From 4651261af43a311d23efa759e61143a6413c5dc5 Mon Sep 17 00:00:00 2001
 From: Martin Kosek <mkosek@redhat.com>
 Date: Fri, 5 Sep 2014 11:24:27 +0200
 Subject: [PATCH] Hide pkinit functionality from production version
@@ -7,26 +7,27 @@
 
 https://fedorahosted.org/freeipa/ticket/616
 ---
- ipaserver/install/ipa_replica_prepare.py   | 20 +++-----------------
- ipaserver/install/server/install.py        |  4 ++++
- ipaserver/install/server/replicainstall.py |  1 +
- 3 files changed, 8 insertions(+), 17 deletions(-)
+ ipaserver/install/ipa_replica_prepare.py   | 21 ++++-----------------
+ ipaserver/install/server/common.py         | 30 ++++++++----------------------
+ ipaserver/install/server/install.py        | 11 -----------
+ ipaserver/install/server/replicainstall.py |  1 -
+ 4 files changed, 12 insertions(+), 51 deletions(-)
 
 diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
-index b9ae60e9bc9d40be5f86e312980846b2ad80f67d..62cc8368abd999bec07154dc2c715431ff0c3b1a 100644
+index 80813086c6a7212bdb6ef9d54202b28808b80076..9ba536163bf5c2882d8fc593457dab78a08e849a 100644
 --- a/ipaserver/install/ipa_replica_prepare.py
 +++ b/ipaserver/install/ipa_replica_prepare.py
-@@ -65,9 +65,6 @@ class ReplicaPrepare(admintool.AdminTool):
-         parser.add_option("--no-reverse", dest="no_reverse",
-             action="store_true", default=False,
-             help="do not create reverse DNS zone")
+@@ -85,9 +85,6 @@ class ReplicaPrepare(admintool.AdminTool):
+         parser.add_option("--allow-zone-overlap", dest="allow_zone_overlap",
+             action="store_true", default=False, help="create DNS "
+             "zone even if it already exists")
 -        parser.add_option("--no-pkinit", dest="setup_pkinit",
 -            action="store_false", default=True,
 -            help="disables pkinit setup steps")
          parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
              metavar="FILE",
              help="location of CA PKCS#12 file, default /root/cacert.p12")
-@@ -89,12 +86,6 @@ class ReplicaPrepare(admintool.AdminTool):
+@@ -109,12 +106,6 @@ class ReplicaPrepare(admintool.AdminTool):
          group.add_option("--http_pkcs12", dest="http_cert_files",
              action="append",
              help=SUPPRESS_HELP)
@@ -39,7 +40,7 @@
          group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
              metavar="PIN",
              help="The password to unlock the Directory Server private key")
-@@ -105,20 +96,12 @@ class ReplicaPrepare(admintool.AdminTool):
+@@ -125,20 +116,12 @@ class ReplicaPrepare(admintool.AdminTool):
              help="The password to unlock the Apache Server private key")
          group.add_option("--http_pin", dest="http_pin", sensitive=True,
              help=SUPPRESS_HELP)
@@ -60,65 +61,130 @@
          parser.add_option_group(group)
  
      def validate_options(self):
-@@ -138,7 +121,10 @@ class ReplicaPrepare(admintool.AdminTool):
+@@ -158,7 +141,11 @@ class ReplicaPrepare(admintool.AdminTool):
                  "option together with --no-reverse")
  
          #Automatically disable pkinit w/ dogtag until that is supported
 +        # pkinit is disabled in production version
          options.setup_pkinit = False
-+        options.pkinit_pin = False
-+        options.pkinit_cert_files = False
++        options.pkinit_cert_files = None
++        options.pkinit_pin = None
++        options.pkinit_cert_name = None
  
          # If any of the PKCS#12 options are selected, all are required.
          cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
-diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index 01dffd08d4c929ebc5ecb6e6b0a8b685c1320dbd..a2a22c6334edf442e07ff3a1b4b9b309de2bc8a5 100644
---- a/ipaserver/install/server/install.py
-+++ b/ipaserver/install/server/install.py
-@@ -1172,6 +1172,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
- 
-     no_pkinit = Knob(
-         bool, False,
-+        initializable=False,
-         description="disables pkinit setup steps",
+diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
+index e6093d15cd1067a83ed89945c4a9c983c66ec06f..a64a0938f3829ce58e22b5b9043373aa7eb7dfe2 100644
+--- a/ipaserver/install/server/common.py
++++ b/ipaserver/install/server/common.py
+@@ -72,13 +72,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
+         cli_metavar='FILE',
      )
  
-@@ -1195,6 +1196,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
+-    pkinit_cert_files = Knob(
+-        (list, str), None,
+-        description=("File containing the Kerberos KDC SSL certificate and "
+-                     "private key"),
+-        cli_name='pkinit-cert-file',
+-        cli_metavar='FILE',
+-    )
++    pkinit_cert_files = None
  
-     pkinit_cert_files = Knob(
-         (list, str), None,
-+        initializable=False,
-         description=("File containing the Kerberos KDC SSL certificate and "
-                      "private key"),
-         cli_name='pkinit-cert-file',
-@@ -1220,6 +1222,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
- 
-     pkinit_pin = Knob(
+     dirsrv_pin = Knob(
          str, None,
-+        initializable=False,
-         sensitive=True,
-         description="The password to unlock the Kerberos KDC private key",
-         cli_aliases=['pkinit_pin'],
-@@ -1240,6 +1243,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
+@@ -94,12 +88,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
+         cli_metavar='PIN',
+     )
  
-     pkinit_cert_name = Knob(
+-    pkinit_pin = Knob(
+-        str, None,
+-        sensitive=True,
+-        description="The password to unlock the Kerberos KDC private key",
+-        cli_metavar='PIN',
+-    )
++    pkinit_pin = None
+ 
+     dirsrv_cert_name = Knob(
          str, None,
-+        initializable=False,
-         description="Name of the Kerberos KDC SSL certificate to install",
+@@ -113,11 +102,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
          cli_metavar='NAME',
      )
-diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 2ab95add90d33eb191d4e75b62cb4eceac40551b..b000e8ce84df3cb2a6bc90520cb4713ab416f4da 100644
---- a/ipaserver/install/server/replicainstall.py
-+++ b/ipaserver/install/server/replicainstall.py
-@@ -690,6 +690,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
  
-     no_pkinit = Knob(
-         bool, False,
-+        initializable=False,
-         description="disables pkinit setup steps",
+-    pkinit_cert_name = Knob(
+-        str, None,
+-        description="Name of the Kerberos KDC SSL certificate to install",
+-        cli_metavar='NAME',
+-    )
++    pkinit_cert_name = None
+ 
+     ca_cert_files = Knob(
+         (list, str), None,
+@@ -341,10 +326,7 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
+         cli_short_name='N',
      )
  
+-    no_pkinit = Knob(
+-        bool, False,
+-        description="disables pkinit setup steps",
+-    )
++    no_pkinit = False
+ 
+     no_ui_redirect = Knob(
+         bool, False,
+@@ -384,6 +366,10 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
+         if not os.path.exists(value):
+             raise ValueError("File %s does not exist." % value)
+ 
++    pkinit_cert_files = None
++    pkinit_pin = None
++    pkinit_cert_name = None
++    no_pkinit = False
+ 
+     def __init__(self, **kwargs):
+         super(BaseServer, self).__init__(**kwargs)
+diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
+index b33b0243d4d909a561b59d93f0014c390146b333..c292c4d24bfde1484769698ee2a7ef59a6fcc52c 100644
+--- a/ipaserver/install/server/install.py
++++ b/ipaserver/install/server/install.py
+@@ -1169,11 +1169,6 @@ class ServerCA(BaseServerCA):
+         cli_aliases=['http_pkcs12'],
+     )
+ 
+-    pkinit_cert_files = Knob(
+-        BaseServerCA.pkinit_cert_files,
+-        cli_aliases=['pkinit_pkcs12'],
+-    )
+-
+     dirsrv_pin = Knob(
+         BaseServerCA.dirsrv_pin,
+         cli_aliases=['dirsrv_pin'],
+@@ -1184,14 +1179,8 @@ class ServerCA(BaseServerCA):
+         cli_aliases=['http_pin'],
+     )
+ 
+-    pkinit_pin = Knob(
+-        BaseServerCA.pkinit_pin,
+-        cli_aliases=['pkinit_pin'],
+-    )
+-
+     dirsrv_cert_name = Knob(BaseServerCA.dirsrv_cert_name)
+     http_cert_name = Knob(BaseServerCA.http_cert_name)
+-    pkinit_cert_name = Knob(BaseServerCA.pkinit_cert_name)
+     ca_cert_files = Knob(BaseServerCA.ca_cert_files)
+     subject = Knob(BaseServerCA.subject)
+     ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm)
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index f54ff7da06c57b9c8251429cbdacc5c300805f84..7695adf0d537237b24660e8871011f04f242e744 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -1587,7 +1587,6 @@ class Replica(BaseServer):
+     mkhomedir = Knob(BaseServer.mkhomedir)
+     no_host_dns = Knob(BaseServer.no_host_dns)
+     no_ntp = Knob(BaseServer.no_ntp)
+-    no_pkinit = Knob(BaseServer.no_pkinit)
+     no_ui_redirect = Knob(BaseServer.no_ui_redirect)
+     ssh_trust_dns = Knob(BaseServer.ssh_trust_dns)
+     no_ssh = Knob(BaseServer.no_ssh)
 -- 
-2.5.0
+2.9.3
 
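Review bot: In the common.py section of the embedded patch, the block added to `BaseServer` just before `__init__` assigns `no_pkinit = False` a second time, although the earlier `BaseServer` hunk already replaces the Knob with the same plain attribute. The later assignment silently wins, so a future rebase that touches only one of the two could change behaviour without anyone noticing. I would drop the duplicate line and mark the remaining definitions with one comment, for example `# pkinit is disabled in production version; intentionally a constant, not a Knob`. The three `pkinit_*` attributes are likewise defined on both `BaseServerCA` and `BaseServer`; whether `BaseServer` needs its own copies depends on class composition outside these hunks, so that should be confirmed. Because these constants and the forced `options.setup_pkinit = False` in `validate_options` (whose body continues outside the hunk) are what keep PKINIT setup off, a small regression test that asserts those values after option validation would catch an accidental re-enable.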

--
Gitblit v1.8.0