From 42bb4ee747a2f22db756bd037b2b0044853bb41d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 21 Nov 2017 14:49:46 +0100
Subject: [PATCH] Fix ipa-replica-install when key not protected by PIN
When ipa-replica-install is called in a CA-less environment, the certs,
keys and pins need to be provided with --{http|dirsrv|pkinit}-cert-file and
--{http|dirsrv|pkinit}-pin. If the pin is not provided in the CLI options,
and in interactive mode, the installer prompts for the PIN.
The issue happens when the keys are not protected by any PIN, the installer
does not accept an empty string and keeps on asking for a PIN.
The fix makes sure that the installer accepts an empty PIN. A similar fix
was done for ipa-server-install in
https://pagure.io/freeipa/c/4ee426a68ec60370eee6f5aec917ecce444840c7
Fixes:
https://pagure.io/freeipa/issue/7274
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
f65af0
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
f65af0
index 42c723b57699340d7dfa67f581ab7d4d4fdcf551..396d6089449225cc83aa28552a2009b9057e65ab 100644
f65af0
--- a/ipaserver/install/server/replicainstall.py
f65af0
+++ b/ipaserver/install/server/replicainstall.py
f65af0
@@ -1057,7 +1057,7 @@ def promote_check(installer):
f65af0
         if options.http_pin is None:
f65af0
             options.http_pin = installutils.read_password(
f65af0
                 "Enter Apache Server private key unlock",
f65af0
-                confirm=False, validate=False)
f65af0
+                confirm=False, validate=False, retry=False)
f65af0
             if options.http_pin is None:
f65af0
                 raise ScriptError(
f65af0
                     "Apache Server private key unlock password required")
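Review bot: With `retry=False` the `is None` test after each `read_password` call in `promote_check` becomes load-bearing, and nothing in the code says so. An empty string now has to pass as a valid PIN for a key that is not PIN-protected, while None (presumably returned only when no input could be read; `read_password` itself is not part of this patch) must still raise, so a later tidy-up to `if not options.http_pin:` would silently bring back the endless-prompt failure. I would add a comment above each call, at the `http_pin`, `dirsrv_pin` and `pkinit_pin` sites alike: `# retry=False: an empty PIN is valid when the private key is not PIN-protected; None means no input was read`. The three `ScriptError` messages ending in "unlock password required" could also be reworded, since an empty password is now accepted. `promote_check` starts and ends outside these hunks.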
f65af0
@@ -1073,7 +1073,7 @@ def promote_check(installer):
f65af0
         if options.dirsrv_pin is None:
f65af0
             options.dirsrv_pin = installutils.read_password(
f65af0
                 "Enter Directory Server private key unlock",
f65af0
-                confirm=False, validate=False)
f65af0
+                confirm=False, validate=False, retry=False)
f65af0
             if options.dirsrv_pin is None:
f65af0
                 raise ScriptError(
f65af0
                     "Directory Server private key unlock password required")
f65af0
@@ -1089,7 +1089,7 @@ def promote_check(installer):
f65af0
         if options.pkinit_pin is None:
f65af0
             options.pkinit_pin = installutils.read_password(
f65af0
                 "Enter Kerberos KDC private key unlock",
f65af0
-                confirm=False, validate=False)
f65af0
+                confirm=False, validate=False, retry=False)
f65af0
             if options.pkinit_pin is None:
f65af0
                 raise ScriptError(
f65af0
                     "Kerberos KDC private key unlock password required")
-- 
2.17.1