From 42bb4ee747a2f22db756bd037b2b0044853bb41d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 21 Nov 2017 14:49:46 +0100
Subject: [PATCH] Fix ipa-replica-install when key not protected by PIN
When ipa-replica-install is called in a CA-less environment, the certs,
keys and pins need to be provided with --{http|dirsrv|pkinit}-cert-file and
--{http|dirsrv|pkinit}-pin. If the pin is not provided in the CLI options,
and in interactive mode, the installer prompts for the PIN.
The issue happens when the keys are not protected by any PIN, the installer
does not accept an empty string and keeps on asking for a PIN.
The fix makes sure that the installer accepts an empty PIN. A similar fix
was done for ipa-server-install in
https://pagure.io/freeipa/c/4ee426a68ec60370eee6f5aec917ecce444840c7
Fixes:
https://pagure.io/freeipa/issue/7274
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
ipaserver/install/server/replicainstall.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 42c723b57699340d7dfa67f581ab7d4d4fdcf551..396d6089449225cc83aa28552a2009b9057e65ab 100644
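--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1057,7 +1057,7 @@ def promote_check(installer):
 if options.http_pin is None:
 options.http_pin = installutils.read_password(
 "Enter Apache Server private key unlock",
- confirm=False, validate=False)
+ confirm=False, validate=False, retry=False)
 if options.http_pin is None:
 raise ScriptError(
 "Apache Server private key unlock password required")
@@ -1073,7 +1073,7 @@ def promote_check(installer):
 if options.dirsrv_pin is None:
 options.dirsrv_pin = installutils.read_password(
 "Enter Directory Server private key unlock",
- confirm=False, validate=False)
+ confirm=False, validate=False, retry=False)
 if options.dirsrv_pin is None:
 raise ScriptError(
 "Directory Server private key unlock password required")
@@ -1089,7 +1089,7 @@ def promote_check(installer):
 if options.pkinit_pin is None:
 options.pkinit_pin = installutils.read_password(
 "Enter Kerberos KDC private key unlock",
- confirm=False, validate=False)
+ confirm=False, validate=False, retry=False)
 if options.pkinit_pin is None:
 raise ScriptError(
 "Kerberos KDC private key unlock password required")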
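Review bot: Nothing at the three `read_password(...)` calls records that `retry=False` is what makes an empty answer a valid result, meaning the key file has no PIN at all. A later reader could take the unchanged `is None` check and its "password required" message to mean a non-empty PIN is still enforced. Presumably that check now fires only when the prompt returns nothing (for example on end-of-input), which should be confirmed against `installutils.read_password`, whose body is not in this patch. I would add a comment above each call such as `# retry=False: accept an empty PIN, the private key may be unprotected`. Since an empty PIN means the installer is handling an unencrypted private key file, it may also be worth recording that in the install log so the administrator sees it. `promote_check` begins and ends outside these hunks, so how the PIN is consumed afterwards is not visible here.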
--
2.17.1