From 60b57639295ab94949986ec59de3c8e6c92bee7d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH] Don't allow setting pkinit-related options on DL0
pkinit is not supported on DL0, remove the options that allow setting it
from ipa-{server,replica}-install.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
install/tools/man/ipa-replica-install.1 | 2 +-
install/tools/man/ipa-server-install.1 | 2 +-
ipaserver/install/server/__init__.py | 21 +++++++++++++++++++++
3 files changed, 23 insertions(+), 2 deletions(-)
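--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key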
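--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.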
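--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -332,9 +332,24 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
 if not os.path.exists(value):
 raise ValueError("File %s does not exist." % value)
 
+ def _is_promote(self):
+ """
+ :returns: True if domain level options correspond to domain level > 0
+ """
+ raise NotImplementedError()
+
 def __init__(self, **kwargs):
 super(ServerInstallInterface, self).__init__(**kwargs)
 
+ # pkinit is not supported on DL0, don't allow related options
+ if not self._is_promote():
+ if (self.no_pkinit or self.pkinit_cert_files is not None or
+ self.pkinit_pin is not None):
+ raise RuntimeError(
+ "pkinit on domain level 0 is not supported. Please "
+ "don't use any pkinit-related options.")
+ self.no_pkinit = True
+
 # If any of the key file options are selected, all are required.
 cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
 cert_file_opt = (self.pkinit_cert_files,)
@@ -557,6 +572,9 @@ class ServerMasterInstall(ServerMasterInstallInterface):
 add_sids = True
 add_agents = False
 
+ def _is_promote(self):
+ return self.domain_level > constants.DOMAIN_LEVEL_0
+
 def __init__(self, **kwargs):
 super(ServerMasterInstall, self).__init__(**kwargs)
 master_init(self)
@@ -590,6 +608,9 @@ class ServerReplicaInstall(ServerReplicaInstallInterface):
 description="Kerberos password for the specified admin principal",
 )
 
+ def _is_promote(self):
+ return self.replica_file is None
+
 def __init__(self, **kwargs):
 super(ServerReplicaInstall, self).__init__(**kwargs)
 replica_init(self)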
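Review bot: The DL0 guard in the first hunk (ServerInstallInterface.__init__) rejects an explicit `--no-pkinit` because `self.no_pkinit` is part of the error condition, yet the man-page hunks in this same commit describe disabling pkinit as "the default and only allowed behavior on domain level 0", and the code itself then forces `self.no_pkinit = True`. Since an explicit `--no-pkinit` requests exactly the forced state, the condition is cleaner as `if (self.pkinit_cert_files is not None or self.pkinit_pin is not None):`, leaving only the cert-file and PIN options as genuine conflicts; if rejecting the flag is intended, the man page wording should say the option must not be passed rather than that it is the default. A smaller point of style: the surrounding validators in this class raise `ValueError` (see the `File %s does not exist.` check at the top of the hunk), so `RuntimeError` for an option conflict looks inconsistent, though I cannot see what the other option-combination checks below raise. Note that `ServerMasterInstall._is_promote` reads `self.domain_level` while the base `__init__` is still running, which presumably relies on the base class having populated that knob from kwargs before this point — worth confirming. The enclosing `__init__` continues past the end of the hunk.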
--
2.12.2