From ebaad372cdeb941af1a390f81c8a4d90ea128f9f Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 14 Aug 2014 13:34:13 +0200
Subject: [PATCH] Hide pkinit functionality from production version
Rebased from original patch from Jan Zeleny and Rob Crittenden.
https://fedorahosted.org/freeipa/ticket/616
---
install/tools/ipa-replica-install | 5 +++--
install/tools/ipa-server-install | 10 ++++------
ipaserver/install/ipa_replica_prepare.py | 11 +++--------
3 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 4418b41784313121e73b560ee84715ddeba8bc54..ff4cd70147abb2dc6e0486155fb179d4fb1b29e9 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -95,8 +95,6 @@ def parse_options():
parser.add_option_group(basic_group)
cert_group = OptionGroup(parser, "certificate system options")
- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
- default=True, help="disables pkinit setup steps")
cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option_group(cert_group)
@@ -121,6 +119,9 @@ def parse_options():
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
+ # pkinit is disabled in production version
+ options.setup_pkinit = False
+
if len(args) != 1:
parser.error("you must provide a file generated by ipa-replica-prepare")
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index feea616b089261bf46392d5514e6e3cc9e12fcac..5bd22bf18f2b00e26d674b6cbbf81989b4a030cb 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -179,20 +179,14 @@ def parse_options():
help="File containing the IPA CA certificate signed by the external CA in PEM format")
cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
help="File containing the external CA certificate chain in PEM format")
- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
- default=True, help="disables pkinit setup steps")
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
help="PKCS#12 file containing the Directory Server SSL certificate")
cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
help="PKCS#12 file containing the Apache Server SSL certificate")
- cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
- help="PKCS#12 file containing the Kerberos KDC SSL certificate")
cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
help="The password of the Directory Server PKCS#12 file")
cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
help="The password of the Apache Server PKCS#12 file")
- cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
- help="The password of the Kerberos KDC PKCS#12 file")
cert_group.add_option("--root-ca-file", dest="root_ca_file",
help="PEM file with root CA certificate(s) to trust")
cert_group.add_option("--subject", action="callback", callback=subject_callback,
@@ -229,6 +223,10 @@ def parse_options():
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
+ # pkinit is disabled in production version
+ options.pkinit_pin = False
+ options.pkinit_pkcs12 = False
+
if options.dm_password is not None:
try:
validate_dm_password(options.dm_password)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 36d078a6b73562cb0047154f4bb7666ab25687b8..a3b89a8a739c6082aa7117cea470e2a9d8dba7f9 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -56,9 +56,6 @@ def add_options(cls, parser):
parser.add_option("--no-reverse", dest="no_reverse",
action="store_true", default=False,
help="do not create reverse DNS zone")
- parser.add_option("--no-pkinit", dest="setup_pkinit",
- action="store_false", default=True,
- help="disables pkinit setup steps")
parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
metavar="FILE",
help="location of CA PKCS#12 file, default /root/cacert.p12")
@@ -71,15 +68,10 @@ def add_options(cls, parser):
group.add_option("--http_pkcs12", dest="http_pkcs12",
metavar="FILE",
help="install certificate for the http server")
- group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
- metavar="FILE",
- help="install certificate for the KDC")
group.add_option("--dirsrv_pin", dest="dirsrv_pin", metavar="PIN",
help="PIN for the Directory Server PKCS#12 file")
group.add_option("--http_pin", dest="http_pin", metavar="PIN",
help="PIN for the Apache Server PKCS#12 file")
- group.add_option("--pkinit_pin", dest="pkinit_pin", metavar="PIN",
- help="PIN for the KDC pkinit PKCS#12 file")
parser.add_option_group(group)
def validate_options(self):
@@ -99,7 +91,10 @@ def validate_options(self):
"option together with --no-reverse")
#Automatically disable pkinit w/ dogtag until that is supported
+ # pkinit is disabled in production version
options.setup_pkinit = False
+ options.pkinit_pin = False
+ options.pkinit_pkcs12 = False
# If any of the PKCS#12 options are selected, all are required.
pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
--
1.9.3