From 7b9f8b3ba5c2768879906227e4f526b2675337ea Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 22 May 2013 09:38:50 +0200
Subject: [PATCH 1001/1006] Hide pkinit functionality from production version
Rebased from original patch from Jan Zeleny and Rob Crittenden.
https://fedorahosted.org/freeipa/ticket/616
---
install/tools/ipa-replica-install | 5 +++--
install/tools/ipa-server-install | 10 ++++------
ipaserver/install/ipa_replica_prepare.py | 11 +++--------
3 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659447065aa 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -96,8 +96,6 @@ def parse_options():
parser.add_option_group(basic_group)
cert_group = OptionGroup(parser, "certificate system options")
- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
- default=True, help="disables pkinit setup steps")
cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option_group(cert_group)
@@ -122,6 +120,9 @@ def parse_options():
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
+ # pkinit is disabled in production version
+ options.setup_pkinit = False
+
if len(args) != 1:
parser.error("you must provide a file generated by ipa-replica-prepare")
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -173,20 +173,14 @@ def parse_options():
help="PEM file containing a certificate signed by the external CA")
cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
help="PEM file containing the external CA chain")
- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
- default=True, help="disables pkinit setup steps")
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
help="PKCS#12 file containing the Directory Server SSL certificate")
cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
help="PKCS#12 file containing the Apache Server SSL certificate")
- cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
- help="PKCS#12 file containing the Kerberos KDC SSL certificate")
cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
help="The password of the Directory Server PKCS#12 file")
cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
help="The password of the Apache Server PKCS#12 file")
- cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
- help="The password of the Kerberos KDC PKCS#12 file")
cert_group.add_option("--root-ca-file", dest="root_ca_file",
help="PEM file with root CA certificate(s) to trust")
cert_group.add_option("--subject", action="callback", callback=subject_callback,
@@ -236,6 +230,10 @@ def parse_options():
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
+ # pkinit is disabled in production version
+ options.pkinit_pin = False
+ options.pkinit_pkcs12 = False
+
if options.dm_password is not None:
try:
validate_dm_password(options.dm_password)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b17683f51 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -57,9 +57,6 @@ def add_options(cls, parser):
parser.add_option("--no-reverse", dest="no_reverse",
action="store_true", default=False,
help="do not create reverse DNS zone")
- parser.add_option("--no-pkinit", dest="setup_pkinit",
- action="store_false", default=True,
- help="disables pkinit setup steps")
parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
metavar="FILE",
help="location of CA PKCS#12 file, default /root/cacert.p12")
@@ -72,15 +69,10 @@ def add_options(cls, parser):
group.add_option("--http_pkcs12", dest="http_pkcs12",
metavar="FILE",
help="install certificate for the http server")
- group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
- metavar="FILE",
- help="install certificate for the KDC")
group.add_option("--dirsrv_pin", dest="dirsrv_pin", metavar="PIN",
help="PIN for the Directory Server PKCS#12 file")
group.add_option("--http_pin", dest="http_pin", metavar="PIN",
help="PIN for the Apache Server PKCS#12 file")
- group.add_option("--pkinit_pin", dest="pkinit_pin", metavar="PIN",
- help="PIN for the KDC pkinit PKCS#12 file")
parser.add_option_group(group)
def validate_options(self):
@@ -100,7 +92,10 @@ def validate_options(self):
"option together with --no-reverse")
#Automatically disable pkinit w/ dogtag until that is supported
+ # pkinit is disabled in production version
options.setup_pkinit = False
+ options.pkinit_pin = False
+ options.pkinit_pkcs12 = False
# If any of the PKCS#12 options are selected, all are required.
pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
--
1.8.3.1