From ebaad372cdeb941af1a390f81c8a4d90ea128f9f Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Thu, 14 Aug 2014 13:34:13 +0200 Subject: [PATCH] Hide pkinit functionality from production version Rebased from original patch from Jan Zeleny and Rob Crittenden. https://fedorahosted.org/freeipa/ticket/616 --- install/tools/ipa-replica-install | 5 +++-- install/tools/ipa-server-install | 10 ++++------ ipaserver/install/ipa_replica_prepare.py | 11 +++-------- 3 files changed, 10 insertions(+), 16 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 4418b41784313121e73b560ee84715ddeba8bc54..ff4cd70147abb2dc6e0486155fb179d4fb1b29e9 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -95,8 +95,6 @@ def parse_options(): parser.add_option_group(basic_group) cert_group = OptionGroup(parser, "certificate system options") - cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", - default=True, help="disables pkinit setup steps") cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true", default=False, help="skip check for updated CA DS schema on the remote master") parser.add_option_group(cert_group) @@ -121,6 +119,9 @@ def parse_options(): options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) + # pkinit is disabled in production version + options.setup_pkinit = False + if len(args) != 1: parser.error("you must provide a file generated by ipa-replica-prepare") diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index feea616b089261bf46392d5514e6e3cc9e12fcac..5bd22bf18f2b00e26d674b6cbbf81989b4a030cb 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -179,20 +179,14 @@ def parse_options(): help="File containing the IPA CA certificate signed by the external CA in PEM format") cert_group.add_option("", "--external_ca_file", dest="external_ca_file", help="File containing the external CA certificate chain in PEM format") - cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", - default=True, help="disables pkinit setup steps") cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", help="PKCS#12 file containing the Directory Server SSL certificate") cert_group.add_option("--http_pkcs12", dest="http_pkcs12", help="PKCS#12 file containing the Apache Server SSL certificate") - cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12", - help="PKCS#12 file containing the Kerberos KDC SSL certificate") cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True, help="The password of the Directory Server PKCS#12 file") cert_group.add_option("--http_pin", dest="http_pin", sensitive=True, help="The password of the Apache Server PKCS#12 file") - cert_group.add_option("--pkinit_pin", dest="pkinit_pin", - help="The password of the Kerberos KDC PKCS#12 file") cert_group.add_option("--root-ca-file", dest="root_ca_file", help="PEM file with root CA certificate(s) to trust") cert_group.add_option("--subject", action="callback", callback=subject_callback, @@ -229,6 +223,10 @@ def parse_options(): options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) + # pkinit is disabled in production version + options.pkinit_pin = False + options.pkinit_pkcs12 = False + if options.dm_password is not None: try: validate_dm_password(options.dm_password) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 36d078a6b73562cb0047154f4bb7666ab25687b8..a3b89a8a739c6082aa7117cea470e2a9d8dba7f9 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -56,9 +56,6 @@ def add_options(cls, parser): parser.add_option("--no-reverse", dest="no_reverse", action="store_true", default=False, help="do not create reverse DNS zone") - parser.add_option("--no-pkinit", dest="setup_pkinit", - action="store_false", default=True, - help="disables pkinit setup steps") parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12", metavar="FILE", help="location of CA PKCS#12 file, default /root/cacert.p12") @@ -71,15 +68,10 @@ def add_options(cls, parser): group.add_option("--http_pkcs12", dest="http_pkcs12", metavar="FILE", help="install certificate for the http server") - group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12", - metavar="FILE", - help="install certificate for the KDC") group.add_option("--dirsrv_pin", dest="dirsrv_pin", metavar="PIN", help="PIN for the Directory Server PKCS#12 file") group.add_option("--http_pin", dest="http_pin", metavar="PIN", help="PIN for the Apache Server PKCS#12 file") - group.add_option("--pkinit_pin", dest="pkinit_pin", metavar="PIN", - help="PIN for the KDC pkinit PKCS#12 file") parser.add_option_group(group) def validate_options(self): @@ -99,7 +91,10 @@ def validate_options(self): "option together with --no-reverse") #Automatically disable pkinit w/ dogtag until that is supported + # pkinit is disabled in production version options.setup_pkinit = False + options.pkinit_pin = False + options.pkinit_pkcs12 = False # If any of the PKCS#12 options are selected, all are required. pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) -- 1.9.3