URL: https://github.com/freeipa/freeipa/pull/774
Title: #774: Deprecate pkinit-anonymous command

abbra commented:
Just remove the command completely. FreeIPA prior to 4.5 never supported PKINIT 
operations and never allowed using anonymous PKINIT. Disabling/enabling it was 
left for admins that knew what they wanted. However, with FreeIPA 4.5 we 
require anonymous PKINIT to be enabled all the time -- be it with a local 
self-signed cert or with some other certificate issued by a proper CA. An 
anonymous principal can only be used to create a FAST channel, nothing else.

See the full comment at 