URL: https://github.com/freeipa/freeipa/pull/640
Author: stlaz
 Title: #640: Remove pkinit options from master/replica on DL0
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/640/head:pr640
git checkout pr640
From 53cdc14d5e006634817a1cddfee8954db3434785 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 22 Mar 2017 17:10:56 +0100
Subject: [PATCH 1/4] Fix the order of cert-files check

Without this patch, if any of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
asked to add the remaining options, and only after doing so are they
told that they are using 'no-pkinit' along with
'pkinit-cert-file'.

https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 14f1ec4..117f51c 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -340,16 +340,16 @@ def __init__(self, **kwargs):
         cert_file_opt = (self.pkinit_cert_files,)
         if not self.no_pkinit:
             cert_file_req += cert_file_opt
-        if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
-            raise RuntimeError(
-                "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
-                "or --no-pkinit are required if any key file options are used."
-            )
         if self.no_pkinit and self.pkinit_cert_files:
             raise RuntimeError(
                 "--no-pkinit and --pkinit-cert-file cannot be specified "
                 "together"
             )
+        if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+            raise RuntimeError(
+                "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+                "or --no-pkinit are required if any key file options are used."
+            )
 
         if not self.interactive:
             if self.dirsrv_cert_files and self.dirsrv_pin is None:
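Review bot: After the reorder the `--no-pkinit` conflict check on L39 still only looks at `pkinit_cert_files`; a `--pkinit-pin` passed together with `--no-pkinit` is neither rejected nor reported, and since `cert_file_req` no longer includes the pkinit file in that case the pin is silently ignored. If that is intentional a short comment would help, e.g. `# --pkinit-pin without --pkinit-cert-file is ignored when --no-pkinit is given`; otherwise extend the condition to `if self.no_pkinit and (self.pkinit_cert_files or self.pkinit_pin is not None):` and mention the pin in the message. The enclosing `__init__` starts and ends outside this hunk.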

From 6620562bc9ec874723ae32b54a53734666ec4271 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH 2/4] Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0; remove the options that allow setting it
up from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801
---
 install/tools/man/ipa-replica-install.1 |  2 +-
 install/tools/man/ipa-server-install.1  |  2 +-
 ipaserver/install/server/__init__.py    | 21 +++++++++++++++++++++
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index d63912c..7d24132 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index c48bdae..d5d28df 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c..096cb01 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -332,9 +332,24 @@ def dirsrv_config_file(self, value):
         if not os.path.exists(value):
             raise ValueError("File %s does not exist." % value)
 
+    def _is_promote(self):
+        """
+        :returns: True if domain level options correspond to domain level > 0
+        """
+        raise NotImplementedError()
+
     def __init__(self, **kwargs):
         super(ServerInstallInterface, self).__init__(**kwargs)
 
+        # pkinit is not supported on DL0, don't allow related options
+        if not self._is_promote():
+            if (self.no_pkinit or self.pkinit_cert_files is not None or
+                    self.pkinit_pin is not None):
+                raise RuntimeError(
+                    "pkinit on domain level 0 is not supported. Please "
+                    "don't use any pkinit-related options.")
+            self.no_pkinit = True
+
         # If any of the key file options are selected, all are required.
         cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
         cert_file_opt = (self.pkinit_cert_files,)
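Review bot: The DL0 branch on L112-L117 raises when `self.no_pkinit` is set, yet the man pages changed in this same patch (L77, L90) describe `--no-pkinit` as "the default and only allowed behavior on domain level 0", so a user who follows the documentation and passes `--no-pkinit` on DL0 gets the "don't use any pkinit-related options" error. Either drop `self.no_pkinit` from the condition (L118 forces it to True anyway) or reword the man page to say the option is implied on DL0 and must not be given. The base `_is_promote` on L102-L106 raises NotImplementedError but is called unconditionally from `__init__` on L112, so every concrete subclass must override it; the docstring should say so, e.g. `"""Return True when domain level options select a domain level > 0. Must be overridden by every concrete installer; called from __init__."""`. The overrides in the two later hunks of this file (L127-L128, L137-L138) read `self.domain_level` and `self.replica_file`, which presumably are assigned by the `super().__init__` call on L109 before `_is_promote` runs — worth confirming, since a missing attribute here would surface as an AttributeError during option validation. The enclosing `__init__` continues outside this hunk.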
@@ -557,6 +572,9 @@ def admin_password(self, value):
     add_sids = True
     add_agents = False
 
+    def _is_promote(self):
+        return self.domain_level > constants.DOMAIN_LEVEL_0
+
     def __init__(self, **kwargs):
         super(ServerMasterInstall, self).__init__(**kwargs)
         master_init(self)
@@ -590,6 +608,9 @@ class ServerReplicaInstall(ServerReplicaInstallInterface):
         description="Kerberos password for the specified admin principal",
     )
 
+    def _is_promote(self):
+        return self.replica_file is None
+
     def __init__(self, **kwargs):
         super(ServerReplicaInstall, self).__init__(**kwargs)
         replica_init(self)
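Review bot: The `_is_promote` override on L137-L138 carries no docstring, and its logic (no replica file means promotion) is not obvious to a reader of the replica installer alone. A one-liner such as `"""Replica promotion (DL > 0) is selected when no replica file from ipa-replica-prepare is given."""` would make the DL0 gating in the superclass `__init__` self-explanatory; the master override on L127-L128 would benefit from the same treatment. The surrounding `ServerReplicaInstall` class starts and ends outside this hunk.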

From b9d9a738871b30ba377215f78f913f665f45653d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 24 Mar 2017 12:29:53 +0100
Subject: [PATCH 3/4] replica-prepare man: remove pkinit option refs

Remove the references to the pkinit options which were forgotten
in 46d4d534c0

https://pagure.io/freeipa/issue/6801
---
 install/tools/man/ipa-replica-prepare.1 | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
index 2063657..afc5408 100644
--- a/install/tools/man/ipa-replica-prepare.1
+++ b/install/tools/man/ipa-replica-prepare.1
@@ -43,27 +43,18 @@ File containing the Directory Server SSL certificate and private key. The files
 \fB\-\-http\-cert\-file\fR=\fIFILE\fR
 File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
 .TP
-\fB\-\-pkinit\-cert\-file\fR=\fIFILE\fR
-File containing the Kerberos KDC SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
-.TP
 \fB\-\-dirsrv\-pin\fR=\fIPIN\fR
 The password to unlock the Directory Server private key
 .TP
 \fB\-\-http\-pin\fR=\fIPIN\fR
 The password to unlock the Apache Server private key
 .TP
-\fB\-\-pkinit\-pin\fR=\fIPIN\fR
-The password to unlock the Kerberos KDC private key
-.TP
 \fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
 Name of the Directory Server SSL certificate to install
 .TP
 \fB\-\-http\-cert\-name\fR=\fINAME\fR
 Name of the Apache Server SSL certificate to install
 .TP
-\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR
-Name of the Kerberos KDC SSL certificate to install
-.TP
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
 .TP
@@ -81,9 +72,6 @@ Do not create reverse DNS zone
 \fB\-\-ca\fR=\fICA_FILE\fR
 Location of CA PKCS#12 file, default /root/cacert.p12
 .TP
-\fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
-.TP
 \fB\-\-debug\fR
 Prints info log messages to the output
 .SH "EXIT STATUS"

From fc5315bd732d834fd7994cddc003981a1b336abe Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 29 Mar 2017 09:00:09 +0200
Subject: [PATCH 4/4] Remove redundant option check for cert files

There was a redundant check for CA-less install certificate files
for replicas but the same check is done for all installers before
that.

https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 096cb01..89444f2 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -470,16 +470,8 @@ def __init__(self, **kwargs):
                     "idmax (%s) cannot be smaller than idstart (%s)" %
                     (self.idmax, self.idstart))
         else:
-            cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
-            cert_file_opt = (self.pkinit_cert_files,)
-
+            # replica installers
             if self.replica_file is None:
-                # If any of the PKCS#12 options are selected, all are required.
-                if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
-                    raise RuntimeError(
-                        "--dirsrv-cert-file and --http-cert-file are required "
-                        "if any PKCS#12 options are used")
-
                 if self.servers and not self.domain_name:
                     raise RuntimeError(
                         "The --server option cannot be used without providing "
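Review bot: The comment added on L225, `# replica installers`, sits directly above `if self.replica_file is None:`, which per the `_is_promote` override in patch 2 selects the promotion case, while the whole `else:` branch on L221 is already the replica-installer branch; as placed it reads as if only the `if` body concerns replicas. Consider moving it up beside `else:` or rewording it to `# replica installers; no replica file means replica promotion (DL > 0)` so the branch condition is explained rather than restated. The enclosing `__init__` starts and ends outside this hunk.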
-- 