Re: [Freeipa-devel] [PATCH] 0189 Remove option to use custom SSL certificates from ipa-server-install

2013-03-05 Thread Petr Viktorin

On 03/05/2013 11:32 AM, Jan Cholasta wrote:

Hi,

On 26.2.2013 15:50, Petr Viktorin wrote:

This removes the --{dirsrv,http,pkinit}-{pkcs12,pin} options.

https://fedorahosted.org/freeipa/ticket/3151


The same options are in ipa-replica-prepare. I think we should leave
those be, so people with existing servers with custom certs can install
replicas.



Should we keep them visible, or should we make them hidden and remove
them from documentation?

Honza



They have their own section in --help, with an explanation:

  SSL certificate options:
Only used if the server was installed using custom SSL certificates

I think that's enough.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0189 Remove option to use custom SSL certificates from ipa-server-install

2013-03-05 Thread Jan Cholasta

On 5.3.2013 11:55, Petr Viktorin wrote:

On 03/05/2013 11:32 AM, Jan Cholasta wrote:

Hi,

On 26.2.2013 15:50, Petr Viktorin wrote:

This removes the --{dirsrv,http,pkinit}-{pkcs12,pin} options.

https://fedorahosted.org/freeipa/ticket/3151


The same options are in ipa-replica-prepare. I think we should leave
those be, so people with existing servers with custom certs can install
replicas.



Should we keep them visible, or should we make them hidden and remove
them from documentation?

Honza



They have their own section in --help, with an explanation:

   SSL certificate options:
 Only used if the server was installed using custom SSL certificates

I think that's enough.



OK, makes sense.

Please update ipa-server-install man page to reflect the changes.

I think you can remove the pkcs12_info argument of 
{Ds,Krb}Instance.create_instance, as the only place where it was used is 
ipa-server-install.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0189 Remove option to use custom SSL certificates from ipa-server-install

2013-03-05 Thread Martin Kosek

On 03/05/2013 02:40 PM, Jan Cholasta wrote:
 On 5.3.2013 11:55, Petr Viktorin wrote:
 On 03/05/2013 11:32 AM, Jan Cholasta wrote:
 Hi,

 On 26.2.2013 15:50, Petr Viktorin wrote:
 This removes the --{dirsrv,http,pkinit}-{pkcs12,pin} options.

 https://fedorahosted.org/freeipa/ticket/3151


 The same options are in ipa-replica-prepare. I think we should leave
 those be, so people with existing servers with custom certs can install
 replicas.


 Should we keep them visible, or should we make them hidden and remove
 them from documentation?

 Honza


 They have their own section in --help, with an explanation:

SSL certificate options:
  Only used if the server was installed using custom SSL certificates

 I think that's enough.

 
 OK, makes sense.
 
 Please update ipa-server-install man page to reflect the changes.
 
 I think you can remove the pkcs12_info argument of
 {Ds,Krb}Instance.create_instance, as the only place where it was used is
 ipa-server-install.
 
 Honza
 

We had a discussion about this feature on a meeting today and we decided to not
retire this feature after all and fix it instead.

This decision retires patch 189 and 
https://fedorahosted.org/freeipa/ticket/3151.

Martin



[Freeipa-devel] [PATCH] 0189 Remove option to use custom SSL certificates from ipa-server-install

2013-02-26 Thread Petr Viktorin

This removes the --{dirsrv,http,pkinit}-{pkcs12,pin} options.

https://fedorahosted.org/freeipa/ticket/3151


The same options are in ipa-replica-prepare. I think we should leave 
those be, so people with existing servers with custom certs can install 
replicas.


--
Petr³
From 664fdd8278144caecb756acda0e6a92db40d4898 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 22 Feb 2013 09:55:05 -0500
Subject: [PATCH] Remove option to use custom SSL certificates from
 ipa-server-install

Remove the --{dirsrv,http,pkinit}-{pkcs12,pin} options and code that
handles them.

https://fedorahosted.org/freeipa/ticket/3151
---
 install/tools/ipa-server-install |  111 +++--
 1 files changed, 21 insertions(+), 90 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 15591071b0983511394a2cba3d829e1b84fe328e..3ce139e6cfb66d9d17329a36c90756d448914d0c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -70,7 +70,6 @@ from ipapython.dn import DN
 
 import ipaclient.ntpconf
 
-pw_name = None
 uninstalling = False
 installation_cleanup = True
 
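Review bot: dropping the module-level `pw_name = None` is only safe if the `global pw_name` declaration in `main()` and the `tempfile.mkstemp()` code that assigned it go in the same patch; the later hunks in this file do remove both, so once the patch is complete no other reference to `pw_name` should be left behind.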
@@ -168,18 +167,6 @@ def parse_options():
   help=File containing PKCS#10 of the external CA chain)
 cert_group.add_option(--no-pkinit, dest=setup_pkinit, action=store_false,
   default=True, help=disables pkinit setup steps)
-cert_group.add_option(--dirsrv_pkcs12, dest=dirsrv_pkcs12,
-  help=PKCS#12 file containing the Directory Server SSL certificate)
-cert_group.add_option(--http_pkcs12, dest=http_pkcs12,
-  help=PKCS#12 file containing the Apache Server SSL certificate)
-cert_group.add_option(--pkinit_pkcs12, dest=pkinit_pkcs12,
-  help=PKCS#12 file containing the Kerberos KDC SSL certificate)
-cert_group.add_option(--dirsrv_pin, dest=dirsrv_pin, sensitive=True,
-  help=The password of the Directory Server PKCS#12 file)
-cert_group.add_option(--http_pin, dest=http_pin, sensitive=True,
-  help=The password of the Apache Server PKCS#12 file)
-cert_group.add_option(--pkinit_pin, dest=pkinit_pin,
-  help=The password of the Kerberos KDC PKCS#12 file)
 cert_group.add_option(--subject, action=callback, callback=subject_callback,
   type=string,
   help=The certificate subject base (default O=realm-name))
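Review bot: removing the six `--{dirsrv,http,pkinit}-{pkcs12,pin}` definitions from `cert_group` leaves the ipa-server-install man page describing options that optparse will now reject as unknown; update the man page in this patch rather than separately. Also worth recording for the case where this feature is kept and fixed instead of removed: in the deleted block `--pkinit_pin` was the one PIN option declared without `sensitive=True`, unlike `--dirsrv_pin` and `--http_pin`, so that flag should be added so the PKINIT PIN is handled like the other PINs.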
@@ -270,14 +257,6 @@ def parse_options():
 if not options.forwarders and not options.no_forwarders:
 parser.error(You must specify at least one --forwarder option or --no-forwarders option)
 
-# If any of the PKCS#12 options are selected, all are required. Create a
-# list of the options and count it to enforce that all are required without
-# having a huge set of it blocks.
-pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
-cnt = pkcs12.count(None)
-if cnt  0 and cnt  4:
-parser.error(All PKCS#12 options are required if any are used.)
-
 if (options.external_cert_file or options.external_ca_file) and options.selfsign:
 parser.error(--selfsign cannot be used with the external CA options.)
 
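Review bot: the removed all-or-none check only ever covered `dirsrv_pkcs12`, `http_pkcs12`, `dirsrv_pin` and `http_pin`, never the pkinit pair, so nothing remaining in `parse_options()` depends on it and it is right to drop it together with the options. The comparison operators in `if cnt  0 and cnt  4:` appear to have been stripped by the archive rendering, which makes the hunk harder to read in mail than in the patch file.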
@@ -304,7 +283,7 @@ def parse_options():
 (options.idmax, options.idstart))
 
 #Automatically disable pkinit w/ dogtag until that is supported
-if not options.pkinit_pkcs12 and not options.selfsign:
+if not options.selfsign:
 options.setup_pkinit = False
 
 if options.zone_refresh  0:
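Review bot: with `options.pkinit_pkcs12` gone, `setup_pkinit` is now forced off for every install that is not `--selfsign`, so `--no-pkinit` (help text "disables pkinit setup steps") only has an effect together with `--selfsign`. Say so in the option's help or the man page, and consider extending the comment above ("Automatically disable pkinit w/ dogtag until that is supported") so it no longer implies that supplying a PKINIT certificate is a way around the restriction.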
@@ -561,7 +540,6 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
 
 def main():
 global ds
-global pw_name
 global uninstalling
 global installation_cleanup
 ds = None
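Review bot: removing `global pw_name` here matches dropping the module-level variable in the first hunk; if `tempfile` was imported only for the `tempfile.mkstemp()` call removed from `main()` below, drop that import in the same patch so the file does not keep an unused module.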
@@ -931,26 +909,11 @@ def main():
 # Create a directory server instance
 ds = dsinstance.DsInstance(fstore=fstore)
 
-if options.dirsrv_pin:
-[pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, options.dirsrv_pin)
-os.close(pw_fd)
-
-if options.dirsrv_pkcs12:
-pkcs12_info = (options.dirsrv_pkcs12, pw_name)
-try:
-ds.create_instance(realm_name, host_name, domain_name,
-   dm_password, pkcs12_info,
-   subject_base=options.subject,
-   hbac_allow=not options.hbac_allow)
-finally:
-os.remove(pw_name)
-else:
-ds.create_instance(realm_name, host_name, domain_name,
-   dm_password, self_signed_ca=options.selfsign,
-   idstart=options.idstart, idmax=options.idmax,
-   subject_base=options.subject,
-   hbac_allow=not options.hbac_allow)
+ds.create_instance(realm_name, host_name, domain_name,
+
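Review bot: the replacement `ds.create_instance(...)` call is cut off in this copy of the patch, so confirm that the keyword arguments of the former `else` branch (`self_signed_ca=options.selfsign`, `idstart=options.idstart`, `idmax=options.idmax`, `subject_base=options.subject`, `hbac_allow=not options.hbac_allow`) all survive, and that the now-unused `pkcs12_info` positional parameter is removed from `DsInstance.create_instance` (and `KrbInstance`, as Jan suggests) rather than left as a dead parameter. The removed block was also the only place the Directory Server PIN was written to a `mkstemp()` file on disk and unlinked in `finally`; with the options gone no PIN touches the filesystem during install, which is the right outcome.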