[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 From 53cdc14d5e006634817a1cddfee8954db3434785 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:10:56 +0100 Subject: [PATCH 1/4] Fix the order of cert-files check Without this patch, if either of dirsrv_cert_files, http_cert_files or pkinit_cert_files is set along with no-pkinit, the user is first requested to add the remaining options and when they do that, they are told that they are using 'no-pkinit' along with 'pkinit-cert-file'. https://pagure.io/freeipa/issue/6801 --- ipaserver/install/server/__init__.py | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 14f1ec4..117f51c 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -340,16 +340,16 @@ def __init__(self, **kwargs): cert_file_opt = (self.pkinit_cert_files,) if not self.no_pkinit: cert_file_req += cert_file_opt -if any(cert_file_req + cert_file_opt) and not all(cert_file_req): -raise RuntimeError( -"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " -"or --no-pkinit are required if any key file options are used." -) if self.no_pkinit and self.pkinit_cert_files: raise RuntimeError( "--no-pkinit and --pkinit-cert-file cannot be specified " "together" ) +if any(cert_file_req + cert_file_opt) and not all(cert_file_req): +raise RuntimeError( +"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " +"or --no-pkinit are required if any key file options are used." +) if not self.interactive: if self.dirsrv_cert_files and self.dirsrv_pin is None: From 6620562bc9ec874723ae32b54a53734666ec4271 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:26:51 +0100 Subject: [PATCH 2/4] Don't allow setting pkinit-related options on DL0 pkinit is not supported on DL0, remove options that allow to set it from ipa-{server,replica}-install. https://pagure.io/freeipa/issue/6801 --- install/tools/man/ipa-replica-install.1 | 2 +- install/tools/man/ipa-server-install.1 | 2 +- ipaserver/install/server/__init__.py| 21 + 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index d63912c..7d24132 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then certificate operations will be forwarded to a master with a CA installed. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=FILE File containing the Directory Server SSL certificate and private key diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index c48bdae..d5d28df 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times. diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 117f51c..096cb01 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -332,9 +332,24 @@ def dirsrv_config_file(self, value): if not os.path.exists(value): raise ValueError("File %s does not exist." % value) +def _is_promote(self): +""" +:returns: True if domain level options correspond to domain level > 0 +""" +raise NotImplementedError() + def __init__(self, **kwargs): super(ServerInstallInterface, self).__init__(**kwargs) +# p
[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 From 53cdc14d5e006634817a1cddfee8954db3434785 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:10:56 +0100 Subject: [PATCH 1/4] Fix the order of cert-files check Without this patch, if either of dirsrv_cert_files, http_cert_files or pkinit_cert_files is set along with no-pkinit, the user is first requested to add the remaining options and when they do that, they are told that they are using 'no-pkinit' along with 'pkinit-cert-file'. https://pagure.io/freeipa/issue/6801 --- ipaserver/install/server/__init__.py | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 14f1ec4..117f51c 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -340,16 +340,16 @@ def __init__(self, **kwargs): cert_file_opt = (self.pkinit_cert_files,) if not self.no_pkinit: cert_file_req += cert_file_opt -if any(cert_file_req + cert_file_opt) and not all(cert_file_req): -raise RuntimeError( -"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " -"or --no-pkinit are required if any key file options are used." -) if self.no_pkinit and self.pkinit_cert_files: raise RuntimeError( "--no-pkinit and --pkinit-cert-file cannot be specified " "together" ) +if any(cert_file_req + cert_file_opt) and not all(cert_file_req): +raise RuntimeError( +"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " +"or --no-pkinit are required if any key file options are used." +) if not self.interactive: if self.dirsrv_cert_files and self.dirsrv_pin is None: From 835dbe9dbecfe02ec26a98d52bb4c8c9c2b4cb8a Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:26:51 +0100 Subject: [PATCH 2/4] Don't allow setting pkinit-related options on DL0 pkinit is not supported on DL0, remove options that allow to set it from ipa-{server,replica}-install. https://pagure.io/freeipa/issue/6801 --- install/tools/man/ipa-replica-install.1 | 2 +- install/tools/man/ipa-server-install.1 | 2 +- ipaserver/install/server/__init__.py| 16 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index d63912c..7d24132 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then certificate operations will be forwarded to a master with a CA installed. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=FILE File containing the Directory Server SSL certificate and private key diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index c48bdae..d5d28df 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times. diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 117f51c..6fd4957 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -335,6 +335,22 @@ def dirsrv_config_file(self, value): def __init__(self, **kwargs): super(ServerInstallInterface, self).__init__(**kwargs) +is_dl0 = ( +# in server-install, we have the domain_level option +(hasattr(self, 'domain_level') and + self.domain_level == constants.DOMAIN_LEVEL_0) or +# on replica we have to decide depending on replica_file appearance +(ha
[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0
URL: https://github.com/freeipa/freeipa/pull/640 Author: stlaz Title: #640: Remove pkinit options from master/replica on DL0 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/640/head:pr640 git checkout pr640 From 1869c6ee53550fb6b8dbf8618ae0f47eba7c6b20 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:10:56 +0100 Subject: [PATCH 1/3] Fix the order of cert-files check Without this patch, if either of dirsrv_cert_files, http_cert_files or pkinit_cert_files is set along with no-pkinit, the user is first requested to add the remaining options and when they do that, they are told that they are using 'no-pkinit' along with 'pkinit-cert-file'. https://pagure.io/freeipa/issue/6801 --- ipaserver/install/server/__init__.py | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 14f1ec4..117f51c 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -340,16 +340,16 @@ def __init__(self, **kwargs): cert_file_opt = (self.pkinit_cert_files,) if not self.no_pkinit: cert_file_req += cert_file_opt -if any(cert_file_req + cert_file_opt) and not all(cert_file_req): -raise RuntimeError( -"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " -"or --no-pkinit are required if any key file options are used." -) if self.no_pkinit and self.pkinit_cert_files: raise RuntimeError( "--no-pkinit and --pkinit-cert-file cannot be specified " "together" ) +if any(cert_file_req + cert_file_opt) and not all(cert_file_req): +raise RuntimeError( +"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file " +"or --no-pkinit are required if any key file options are used." +) if not self.interactive: if self.dirsrv_cert_files and self.dirsrv_pin is None: From 93628f3b744dfb42988b07020dad42cac76e0cd4 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 22 Mar 2017 17:26:51 +0100 Subject: [PATCH 2/3] Don't allow setting pkinit-related options on DL0 pkinit is not supported on DL0, remove options that allow to set it from ipa-{server,replica}-install. https://pagure.io/freeipa/issue/6801 --- install/tools/man/ipa-replica-install.1 | 2 +- install/tools/man/ipa-server-install.1 | 2 +- ipaserver/install/server/__init__.py| 8 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index d63912c..7d24132 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then certificate operations will be forwarded to a master with a CA installed. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=FILE File containing the Directory Server SSL certificate and private key diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index c48bdae..d5d28df 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP \fB\-\-no\-pkinit\fR -Disables pkinit setup steps +Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0. .TP \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times. diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index 117f51c..aac2236 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -335,6 +335,14 @@ def dirsrv_config_file(self, value): def __init__(self, **kwargs): super(ServerInstallInterface, self).__init__(**kwargs) +if self.domain_level == constants.DOMAIN_LEVEL_0: +if (self.no_pkinit or self.pkinit_cert_files is not None or +self.pkinit_pin is not None): +raise RuntimeError( +"pkinit on domain level 0 is not supported. Please don't " +