Add sanity checks for use of --ca-subject and --subject-base

Print an error and terminate if --ca-subject or --subject-base are used when installing a CA-less master or when performing standalone installation of a CA replica. Part of: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-01-27 00:26:33 -06:00 · 2016-12-20 20:21:10 +10:00 · 2016-12-20 20:21:10 +10:00 · 0c95a00147
commit 0c95a00147
parent 3f56609732
2 changed files with 12 additions and 0 deletions
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@ -122,6 +122,11 @@ def get_dirman_password():


 def install_replica(safe_options, options, filename):
+    if options.ca_subject:
+        sys.exit("--ca-subject cannot be used when installing a CA replica")
+    if options.subject_base:
+        sys.exit("--subject-base cannot be used when installing a CA replica")
+
    if options.promote:
        if filename is not None:
            sys.exit("Too many parameters provided. "
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -364,6 +364,13 @@ def install_check(installer):
        setup_ca = True
    options.setup_ca = setup_ca

+    if not setup_ca and options.ca_subject:
+        raise ScriptError(
+            "--ca-subject cannot be used with CA-less installation")
+    if not setup_ca and options.subject_base:
+        raise ScriptError(
+            "--subject-base cannot be used with CA-less installation")
+
    # first instance of KRA must be installed by ipa-kra-install
    options.setup_kra = False