From 0c95a00147b1dd508736dacc847873ddddafb504 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 20 Dec 2016 20:21:10 +1000
Subject: [PATCH] Add sanity checks for use of --ca-subject and --subject-base
Print an error and terminate if --ca-subject or --subject-base are used when installing a CA-less master or when performing standalone installation of a CA replica.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta
---
 install/tools/ipa-ca-install | 5 +++++
 ipaserver/install/server/install.py | 7 +++++++
 2 files changed, 12 insertions(+)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 42906d440..0952d0088 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -122,6 +122,11 @@ def get_dirman_password():
 def install_replica(safe_options, options, filename):
+ if options.ca_subject:
+ sys.exit("--ca-subject cannot be used when installing a CA replica")
+ if options.subject_base:
+ sys.exit("--subject-base cannot be used when installing a CA replica")
+
 if options.promote:
 if filename is not None:
 sys.exit("Too many parameters provided. "
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index db765d60b..c26982769 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -364,6 +364,13 @@ def install_check(installer):
 setup_ca = True
 options.setup_ca = setup_ca
+ if not setup_ca and options.ca_subject:
+ raise ScriptError(
+ "--ca-subject cannot be used with CA-less installation")
+ if not setup_ca and options.subject_base:
+ raise ScriptError(
+ "--subject-base cannot be used with CA-less installation")
+
 # first instance of KRA must be installed by ipa-kra-install
 options.setup_kra = False
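Review bot: Both new guards at the top of `install_replica` test truthiness, so an explicitly supplied but empty value (for example `--ca-subject=`) would pass the check and then be silently ignored. If the parser default for these options is `None`, which is not visible in this hunk, `if options.ca_subject is not None:` and `if options.subject_base is not None:` would reject every explicit use. The same pattern appears in the `install_check` hunk of `ipaserver/install/server/install.py`. A short comment above the pair would also help, such as `# subject options only apply when creating a new CA; refuse them here instead of ignoring them`. The body of `install_replica` continues past the end of the hunk.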
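Review bot: The two `ScriptError` guards in `install_check` only protect the master installation path. The commit message covers CA-less masters and standalone CA replica installs, and nothing in this patch shows the regular replica installer rejecting `--ca-subject` or `--subject-base`. It is worth confirming that path does not accept and silently drop them, since an operator would then assume a subject DN that the deployment does not use. The guards also depend on `setup_ca` being final once `options.setup_ca = setup_ca` has run, so a comment such as `# setup_ca is final here; subject options are meaningless without a CA` would keep later edits from moving the checks above that assignment. `install_check` starts and ends outside the hunk.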