IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-client-install: Do not request host certificate if server is CA-less

Browse Source 
https://fedorahosted.org/freeipa/ticket/3536
This commit is contained in:
Petr Viktorin 2013-03-28 17:41:05 +01:00 committed by Martin Kosek
parent a4b88cad11
commit 67c7bd3060
1 changed files with 37 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
ipa-client/ipa-install/ipa-client-install
View File

@ -693,6 +693,20 @@ def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server):
return 0 return 0
def disable_ra():
"""Set the enable_ra option in /etc/ipa/default.conf to False
Note that api.env will retain the old value (it is readonly).
"""
parser = RawConfigParser()
parser.read('/etc/ipa/default.conf')
parser.set('global', 'enable_ra', 'False')
fp = open('/etc/ipa/default.conf', 'w')
parser.write(fp)
fp.close()
def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, files): def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, files):
ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
ldapconf.setOptionAssignment(" ") ldapconf.setOptionAssignment(" ")
@ -894,7 +908,8 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
return 0 return 0
def configure_certmonger(fstore, subject_base, cli_realm, hostname, options): def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
remote_env):
started = True started = True
principal = 'host/%s@%s' % (hostname, cli_realm) principal = 'host/%s@%s' % (hostname, cli_realm)
@ -940,14 +955,21 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options):
"Automatic certificate management will not be available") "Automatic certificate management will not be available")
# Request our host cert # Request our host cert
if started: if remote_env['enable_ra']:
client_nss_nickname = client_nss_nickname_format % hostname if started:
subject = DN(('CN', hostname), subject_base) client_nss_nickname = client_nss_nickname_format % hostname
try: subject = DN(('CN', hostname), subject_base)
run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname, "-N", str(subject), "-K", principal]) try:
except Exception: run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb",
root_logger.error( "-n", client_nss_nickname, "-N", str(subject),
"%s request for host certificate failed", cmonger.service_name) "-K", principal])
except Exception:
root_logger.error("%s request for host certificate failed",
cmonger.service_name)
else:
root_logger.warning(
"A RA is not configured on the server. "
"Not requesting host certificate.")
def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname): def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
try: try:
@ -2217,9 +2239,14 @@ def install(options, env, fstore, statestore):
'Cannot connect to the server due to generic error: %s', str(e)) 'Cannot connect to the server due to generic error: %s', str(e))
return CLIENT_INSTALL_ERROR return CLIENT_INSTALL_ERROR
remote_env = api.Command['env'](server=True)['result']
if not remote_env['enable_ra']:
disable_ra()
if not options.on_master: if not options.on_master:
client_dns(cli_server[0], hostname, options.dns_updates) client_dns(cli_server[0], hostname, options.dns_updates)
configure_certmonger(fstore, subject_base, cli_realm, hostname, options) configure_certmonger(fstore, subject_base, cli_realm, hostname,
options, remote_env)
update_ssh_keys(cli_server[0], hostname, ipaservices.knownservices.sshd.get_config_dir(), options.create_sshfp) update_ssh_keys(cli_server[0], hostname, ipaservices.knownservices.sshd.get_config_dir(), options.create_sshfp)