mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
Don't allow setting pkinit-related options on DL0
pkinit is not supported on DL0, remove options that allow to set it from ipa-{server,replica}-install. https://pagure.io/freeipa/issue/6801 Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
parent
6cda1509a6
commit
9e3ae785ac
@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
|
||||
certificate operations will be forwarded to a master with a CA installed.
|
||||
.TP
|
||||
\fB\-\-no\-pkinit\fR
|
||||
Disables pkinit setup steps
|
||||
Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
|
||||
.TP
|
||||
\fB\-\-dirsrv\-cert\-file\fR=FILE
|
||||
File containing the Directory Server SSL certificate and private key
|
||||
|
@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
|
||||
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
|
||||
.TP
|
||||
\fB\-\-no\-pkinit\fR
|
||||
Disables pkinit setup steps
|
||||
Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
|
||||
.TP
|
||||
\fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
|
||||
File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
|
||||
|
@ -332,9 +332,24 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
|
||||
if not os.path.exists(value):
|
||||
raise ValueError("File %s does not exist." % value)
|
||||
|
||||
def _is_promote(self):
|
||||
"""
|
||||
:returns: True if domain level options correspond to domain level > 0
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
def __init__(self, **kwargs):
|
||||
super(ServerInstallInterface, self).__init__(**kwargs)
|
||||
|
||||
# pkinit is not supported on DL0, don't allow related options
|
||||
if not self._is_promote():
|
||||
if (self.no_pkinit or self.pkinit_cert_files is not None or
|
||||
self.pkinit_pin is not None):
|
||||
raise RuntimeError(
|
||||
"pkinit on domain level 0 is not supported. Please "
|
||||
"don't use any pkinit-related options.")
|
||||
self.no_pkinit = True
|
||||
|
||||
# If any of the key file options are selected, all are required.
|
||||
cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
|
||||
cert_file_opt = (self.pkinit_cert_files,)
|
||||
@ -557,6 +572,9 @@ class ServerMasterInstall(ServerMasterInstallInterface):
|
||||
add_sids = True
|
||||
add_agents = False
|
||||
|
||||
def _is_promote(self):
|
||||
return self.domain_level > constants.DOMAIN_LEVEL_0
|
||||
|
||||
def __init__(self, **kwargs):
|
||||
super(ServerMasterInstall, self).__init__(**kwargs)
|
||||
master_init(self)
|
||||
@ -590,6 +608,9 @@ class ServerReplicaInstall(ServerReplicaInstallInterface):
|
||||
description="Kerberos password for the specified admin principal",
|
||||
)
|
||||
|
||||
def _is_promote(self):
|
||||
return self.replica_file is None
|
||||
|
||||
def __init__(self, **kwargs):
|
||||
super(ServerReplicaInstall, self).__init__(**kwargs)
|
||||
replica_init(self)
|
||||
|
Loading…
Reference in New Issue
Block a user