IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Configure Anonymous PKINIT on server install

Browse Source 
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Simo Sorce
2016-07-26 11:19:01 -04:00
committed by Jan Cholasta
parent 32b1743e5f
commit ca4e6c1fdf
18 changed files with 325 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
ipalib/install/certmonger.py
View File

@@ -299,17 +299,17 @@ def add_subject(request_id, subject):
def request_and_wait_for_cert(
nssdb, nickname, subject, principal, passwd_fname=None,
certpath, nickname, subject, principal, passwd_fname=None,
dns=None, ca='IPA', profile=None,
pre_command=None, post_command=None):
pre_command=None, post_command=None, storage='NSSDB'):
"""
Execute certmonger to request a server certificate.
The method also waits for the certificate to be available.
"""
reqId = request_cert(nssdb, nickname, subject, principal,
reqId = request_cert(certpath, nickname, subject, principal,
passwd_fname, dns, ca, profile,
pre_command, post_command)
pre_command, post_command, storage)
state = wait_for_request(reqId, api.env.startup_timeout)
ca_error = get_request_value(reqId, 'ca-error')
if state != 'MONITORING' or ca_error:
@@ -318,23 +318,29 @@ def request_and_wait_for_cert(
def request_cert(
nssdb, nickname, subject, principal, passwd_fname=None,
dns=None, ca='IPA', profile=None, pre_command=None, post_command=None):
certpath, nickname, subject, principal, passwd_fname=None,
dns=None, ca='IPA', profile=None,
pre_command=None, post_command=None, storage='NSSDB'):
"""
Execute certmonger to request a server certificate.
``dns``
A sequence of DNS names to appear in SAN request extension.
"""
if storage == 'FILE':
certfile, keyfile = certpath
else:
certfile = certpath
keyfile = certpath
cm = _certmonger()
ca_path = cm.obj_if.find_ca_by_nickname(ca)
if not ca_path:
raise RuntimeError('{} CA not found'.format(ca))
request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB',
CERT_LOCATION=nssdb, CERT_NICKNAME=nickname,
KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
SUBJECT=subject,
CA=ca_path)
request_parameters = dict(KEY_STORAGE=storage, CERT_STORAGE=storage,
CERT_LOCATION=certfile, CERT_NICKNAME=nickname,
KEY_LOCATION=keyfile, KEY_NICKNAME=nickname,
SUBJECT=subject, CA=ca_path)
if principal:
request_parameters['PRINCIPAL'] = [principal]
if dns is not None and len(dns) > 0:
@@ -409,20 +415,27 @@ def start_tracking(nickname, secdir, password_file=None, command=None):
return request.prop_if.Get(DBUS_CM_REQUEST_IF, 'nickname')
def stop_tracking(secdir, request_id=None, nickname=None):
def stop_tracking(secdir=None, request_id=None, nickname=None, certfile=None):
"""
Stop tracking the current request using either the request_id or nickname.
Returns True or False
"""
if request_id is None and nickname is None:
raise RuntimeError('Both request_id and nickname are missing.')
if request_id is None and nickname is None and certfile is None:
raise RuntimeError('One of request_id, nickname and certfile is'
' required.')
if secdir is not None and certfile is not None:
raise RuntimeError("Can't specify both secdir and certfile.")
criteria = {'cert-database': secdir}
criteria = dict()
if secdir:
criteria['cert-database'] = secdir
if request_id:
criteria['nickname'] = request_id
if nickname:
criteria['cert-nickname'] = nickname
if certfile:
criteria['cert-file'] = certfile
try:
request = _get_request(criteria)
except RuntimeError as e: