Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option. The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.
Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.
This patch adds full customisability of the CA subject DN.
Specifically:
- Add the --ca-subject option for specifying the full IPA CA subject
DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".
- ipa-ca-install, when installing a CA in a previous CA-less
topology, updates DS certmap.conf with the new new CA subject DN.
- DsInstance.find_subject_base no longer looks in certmap.conf,
because the CA subject DN can be unrelated to the subject base.
Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.
https://fedorahosted.org/freeipa/ticket/5678
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.
This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Migrate ipa-server-install and ipa-replica-install from the old installer
classes to the new installer class hierarchy classes.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add class hierarchy which allows inherting knob definitions between the
various client and server install scripts.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Until ipa-server-install, ipa-replica-install and ipa-server-upgrade are merged
into a single code base, keep their respective bits in separate modules in the
package.
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Martin Basti <mbasti@redhat.com>
