authorSimo Sorce <ssorce@redhat.com>2010-11-02 18:02:59 -0400
committerSimo Sorce <ssorce@redhat.com>2010-11-18 15:09:45 -0500
commite05c2474904f56a5a385ed5008995e0f8a277322 (patch)
tree1f3a81a6c8bf5302533611abf444601b117a9257
parent59cf6f86194c8bccc524d324a45b0e9b21b641f3 (diff)
anon-pkinit: add well known principal
Leave it disabled for now; we can change this default once we have some restriction on what services this principal can get tickets for.
-rw-r--r--ipaserver/install/krbinstance.py18
1 files changed, 18 insertions, 0 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index bfcb86999..f6650d80c 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -195,6 +195,7 @@ class KrbInstance(service.Service):
self.step("adding the kerberos master key to the directory", self.__add_master_key)
if setup_pkinit:
self.step("creating X509 Certificate for PKINIT", self.__setup_pkinit)
+ self.step("creating principal for anonymous PKINIT", self.__add_anonymous_pkinit_principal)
self.__common_post_setup()
@@ -521,6 +522,23 @@ class KrbInstance(service.Service):
shutil.copyfile("/usr/share/ipa/html/ca.crt",
"/var/kerberos/krb5kdc/cacert.pem")
+ def __add_anonymous_pkinit_principal(self):
+ princ = "WELLKNOWN/ANONYMOUS"
+ princ_realm = "%s@%s" % (princ, self.realm)
+
+ # Create the special anonymous principal
+ installutils.kadmin_addprinc(princ_realm)
+ try:
+ conn = ipaldap.IPAdmin("127.0.0.1")
+ conn.simple_bind_s("cn=directory manager", self.admin_password)
+ except Exception, e:
+ logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
+ raise e
+
+ dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (princ_realm, self.realm, self.suffix)
+ conn.inactivateEntry(dn, False)
+ conn.unbind()
+
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)