| author | John Dennis <jdennis@redhat.com> | 2012-11-15 14:57:52 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-23 14:26:42 -0500 |
| commit | a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 | |
| tree | 1832274281bcb92cd933b2262b2be221efd031f5 /ipa-client/man | |
| parent | 91f4af7e6af53e1c6bf17ed36cb2161863eddae4 | |
Use secure method to acquire IPA CA certificate
Major changes ipa-client-install:
* Use GSSAPI connection to LDAP server to download CA cert (now
the default method)
* Add --ca-cert-file option to load the CA cert from a disk file.
Validate the file. If this option is used the supplied CA cert
is considered definitive.
* The insecure HTTP retrieval method is still supported but it must be
explicitly forced and a warning will be emitted.
* Remain backward compatible with unattended case (except for aberrant
condition when preexisting /etc/ipa/ca.crt differs from securely
obtained CA cert, see below)
* If /etc/ipa/ca.crt CA cert preexists then validate it matches the
securely acquired CA cert, if not:
- If --unattended and not --force abort with error
- If interactive query user to accept new CA cert, if not abort
In either case warn user.
* If interactive and LDAP retrieval fails prompt user if they want to
proceed with insecure HTTP method
* If not interactive and LDAP retrieval fails abort unless --force
* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
if ipa-client-install fails it will be restored.
Other changes:
* Add new exception class CertificateInvalidError
* Add utility convert_ldap_error() to ipalib.ipautil
* Replace all hardcoded instances of /etc/ipa/ca.crt in
ipa-client-install with CACERT constant (matches existing practice
elsewhere).
* ipadiscovery no longer retrieves CA cert via HTTP.
* Handle LDAP minssf failures during discovery, treat failure to check
ldap server as a warning in absence of a provided CA certificate via
--ca-cert-file or through existing /etc/ipa/ca.crt file.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipa-client/man')
-rw-r--r-- ipa-client/man/ipa-client-install.1 | 8 +
1 files changed, 8 insertions, 0 deletions
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index abd74666e..35aea4e4a 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -97,6 +97,14 @@ Print debugging information to stdout .TP \fB\-U\fR, \fB\-\-unattended\fR Unattended installation. The user will not be prompted. +.TP +\fB\-\-ca-cert-file\fR=\fICA_FILE\fR +Do not attempt to acquire the IPA CA certificate via automated means, +instead use the CA certificate found locally in in \fICA_FILE\fR. The +\fICA_FILE\fR must be an absolute path to a PEM formatted certificate +file. The CA certificate found in \fICA_FILE\fR is considered +authoritative and will be installed without checking to see if it's +valid for the IPA domain. .SS "SSSD OPTIONS" .TP |
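Review bot: the new `\-\-ca-cert-file` description has a duplicated word ("found locally in in \fICA_FILE\fR") and should say what is and is not checked: the commit message states the file is validated, while the man page says the certificate is installed without checking validity for the IPA domain, so spell out that the check is limited to the file being a readable PEM certificate and that the certificate is otherwise trusted as supplied. The text also leaves undocumented the behaviour the commit message describes for a preexisting /etc/ipa/ca.crt that differs from the supplied one (abort under `\-\-unattended` without `\-\-force`, prompt when interactive); a sentence here, or under the `\-\-force` entry, would tell an administrator what to expect before they run the install.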