From e05c2474904f56a5a385ed5008995e0f8a277322 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 2 Nov 2010 18:02:59 -0400
Subject: anon-pkinit: add well known principal
leave it disabled for now we can change this default once we will have some restriction on what services this principal can get tickets for.
---
 ipaserver/install/krbinstance.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'ipaserver/install')
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index bfcb86999..f6650d80c 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -195,6 +195,7 @@ class KrbInstance(service.Service):
 self.step("adding the kerberos master key to the directory", self.__add_master_key)
 if setup_pkinit:
 self.step("creating X509 Certificate for PKINIT", self.__setup_pkinit)
+ self.step("creating principal for anonymous PKINIT", self.__add_anonymous_pkinit_principal)
 self.__common_post_setup()
@@ -521,6 +522,23 @@ class KrbInstance(service.Service):
 shutil.copyfile("/usr/share/ipa/html/ca.crt", "/var/kerberos/krb5kdc/cacert.pem")
+ def __add_anonymous_pkinit_principal(self):
+ princ = "WELLKNOWN/ANONYMOUS"
+ princ_realm = "%s@%s" % (princ, self.realm)
+
+ # Create the special anonymous principal
+ installutils.kadmin_addprinc(princ_realm)
+ try:
+ conn = ipaldap.IPAdmin("127.0.0.1")
+ conn.simple_bind_s("cn=directory manager", self.admin_password)
+ except Exception, e:
+ logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
+ raise e
+
+ dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (princ_realm, self.realm, self.suffix)
+ conn.inactivateEntry(dn, False)
+ conn.unbind()
+
 def uninstall(self):
 if self.is_configured():
 self.print_msg("Unconfiguring %s" % self.service_name)
-- cgit
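Review bot: The failure path in `__add_anonymous_pkinit_principal` can leave `WELLKNOWN/ANONYMOUS` enabled: `installutils.kadmin_addprinc(princ_realm)` runs before the LDAP bind, so if `ipaldap.IPAdmin("127.0.0.1")` or `simple_bind_s` fails the principal already exists but `conn.inactivateEntry(dn, False)` is never reached, which contradicts the commit's stated intent of keeping it disabled until there is a restriction on which services it can get tickets for. An exception from `inactivateEntry` likewise skips `conn.unbind()`, and `raise e` discards the original traceback where a bare `raise` keeps it. Binding first and doing the create-then-inactivate inside a `try`/`finally` closes both gaps, and a one-line comment on the inactivation stating why the principal is created disabled would help the next reader; an inactivation failure still propagates, so the installer fails loudly rather than silently leaving the principal active. `uninstall`'s body continues outside the hunk.

```python
    def __add_anonymous_pkinit_principal(self):
        princ = "WELLKNOWN/ANONYMOUS"
        princ_realm = "%s@%s" % (princ, self.realm)

        # Bind before creating the principal: if the directory is unreachable
        # we must not be left with an active anonymous principal nobody disables.
        try:
            conn = ipaldap.IPAdmin("127.0.0.1")
            conn.simple_bind_s("cn=directory manager", self.admin_password)
        except Exception:
            logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
            raise

        try:
            # Create the special anonymous principal, then inactivate it at once:
            # it stays disabled until a policy limits which services it may reach.
            installutils.kadmin_addprinc(princ_realm)
            dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (princ_realm, self.realm, self.suffix)
            conn.inactivateEntry(dn, False)
        finally:
            conn.unbind()
```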