Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

2 files changed, 10 insertions, 1 deletions

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index c28c095fb..c0c676b87 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -22,7 +22,8 @@ from ipapython.install.common import step
 from ipapython.install.core import Knob
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import (
-    decrypt_file, format_netloc, ipa_generate_password, run, user_input)
+    decrypt_file, format_netloc, ipa_generate_password, run, user_input,
+    is_fips_enabled)
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
@@ -319,6 +320,10 @@ def install_check(installer):
     external_ca_file = installer._external_ca_file
     http_ca_cert = installer._ca_cert
 
+    if is_fips_enabled():
+        raise RuntimeError(
+            "Installing IPA server in FIPS mode is not supported")
+
     tasks.check_selinux_status()
 
     if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0277d324a..9e5bc0aa8 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -483,6 +483,10 @@ def install_check(installer):
     options = installer
     filename = installer.replica_file
 
+    if ipautil.is_fips_enabled():
+        raise RuntimeError(
+            "Installing IPA server in FIPS mode is not supported")
+
     tasks.check_selinux_status()
 
     if is_ipa_configured():