Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
author: Simo Sorce <simo@redhat.com> 2016-07-26 11:19:01 -0400
committer: Jan Cholasta <jcholast@redhat.com> 2016-12-12 13:39:44 +0100
commit: ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6 (patch)
tree: 92b2245b68b343440591e47f82e4898d48c07c2e /ipalib
parent: 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d (diff)
download: freeipa-ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6.tar.gz
freeipa-ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6.tar.xz
freeipa-ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6.zip
1 files changed, 28 insertions, 15 deletions
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index c79cf9383..951ca9ab8 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -299,17 +299,17 @@ def add_subject(request_id, subject):
 
 
 def request_and_wait_for_cert(
-        nssdb, nickname, subject, principal, passwd_fname=None,
+        certpath, nickname, subject, principal, passwd_fname=None,
         dns=None, ca='IPA', profile=None,
-        pre_command=None, post_command=None):
+        pre_command=None, post_command=None, storage='NSSDB'):
     """
     Execute certmonger to request a server certificate.
 
     The method also waits for the certificate to be available.
     """
-    reqId = request_cert(nssdb, nickname, subject, principal,
+    reqId = request_cert(certpath, nickname, subject, principal,
                          passwd_fname, dns, ca, profile,
-                         pre_command, post_command)
+                         pre_command, post_command, storage)
     state = wait_for_request(reqId, api.env.startup_timeout)
     ca_error = get_request_value(reqId, 'ca-error')
     if state != 'MONITORING' or ca_error:
@@ -318,23 +318,29 @@ def request_and_wait_for_cert(
 
 
 def request_cert(
-        nssdb, nickname, subject, principal, passwd_fname=None,
-        dns=None, ca='IPA', profile=None, pre_command=None, post_command=None):
+        certpath, nickname, subject, principal, passwd_fname=None,
+        dns=None, ca='IPA', profile=None,
+        pre_command=None, post_command=None, storage='NSSDB'):
     """
     Execute certmonger to request a server certificate.
 
     ``dns``
         A sequence of DNS names to appear in SAN request extension.
     """
+    if storage == 'FILE':
+        certfile, keyfile = certpath
+    else:
+        certfile = certpath
+        keyfile = certpath
+
     cm = _certmonger()
     ca_path = cm.obj_if.find_ca_by_nickname(ca)
     if not ca_path:
         raise RuntimeError('{} CA not found'.format(ca))
-    request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB',
-                              CERT_LOCATION=nssdb, CERT_NICKNAME=nickname,
-                              KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
-                              SUBJECT=subject,
-                              CA=ca_path)
+    request_parameters = dict(KEY_STORAGE=storage, CERT_STORAGE=storage,
+                              CERT_LOCATION=certfile, CERT_NICKNAME=nickname,
+                              KEY_LOCATION=keyfile, KEY_NICKNAME=nickname,
+                              SUBJECT=subject, CA=ca_path)
     if principal:
         request_parameters['PRINCIPAL'] = [principal]
     if dns is not None and len(dns) > 0:
@@ -409,20 +415,27 @@ def start_tracking(nickname, secdir, password_file=None, command=None):
     return request.prop_if.Get(DBUS_CM_REQUEST_IF, 'nickname')
 
 
-def stop_tracking(secdir, request_id=None, nickname=None):
+def stop_tracking(secdir=None, request_id=None, nickname=None, certfile=None):
     """
     Stop tracking the current request using either the request_id or nickname.
 
     Returns True or False
     """
-    if request_id is None and nickname is None:
-        raise RuntimeError('Both request_id and nickname are missing.')
+    if request_id is None and nickname is None and certfile is None:
+        raise RuntimeError('One of request_id, nickname and certfile is'
+                           ' required.')
+    if secdir is not None and certfile is not None:
+        raise RuntimeError("Can't specify both secdir and certfile.")
 
-    criteria = {'cert-database': secdir}
+    criteria = dict()
+    if secdir:
+        criteria['cert-database'] = secdir
     if request_id:
         criteria['nickname'] = request_id
     if nickname:
         criteria['cert-nickname'] = nickname
+    if certfile:
+        criteria['cert-file'] = certfile
     try:
         request = _get_request(criteria)
     except RuntimeError as e:
author	Simo Sorce <simo@redhat.com>	2016-07-26 11:19:01 -0400
committer	Jan Cholasta <jcholast@redhat.com>	2016-12-12 13:39:44 +0100
commit	ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6 (patch)
tree	92b2245b68b343440591e47f82e4898d48c07c2e /ipalib
parent	32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d (diff)
download	freeipa-ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6.tar.gz freeipa-ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6.tar.xz freeipa-ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6.zip