authorSimo Sorce <simo@redhat.com>2016-07-26 11:19:01 -0400
committerSimo Sorce <simo@redhat.com>2016-12-08 19:54:30 -0500
commite17438cca414b1bc7a5c21da502550a520f25a67 (patch)
treee387e32f96a2893a1729a738cf7350b4b5a7611b /ipapython
parentfad87a9962ee33cfebc4fa59aba589e98b076cea (diff)
Configure Anonymous PKINIT on server installkdc-pkinit
Allow anonymous PKINIT to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA, for example) using an anonymous krbtgt obtained via PKINIT. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/dogtag.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index f4f1955eb..eb1f73eee 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -48,9 +48,13 @@ Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store
INCLUDED_PROFILES = {
Profile(u'caIPAserviceCert', u'Standard profile for network services', True),
Profile(u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
+ Profile(u'KDCs_PKINIT_Certs',
+ u'Profile for PKINIT support by KDCs',
+ False),
}
DEFAULT_PROFILE = u'caIPAserviceCert'
+KDC_PROFILE = u'KDCs_PKINIT_Certs'
def error_from_xml(doc, message_template):
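Review bot: The profile ID `u'KDCs_PKINIT_Certs'` is spelled out twice, once in the new `INCLUDED_PROFILES` entry and once in `KDC_PROFILE`, so a later rename or typo in one place would leave the constant naming a profile that is never imported. Defining `KDC_PROFILE = u'KDCs_PKINIT_Certs'` above the set and writing the entry as `Profile(KDC_PROFILE, u'Profile for PKINIT support by KDCs', False),` keeps the two tied together; the existing `DEFAULT_PROFILE` follows the same duplicated pattern. The new entry is also the only one that passes `False` as its third field, whose name is cut off in the hunk header (`'store…`) but which presumably controls whether issued certificates are stored, so a one-line comment stating why KDC certificates differ from the other two profiles would help. Since certificates issued from this profile identify a KDC, it would also be worth noting next to `KDC_PROFILE` that it is intended for the server's own KDC certificate and not for general service requests, so that whoever later maintains the access rules for profiles keeps it restricted.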