author | Simo Sorce <ssorce@redhat.com> | 2010-11-02 18:02:59 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2010-11-18 15:09:45 -0500 |
commit | e05c2474904f56a5a385ed5008995e0f8a277322 (patch) | |
tree | 1f3a81a6c8bf5302533611abf444601b117a9257 /ipaserver/install/krbinstance.py | |
parent | 59cf6f86194c8bccc524d324a45b0e9b21b641f3 (diff) | |
anon-pkinit: add well known principal
leave it disabled for now
We can change this default once we have some restriction on what services
this principal can get tickets for.
Diffstat (limited to 'ipaserver/install/krbinstance.py')
-rw-r--r-- | ipaserver/install/krbinstance.py | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index bfcb86999..f6650d80c 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -195,6 +195,7 @@ class KrbInstance(service.Service):
self.step("adding the kerberos master key to the directory", self.__add_master_key)
if setup_pkinit:
self.step("creating X509 Certificate for PKINIT", self.__setup_pkinit)
+ self.step("creating principal for anonymous PKINIT", self.__add_anonymous_pkinit_principal)
self.__common_post_setup()
@@ -521,6 +522,23 @@ class KrbInstance(service.Service):
shutil.copyfile("/usr/share/ipa/html/ca.crt", "/var/kerberos/krb5kdc/cacert.pem")
+ def __add_anonymous_pkinit_principal(self):
+ princ = "WELLKNOWN/ANONYMOUS"
+ princ_realm = "%s@%s" % (princ, self.realm)
+
+ # Create the special anonymous principal
+ installutils.kadmin_addprinc(princ_realm)
+ try:
+ conn = ipaldap.IPAdmin("127.0.0.1")
+ conn.simple_bind_s("cn=directory manager", self.admin_password)
+ except Exception, e:
+ logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
+ raise e
+
+ dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (princ_realm, self.realm, self.suffix)
+ conn.inactivateEntry(dn, False)
+ conn.unbind()
+
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name) |
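Review bot: In __add_anonymous_pkinit_principal the principal is created with installutils.kadmin_addprinc before the LDAP bind is attempted, so if IPAdmin("127.0.0.1") or simple_bind_s fails the method raises with WELLKNOWN/ANONYMOUS already created and never passed to inactivateEntry — presumably left enabled, which is the opposite of the "leave it disabled for now" intent stated in the commit message. The same gap exists if inactivateEntry itself raises: the principal stays as created and conn.unbind() is skipped, leaking the connection. Binding first and wrapping the create-and-disable step in try/finally closes both gaps; the except branch should also use a bare `raise` rather than `raise e`, which drops the original traceback. The log message names self.fqdn while the connection goes to 127.0.0.1, which may mislead whoever reads the install log.
```python
    def __add_anonymous_pkinit_principal(self):
        princ = "WELLKNOWN/ANONYMOUS"
        princ_realm = "%s@%s" % (princ, self.realm)

        # Bind first so a connection failure leaves no enabled principal behind
        try:
            conn = ipaldap.IPAdmin("127.0.0.1")
            conn.simple_bind_s("cn=directory manager", self.admin_password)
        except Exception:
            logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
            raise

        try:
            # Create the special anonymous principal and disable it right away
            installutils.kadmin_addprinc(princ_realm)
            dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (princ_realm, self.realm, self.suffix)
            conn.inactivateEntry(dn, False)
        finally:
            conn.unbind()
```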