summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/krbinstance.py
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2010-11-02 18:02:59 -0400
committerSimo Sorce <ssorce@redhat.com>2010-11-18 15:09:45 -0500
commite05c2474904f56a5a385ed5008995e0f8a277322 (patch)
tree1f3a81a6c8bf5302533611abf444601b117a9257 /ipaserver/install/krbinstance.py
parent59cf6f86194c8bccc524d324a45b0e9b21b641f3 (diff)
downloadfreeipa-e05c2474904f56a5a385ed5008995e0f8a277322.tar.gz
freeipa-e05c2474904f56a5a385ed5008995e0f8a277322.tar.xz
freeipa-e05c2474904f56a5a385ed5008995e0f8a277322.zip
anon-pkinit: add well known principal
leave it disabled for now we can change this default once we will have some restriction on what services this principal can get tickets for.
Diffstat (limited to 'ipaserver/install/krbinstance.py')
-rw-r--r--ipaserver/install/krbinstance.py18
1 files changed, 18 insertions, 0 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index bfcb86999..f6650d80c 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -195,6 +195,7 @@ class KrbInstance(service.Service):
self.step("adding the kerberos master key to the directory", self.__add_master_key)
if setup_pkinit:
self.step("creating X509 Certificate for PKINIT", self.__setup_pkinit)
+ self.step("creating principal for anonymous PKINIT", self.__add_anonymous_pkinit_principal)
self.__common_post_setup()
@@ -521,6 +522,23 @@ class KrbInstance(service.Service):
shutil.copyfile("/usr/share/ipa/html/ca.crt",
"/var/kerberos/krb5kdc/cacert.pem")
+ def __add_anonymous_pkinit_principal(self):
+ princ = "WELLKNOWN/ANONYMOUS"
+ princ_realm = "%s@%s" % (princ, self.realm)
+
+ # Create the special anonymous principal
+ installutils.kadmin_addprinc(princ_realm)
+ try:
+ conn = ipaldap.IPAdmin("127.0.0.1")
+ conn.simple_bind_s("cn=directory manager", self.admin_password)
+ except Exception, e:
+ logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
+ raise e
+
+ dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (princ_realm, self.realm, self.suffix)
+ conn.inactivateEntry(dn, False)
+ conn.unbind()
+
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)