From ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce Reviewed-By: Alexander Bokovoy Reviewed-By: Martin Babinsky --- ipalib/install/certmonger.py | 43 ++++++++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 15 deletions(-) (limited to 'ipalib') diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index c79cf9383..951ca9ab8 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py @@ -299,17 +299,17 @@ def add_subject(request_id, subject): def request_and_wait_for_cert( - nssdb, nickname, subject, principal, passwd_fname=None, + certpath, nickname, subject, principal, passwd_fname=None, dns=None, ca='IPA', profile=None, - pre_command=None, post_command=None): + pre_command=None, post_command=None, storage='NSSDB'): """ Execute certmonger to request a server certificate. The method also waits for the certificate to be available. """ - reqId = request_cert(nssdb, nickname, subject, principal, + reqId = request_cert(certpath, nickname, subject, principal, passwd_fname, dns, ca, profile, - pre_command, post_command) + pre_command, post_command, storage) state = wait_for_request(reqId, api.env.startup_timeout) ca_error = get_request_value(reqId, 'ca-error') if state != 'MONITORING' or ca_error: @@ -318,23 +318,29 @@ def request_and_wait_for_cert( def request_cert( - nssdb, nickname, subject, principal, passwd_fname=None, - dns=None, ca='IPA', profile=None, pre_command=None, post_command=None): + certpath, nickname, subject, principal, passwd_fname=None, + dns=None, ca='IPA', profile=None, + pre_command=None, post_command=None, storage='NSSDB'): """ Execute certmonger to request a server certificate. ``dns`` A sequence of DNS names to appear in SAN request extension. """ + if storage == 'FILE': + certfile, keyfile = certpath + else: + certfile = certpath + keyfile = certpath + cm = _certmonger() ca_path = cm.obj_if.find_ca_by_nickname(ca) if not ca_path: raise RuntimeError('{} CA not found'.format(ca)) - request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB', - CERT_LOCATION=nssdb, CERT_NICKNAME=nickname, - KEY_LOCATION=nssdb, KEY_NICKNAME=nickname, - SUBJECT=subject, - CA=ca_path) + request_parameters = dict(KEY_STORAGE=storage, CERT_STORAGE=storage, + CERT_LOCATION=certfile, CERT_NICKNAME=nickname, + KEY_LOCATION=keyfile, KEY_NICKNAME=nickname, + SUBJECT=subject, CA=ca_path) if principal: request_parameters['PRINCIPAL'] = [principal] if dns is not None and len(dns) > 0: @@ -409,20 +415,27 @@ def start_tracking(nickname, secdir, password_file=None, command=None): return request.prop_if.Get(DBUS_CM_REQUEST_IF, 'nickname') -def stop_tracking(secdir, request_id=None, nickname=None): +def stop_tracking(secdir=None, request_id=None, nickname=None, certfile=None): """ Stop tracking the current request using either the request_id or nickname. Returns True or False """ - if request_id is None and nickname is None: - raise RuntimeError('Both request_id and nickname are missing.') + if request_id is None and nickname is None and certfile is None: + raise RuntimeError('One of request_id, nickname and certfile is' + ' required.') + if secdir is not None and certfile is not None: + raise RuntimeError("Can't specify both secdir and certfile.") - criteria = {'cert-database': secdir} + criteria = dict() + if secdir: + criteria['cert-database'] = secdir if request_id: criteria['nickname'] = request_id if nickname: criteria['cert-nickname'] = nickname + if certfile: + criteria['cert-file'] = certfile try: request = _get_request(criteria) except RuntimeError as e: -- cgit