From e17438cca414b1bc7a5c21da502550a520f25a67 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 ipapython/dogtag.py | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'ipapython')

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index f4f1955eb..eb1f73eee 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -48,9 +48,13 @@ Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store
 INCLUDED_PROFILES = {
     Profile(u'caIPAserviceCert', u'Standard profile for network services', True),
     Profile(u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
+    Profile(u'KDCs_PKINIT_Certs',
+            u'Profile for PKINIT support by KDCs',
+            False),
     }
 
 DEFAULT_PROFILE = u'caIPAserviceCert'
+KDC_PROFILE = u'KDCs_PKINIT_Certs'
 
 
 def error_from_xml(doc, message_template):
-- 
cgit