Remove pkinit options from master/replica on DL0 #640
Conversation
ipaserver/install/server/__init__.py (outdated)
| if (self.no_pkinit or self.pkinit_cert_files is not None or | ||
| self.pkinit_pin is not None): | ||
| raise RuntimeError( | ||
| "pkinit on domain level 0 is not supported. Please don't " |
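Review bot: The condition also fires on self.no_pkinit, so a user who passes --no-pkinit on domain level 0 is told "pkinit on domain level 0 is not supported", which reads as a contradiction since they asked for no pkinit. Either drop self.no_pkinit from the condition and reject only --pkinit-cert-file and --pkinit-pin, or have the message list the pkinit-related options that are not accepted on DL0 so the reason for the error is clear.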
Can you please edit the man page as well to describe this change?
Sure, I will put the behavior of no-pkinit on domain level 0 to the correct man pages.
The reasoning as to why this change was done is to be found in the commit message.
Branch force-pushed from 8662e66 to 8bcbe05.
@abbra I believe these changes are in line with our recent discussion regarding pkinit availability on DL0. Do you agree?
ipaserver/install/server/__init__.py (outdated)
| @@ -335,6 +335,14 @@ def dirsrv_config_file(self, value): | |||
| def __init__(self, **kwargs): | |||
| super(ServerInstallInterface, self).__init__(**kwargs) | |||
|
|
|||
| if self.domain_level == constants.DOMAIN_LEVEL_0: | |||
| if (self.no_pkinit or self.pkinit_cert_files is not None or | |||
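Review bot: The check sits in ServerInstallInterface.__init__ right after super().__init__, so it assumes every installer built on this interface defines domain_level, no_pkinit, pkinit_cert_files and pkinit_pin; the replica installer is covered by this PR as well, so confirm those attributes exist there before the comparison, otherwise an AttributeError is raised instead of the intended RuntimeError. Also confirm that constants is imported in this module, since the hunk references constants.DOMAIN_LEVEL_0 without showing the import.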
I'd drop self.no_pkinit from the expression.
If we allow --no-pkinit to be specified on DL0 the user might think that not-using it may change something for them IMO.
But it is contradictory: the user specifies --no-pkinit and gets the error "pkinit on domain level 0 is not supported".
That's why there's the part not to use any pkinit-related options.
Good question. I think we should remove all mention of PKINIT options for DL0 and explicitly configure the local CA there. On DL1 we already require providing a pkinit cert for a CA-less setup. However, there we should treat --no-pkinit as use of the local CA (certmonger's one).
Ah, right, replica does not have
With this PR applied I cannot use the webUI with DL0
Without this patch, if either of dirsrv_cert_files, http_cert_files or pkinit_cert_files is set along with no-pkinit, the user is first requested to add the remaining options and when they do that, they are told that they are using 'no-pkinit' along with 'pkinit-cert-file'. https://pagure.io/freeipa/issue/6801
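The two check orderings described in the comment above, as an added Python model written for this page (not FreeIPA's code; the option and attribute names are assumed to mirror the installer's, and DOMAIN_LEVEL_0 stands in for constants.DOMAIN_LEVEL_0):

```python
from dataclasses import dataclass
from typing import Optional, Sequence

DOMAIN_LEVEL_0 = 0  # stands in for constants.DOMAIN_LEVEL_0 (assumed value)


@dataclass
class Options:  # subset of the installer options involved (names assumed)
    domain_level: int = 1
    no_pkinit: bool = False
    dirsrv_cert_files: Optional[Sequence[str]] = None
    http_cert_files: Optional[Sequence[str]] = None
    pkinit_cert_files: Optional[Sequence[str]] = None


def validate(o: Options, fixed: bool = True) -> Optional[str]:
    """Return the first error message, or None when the options are consistent.
    fixed=False reproduces the order complained about: the CA-less completeness
    check runs first and always demands all three cert files, so a --no-pkinit
    user is asked for --pkinit-cert-file and then rejected for supplying it."""
    cert_files = {
        "--dirsrv-cert-file": o.dirsrv_cert_files,
        "--http-cert-file": o.http_cert_files,
        "--pkinit-cert-file": o.pkinit_cert_files,
    }
    # DL0 rejection as in the hunk reviewed above (no_pkinit included as posted)
    if o.domain_level == DOMAIN_LEVEL_0 and (
            o.no_pkinit or o.pkinit_cert_files is not None):
        return "pkinit on domain level 0 is not supported"

    def conflict() -> Optional[str]:
        if o.no_pkinit and o.pkinit_cert_files is not None:
            return "--no-pkinit cannot be combined with --pkinit-cert-file"
        return None

    def ca_less_complete() -> Optional[str]:
        required = dict(cert_files)
        if fixed and o.no_pkinit:
            required.pop("--pkinit-cert-file")  # pkinit is off: no cert needed
        if any(v is not None for v in cert_files.values()):
            missing = sorted(k for k, v in required.items() if v is None)
            if missing:
                return "missing " + ", ".join(missing)
        return None

    checks = (conflict, ca_less_complete) if fixed else (ca_less_complete, conflict)
    for check in checks:
        msg = check()
        if msg:
            return msg
    return None
```

With fixed=False the user is first asked for the missing files and, after adding --pkinit-cert-file, hits the --no-pkinit conflict; with fixed=True the conflict is reported first and --no-pkinit drops the pkinit cert from the required set.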
Branch force-pushed from 8bcbe05 to 5a2e0cb.
@MartinBasti Even though this patchset basically breaks the behavior, it's not in its scope to fix it; it's somehow intended to break it, actually. It will be fixed elsewhere. I fixed the issue with running this on replica and removed one redundant check as well. I also noticed that DL0 replica has a usability issue where it checks for either
pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.
https://pagure.io/freeipa/issue/6801
Remove the references to the pkinit options which was forgotten about in 46d4d53 https://pagure.io/freeipa/issue/6801
There was a redundant check for CA-less install certificate files for replicas but the same check is done for all installers before that. https://pagure.io/freeipa/issue/6801
Branch force-pushed from 5a2e0cb to fc5315b.
Pushed a cleaner version of the previous changes, thanks @HonzaCholasta for the suggestion.
@MartinBasti WebUI not working in DL0/--no-pkinit is beyond the scope of this PR. I am working on fixing that in a separate PR.
This patchset removes the ability to set pkinit options on domain level 0 for server/replica installs. It also fixes a usability issue with --no-pkinit that I noticed and did not care to create a ticket for.