Remove pkinit-anonymous command #774
Conversation
stlaz
force-pushed
the
pkinit_deprecate
branch
2 times, most recently
from
09bc1fe
to
02e9b01
Compare
ipaserver/plugins/pkinit.py
Outdated
| For more information on anonymous pkinit see: | ||
|
|
||
| http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit | ||
| This module is deprecated since FreeIPA 4.5.1 |
There was a problem hiding this comment.
I would write that the whole module is deprecated (as there will probably be the pkinit-status command in this module, see #790. You can rather write that the pkinit-anonymous commands are deprecated and I will then re-write the module docstring in my PR.
ipaserver/plugins/pkinit.py
Outdated
|
|
||
| takes_args = ( | ||
| Str('action', valid_arg), | ||
| Str('action?'), |
There was a problem hiding this comment.
Why is action turned into a optional argument? is this required?
There was a problem hiding this comment.
I don't want users to be bothered by error messages that action is required or whatever is printed there should action not be provided, given that the output stays the same no matter what.
There was a problem hiding this comment.
True if it is deprecated and no-op, then we should not bother users about required options. Do you agree @HonzaCholasta ?
There was a problem hiding this comment.
We should remove the command completely, as it never really worked.
|
Just remove the command completely. FreeIPA prior to 4.5 never supported PKINIT operations and never allowed using anonymous PKINIT. Disabling/enabling it was left for admins that knew what they wanted. However, with FreeIPA 4.5 we require anonymous PKINIT to be enabled all time -- be it with a local self-signed cert or with some other certificate issued by a proper CA. An anonymous principal can only be used to create a FAST channel, nothing else. |
Ever since from v4.5, FreeIPA expects at least some kind of anonymous PKINIT to work. The pkinit-anonymous command was supposed to enable/disable anonymous pkinit by locking/unlocking the anonymous principal. We can't allow this for FreeIPA to work so we are removing the command as it was never supported anyway. https://pagure.io/freeipa/issue/6936
|
Thanks, pruned the file a bit. |
stlaz
changed the title
martbab
added
ack
|
master:
|
|
ipa-4-5 needs a separate PR due to merge conflicts. |
Ever since from v4.5, FreeIPA expects at least some kind of
anonymous PKINIT to work. Deprecate the command which is
capable of turning this feature off.
https://pagure.io/freeipa/issue/6936