Since FreeIPA 4.5 framework relies on some form of anonymous PKINIT to obtain FAST armor tickets during password auth requests, some form of PKINIT is always configured during install/upgrade.
Thus it does not make sense to maintain pkinit-anonymous subcommand. We should mark it as deprecated and make it a no-op, since locking anonymous principal can completely break password-based auth on the masters (e.g. WebUI logins).
Metadata Update from @pvoborni: - Issue priority set to: blocker - Issue set to the milestone: FreeIPA 4.5.1
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1449522
Issue linked to bug 1449522
Metadata Update from @stlaz: - Issue assigned to stlaz
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone
master:
ipa-4-5:
Metadata Update from @mbabinsk: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.