URL:
https://github.com/freeipa/freeipa/pull/774
Title: #774: Deprecate pkinit-anonymous command
abbra commented:
"""
Just remove the command completely. FreeIPA prior to 4.5 never supported PKINIT operations
and never allowed using anonymous PKINIT. Disabling/enabling it was left for admins that
knew what they wanted. However, with FreeIPA 4.5 we require anonymous PKINIT to be enabled
all time -- be it with a local self-signed cert or with some other certificate issued by a
proper CA. An anonymous principal can only be used to create a FAST channel, nothing
else.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/774#issuecomment-303363619