URL: https://github.com/freeipa/freeipa/pull/687 Author: stlaz Title: #687: Add pki_pin only when needed Action: opened
PR body: """ If both the pki-tomcat NSS database and its password.conf have been created, don't try to override the password.conf file. https://pagure.io/freeipa/issue/6839 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/687/head:pr687 git checkout pr687
From 189749e0c7d306d9d393c02e8c20618b4c9e67a1 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Mon, 3 Apr 2017 14:08:46 +0200
Subject: [PATCH] Add pki_pin only when needed
If both the pki-tomcat NSS database and its password.conf have been created, don't try to override the password.conf file.
https://pagure.io/freeipa/issue/6839
---
ipaserver/install/cainstance.py | 10 +++++++---
ipaserver/install/krainstance.py | 10 +++++++---
2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2d33a97..0f3e258 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -541,9 +541,13 @@ def __spawn_instance(self):
 # CA key algorithm config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
- # generate pin which we know can be used for FIPS NSS database
- pki_pin = ipautil.ipa_generate_password()
- config.set("CA", "pki_pin", pki_pin)
+ if not (os.path.exists(paths.PKI_TOMCAT_ALIAS_DIR) and
+ os.path.exists(paths.PKI_TOMCAT_PASSWORD_CONF)):
+ # generate pin which we know can be used for FIPS NSS database
+ pki_pin = ipautil.ipa_generate_password()
+ config.set("CA", "pki_pin", pki_pin)
+ else:
+ pki_pin = None
 if self.clone:
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 6fa4f0f..521b80b 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
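Review bot: The new guard in the cainstance.py hunk tests only that the two paths exist, so an empty or stale password.conf left behind by an aborted install would suppress `pki_pin` just as a valid one does. A stricter test such as `os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF) and os.path.getsize(paths.PKI_TOMCAT_PASSWORD_CONF) > 0` would narrow that, and the removed comment implies the generated pin was chosen to be FIPS-safe, which a reused file no longer guarantees (inferred; the file's contents are not visible here). The else branch sets `pki_pin = None`, and __spawn_instance continues past the hunk, so any later use of `pki_pin` must tolerate None. The krainstance.py hunk adds the identical guard and has the same gaps.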
@@ -235,9 +235,13 @@ def __spawn_instance(self):
 "KRA", "pki_share_dbuser_dn", str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
- # generate pin which we know can be used for FIPS NSS database
- pki_pin = ipautil.ipa_generate_password()
- config.set("KRA", "pki_pin", pki_pin)
+ if not (os.path.exists(paths.PKI_TOMCAT_ALIAS_DIR) and
+ os.path.exists(paths.PKI_TOMCAT_PASSWORD_CONF)):
+ # generate pin which we know can be used for FIPS NSS database
+ pki_pin = ipautil.ipa_generate_password()
+ config.set("KRA", "pki_pin", pki_pin)
+ else:
+ pki_pin = None
 _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
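Review bot: This guard is a line-for-line copy of the one added to cainstance.py, differing only in the "KRA" section name, so the two can drift apart when one is later tightened. A single shared helper that returns whether the existing NSS database and password.conf should be kept would give both installers one place to fix. The retained comment explains only the generate branch; a line above the `if` such as `# keep the existing password.conf when the NSS DB is already set up` would record why the pin is withheld. __spawn_instance starts and ends outside this hunk.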