URL: https://github.com/freeipa/freeipa/pull/687 Author: stlaz Title: #687: Add pki_pin only when needed Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/687/head:pr687 git checkout pr687
From 429f8dae4ea3b53894068d37e49ae2a5a05c29a0 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 3 Apr 2017 14:08:46 +0200 Subject: [PATCH] Add pki_pin only when needed If both the pki-tomcat NSS database and its password.conf have been created, don't try to override the password.conf file. https://pagure.io/freeipa/issue/6839 --- ipaserver/install/cainstance.py | 10 +++++++--- ipaserver/install/krainstance.py | 10 +++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 2d33a97..1d44c0d 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -541,9 +541,13 @@ def __spawn_instance(self): # CA key algorithm config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm) - # generate pin which we know can be used for FIPS NSS database - pki_pin = ipautil.ipa_generate_password() - config.set("CA", "pki_pin", pki_pin) + if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and + os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)): + # generate pin which we know can be used for FIPS NSS database + pki_pin = ipautil.ipa_generate_password() + config.set("CA", "pki_pin", pki_pin) + else: + pki_pin = None if self.clone: diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 6fa4f0f..c39d687 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -235,9 +235,13 @@ def __spawn_instance(self): "KRA", "pki_share_dbuser_dn", str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca')))) - # generate pin which we know can be used for FIPS NSS database - pki_pin = ipautil.ipa_generate_password() - config.set("KRA", "pki_pin", pki_pin) + if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and + os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)): + # generate pin which we know can be used for FIPS NSS database + pki_pin = ipautil.ipa_generate_password() + config.set("KRA", "pki_pin", pki_pin) + else: + pki_pin = None _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code