URL: https://github.com/freeipa/freeipa/pull/687
Author: stlaz
 Title: #687: Add pki_pin only when needed
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/687/head:pr687
git checkout pr687
From 429f8dae4ea3b53894068d37e49ae2a5a05c29a0 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Mon, 3 Apr 2017 14:08:46 +0200
Subject: [PATCH] Add pki_pin only when needed

If both the pki-tomcat NSS database and its password.conf have been
created, don't try to override the password.conf file.

https://pagure.io/freeipa/issue/6839
---
 ipaserver/install/cainstance.py  | 10 +++++++---
 ipaserver/install/krainstance.py | 10 +++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2d33a97..1d44c0d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -541,9 +541,13 @@ def __spawn_instance(self):
         # CA key algorithm
         config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
 
-        # generate pin which we know can be used for FIPS NSS database
-        pki_pin = ipautil.ipa_generate_password()
-        config.set("CA", "pki_pin", pki_pin)
+        if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
+                os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
+            # generate pin which we know can be used for FIPS NSS database
+            pki_pin = ipautil.ipa_generate_password()
+            config.set("CA", "pki_pin", pki_pin)
+        else:
+            pki_pin = None
 
         if self.clone:
 
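Review bot: The guard `if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):` only tests that the two paths exist, so an empty or stale password.conf left by an interrupted install would also suppress pin generation. The instance would then presumably be spawned with a pin that does not match the NSS database. Consider also requiring a non-empty file by adding `and os.path.getsize(paths.PKI_TOMCAT_PASSWORD_CONF) > 0` inside the parentheses, and logging which branch was taken (never the pin itself) so a failed spawn can be traced back to it. The else branch leaves `pki_pin = None`, and `__spawn_instance` continues outside the hunk, so any later use of `pki_pin` there has to tolerate None. The same guard is added in ipaserver/install/krainstance.py and the same remarks apply there.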
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 6fa4f0f..c39d687 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -235,9 +235,13 @@ def __spawn_instance(self):
             "KRA", "pki_share_dbuser_dn",
             str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
 
-        # generate pin which we know can be used for FIPS NSS database
-        pki_pin = ipautil.ipa_generate_password()
-        config.set("KRA", "pki_pin", pki_pin)
+        if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
+                os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
+            # generate pin which we know can be used for FIPS NSS database
+            pki_pin = ipautil.ipa_generate_password()
+            config.set("KRA", "pki_pin", pki_pin)
+        else:
+            pki_pin = None
 
         _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
 
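Review bot: The guard here duplicates the one added to ipaserver/install/cainstance.py, differing only in the config section name, so the CA and KRA installers can drift apart if one copy is changed later. A small shared helper that reports whether pki-tomcat already has both its NSS database and password.conf would keep the decision about reusing the existing pin in one place. The else branch would also benefit from a comment such as `# pki-tomcat NSS database and password.conf already exist; keep the existing pin`. `__spawn_instance` continues outside the hunk.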
-- 