URL: https://github.com/freeipa/freeipa/pull/5923 Author: rcritten Title: #5923: ipa-advise: if p11-kit provides opensc, don't add to NSS db Action: opened
PR body: """
p11-kit-proxy in newer distributions handles loading the OpenSC PKCS#11 library, so don't try to add it to the NSS database in /etc/pki/nssdb if it is already available, in order to avoid a potentially confusing error message.

https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>

NOTE:
1. A second patch fixes a script error I noticed while working on the ticket.
2. There are no tests because it relies completely on the OS release and state of the client and we don't have that capacity in CI. I propose manual tests.
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5923/head:pr5923
git checkout pr5923
From a8afc13e2a7b512a2aa3ebd7fab336eec0bba9cd Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Fri, 23 Jul 2021 18:17:19 -0400 Subject: [PATCH 1/2] ipa-advise: if p11-kit provides opensc, don't add to NSS db p11-kit-proxy in newer distributions handles loading the OpenSC PKCS#11 library so don't try to add it to the NSS database in /etc/pki/nssdb if it is already available in order to avoid a potentially confusing error message. https://pagure.io/freeipa/issue/8934 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipaserver/advise/plugins/smart_card_auth.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index a067f366c8d..4a3a96c1bfa 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -306,8 +306,9 @@ def add_pkcs11_module_to_systemwide_db(self): shared_lib = self.pkcs11_shared_lib self.log.commands_on_predicate( - 'modutil -dbdir {} -list | grep -q {}'.format( - nssdb, module_name), + 'modutil -dbdir {nssdb} -list | grep -q {module_name} || ' + 'p11-kit list-modules | grep -i {module_name} -q'.format( + nssdb=nssdb, module_name=module_name), [ 'echo "{} PKCS#11 module already configured"'.format( module_name) From e75eb9fb71e081effd6bb9d8db17407871d5f2c0 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 26 Jul 2021 12:06:12 -0400 Subject: [PATCH 2/2] ipa-advise: Define the domain used when looking up ipa-ca The error message if ipa-ca can't be resolved included the undefined variable ${domain_name}. Since this is static anyway change to a python format string and hardcode the string in the resulting script as api.env.domain. Discovered while working on https://pagure.io/freeipa/issue/8934 Related: https://pagure.io/freeipa/issue/8934 
Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipaserver/advise/plugins/smart_card_auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index 4a3a96c1bfa..b79797dcaee 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -149,7 +149,7 @@ def resolve_ipaca_records(self): self.log.exit_on_predicate( '[ -z "$ipaca_records" ]', [ - 'Can not resolve ipa-ca records for ${domain_name}', + f'Can not resolve ipa-ca records for {ipa_domain_name}', 'Please make sure to update your DNS infrastructure with ', 'ipa-ca record pointing to IP addresses of IPA CA masters' ])
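Review bot: in the add_pkcs11_module_to_systemwide_db hunk of PATCH 1/2, the new `|| p11-kit list-modules | grep -i {module_name} -q` branch only proves that p11-kit knows a module whose listing matches {module_name}; it does not check that the NSS database in {nssdb} actually loads p11-kit-proxy, so on a host where p11-kit lists opensc but /etc/pki/nssdb carries no p11-kit-proxy entry the script prints "{module_name} PKCS#11 module already configured" and skips the add even though NSS will never see the module. Consider requiring both conditions in the second branch, e.g. `(modutil -dbdir {nssdb} -list | grep -q p11-kit-proxy && p11-kit list-modules | grep -qi {module_name})`. Two smaller points on the same line: `grep -i {module_name} -q` places the option after the pattern, which GNU grep accepts but rejects when POSIXLY_CORRECT is set (the `-q` is then taken as a file name), so write it `grep -qi {module_name}` to match the first grep; and the case-insensitive substring match will also fire on any other module name that merely contains {module_name}.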
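Review bot: the resolve_ipaca_records hunk of PATCH 2/2 switches the message to an f-string that references `ipa_domain_name`, but nothing in the hunk or its context lines binds that name; the commit message says the value is api.env.domain, so the diff should include the line that assigns `ipa_domain_name` (or use `{api.env.domain}` directly in the f-string), otherwise the unresolved `${domain_name}` in the generated shell script just becomes an unresolved `ipa_domain_name` in the Python generator. Since the f-string is evaluated on the server at advice-generation time, the rendered script carries the server's domain as a fixed literal, which is what the commit message intends but deserves a one-line comment at the call site. Minor: "Can not resolve" reads better as "Cannot resolve".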
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure