URL: https://github.com/freeipa/freeipa/pull/5946 Author: rcritten Title: #5946: [Backport][ipa-4-9] ipa-advise: if p11-kit provides opensc, don't add to NSS db Action: opened
PR body: """ This PR was opened automatically because PR #5923 was pushed to master and backport to ipa-4-9 is required. """

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5946/head:pr5946
git checkout pr5946
From bc2ae66788fd046c16c872e8bf82940f86cf6a52 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Fri, 23 Jul 2021 18:17:19 -0400 Subject: [PATCH 1/2] ipa-advise: if p11-kit provides opensc, don't add to NSS db p11-kit-proxy in newer distributions handles loading the OpenSC PKCS#11 library so don't try to add it to the NSS database in /etc/pki/nssdb if it is already available in order to avoid a potentially confusing error message. https://pagure.io/freeipa/issue/8934 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipaserver/advise/plugins/smart_card_auth.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index a067f366c8d..4a3a96c1bfa 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -306,8 +306,9 @@ def add_pkcs11_module_to_systemwide_db(self): shared_lib = self.pkcs11_shared_lib self.log.commands_on_predicate( - 'modutil -dbdir {} -list | grep -q {}'.format( - nssdb, module_name), + 'modutil -dbdir {nssdb} -list | grep -q {module_name} || ' + 'p11-kit list-modules | grep -i {module_name} -q'.format( + nssdb=nssdb, module_name=module_name), [ 'echo "{} PKCS#11 module already configured"'.format( module_name) From c988d306fe3dca3b033cb5691c72f34942b76c0c Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 26 Jul 2021 12:06:12 -0400 Subject: [PATCH 2/2] ipa-advise: Define the domain used when looking up ipa-ca The error message if ipa-ca can't be resolved included the undefined variable ${domain_name}. Since this is static anyway change to a python format string and hardcode the string in the resulting script as api.env.domain. Discovered while working on https://pagure.io/freeipa/issue/8934 Related: https://pagure.io/freeipa/issue/8934 
Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipaserver/advise/plugins/smart_card_auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index 4a3a96c1bfa..b79797dcaee 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -149,7 +149,7 @@ def resolve_ipaca_records(self): self.log.exit_on_predicate( '[ -z "$ipaca_records" ]', [ - 'Can not resolve ipa-ca records for ${domain_name}', + f'Can not resolve ipa-ca records for {ipa_domain_name}', 'Please make sure to update your DNS infrastructure with ', 'ipa-ca record pointing to IP addresses of IPA CA masters' ])
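Review bot: In the add_pkcs11_module_to_systemwide_db hunk, the new predicate `modutil ... | grep -q {module_name} || p11-kit list-modules | grep -i {module_name} -q` assumes the p11-kit binary is installed. On a host without it the shell prints "p11-kit: command not found" to stderr, the `||` chain evaluates false and the script falls through to adding the module with modutil, which is the right fallback, but the stray error works against the stated goal of avoiding a confusing message. Suggest guarding it, e.g. `command -v p11-kit >/dev/null 2>&1 && p11-kit list-modules 2>/dev/null | grep -qi {module_name}`. Two smaller points: the first grep is case-sensitive and the second is not (`-q` vs `-i ... -q`), so the two checks do not treat module_name the same way; and module_name is matched as an unanchored substring of the p11-kit output, so a more specific pattern would reduce false positives that would wrongly report "already configured" and skip the modutil add.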
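Review bot: In the resolve_ipaca_records hunk the replacement `f'Can not resolve ipa-ca records for {ipa_domain_name}'` interpolates `ipa_domain_name` in Python at advise-generation time, but nothing in the visible context shows where that name is bound inside resolve_ipaca_records; please confirm it is assigned (the commit message says from api.env.domain) before self.log.exit_on_predicate is called, otherwise the change trades an undefined shell variable (`${domain_name}`) for a NameError when ipa-advise runs. Since the value is now baked into the generated script rather than resolved when the script executes, the message reports the domain of the server that produced the advice, which is what the commit message intends but deserves a short comment at the assignment. Minor wording nit: "Can not" reads better as "Cannot".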
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure