[389-devel] lib389: please review some tickets

2016-03-10 Thread William Brown
These are all small, looking at Simon to review as he's familiar with all of 
them:

https://fedorahosted.org/389/ticket/48764

https://fedorahosted.org/389/ticket/48431

Thanks!

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane



--
389-devel mailing list
389-devel@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-devel@lists.fedoraproject.org

[389-devel] Please advice: [389 Project] #48760: NSS -- switching to the sql db

2016-03-10 Thread Noriko Hosoi

Hello,

We hear quite often that the key/cert db's RHDS is using are in the old 
format, and it has been suggested that we switch to the sql db.  It turned 
out to be quite easy, although there is one minor issue that I described in 
the comment in the patch *[*]*. But as long as we use "sql:path" to access 
the db's, there is no problem.


Also, we need to find out the upgrade scenario, which should not be hard 
since, e.g., lots of mozilla products have gone through the path.


My biggest question is whether we should do this or not... :)  Please share 
your thoughts.


Thanks!
--noriko

https://fedorahosted.org/389/ticket/48760

https://fedorahosted.org/389/attachment/ticket/48760/0001-Ticket-48760-NSS-switching-to-the-sql-db.patch
git patch file (master)

   Description: 389-ds-base and 389-admin are using the old format of key/cert
   db. NSS recommends to switch to the sql format having the shared DB feature.

   The current version of NSS (3.22.0 and older) takes ordinary paths to access
   the cert db, while it requires the prefix "sql:" for the sql db.

   By setting the environment variable 'NSS_DEFAULT_DB_TYPE="sql"', the default
   path setting is supposed to be switched.

   This patch tries these 2 cases.
   1) #define ENABLE_SQL_PREFIX 1
   This enables generating "sql:/path/to/certdir".
   2) /* #define ENABLE_SQL_PREFIX 1 */
   This depends upon the NSS_DEFAULT_DB_TYPE="sql" and uses the ordinary
   path to access the cert db.

   Both work fine with the test script. The case (1) generates just the new
   key/cert db's.
  $ ls slapd-master_1/*.db
  slapd-master_1/cert9.db slapd-master_1/key4.db
   *[*]*  But in the case (2), the server creates 2 sets of key/cert db's:
  $ ls slapd-master_1/*.db
  slapd-master_1/key3.db slapd-master_1/cert8.db slapd-master_1/secmod.db
  slapd-master_1/key4.db slapd-master_1/cert9.db
  $ certutil -L -d sql:slapd-master_1
  Certificate Nickname              Trust Attributes
                                    SSL,S/MIME,JAR/XPI
  CAcertificate                     CTu,u,u
  Server-Cert1                      u,u,u
  Server-Cert2                      u,u,u
  $ certutil -L -d slapd-master_1
  returns nothing.

   To reduce the confusion, we should choose the case (1).

https://fedorahosted.org/389/attachment/ticket/48760/0002-Ticket-48760-CI-test-test-cases-for-47536-and-48760.patch
git patch file (master) -- CI test
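
Added example, not part of the ticket or its patches: a small shell check that classifies an instance directory by the db files named in the listings above and prints an explicit "certutil -d" argument, flagging the case (2) layout where both sets exist. The function names are hypothetical, and the "dbm:" prefix (NSS's prefix for the old format) does not appear in the ticket.

```shell
#!/bin/sh
# Added example: classify an NSS cert directory by the db files present.
# File names are the ones shown in the ticket's "ls" listings.

# nss_db_format DIR -> prints sql | dbm | both | none
nss_db_format() {
    dir=$1
    has_sql=0
    has_dbm=0
    # New sql format: cert9.db / key4.db
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then has_sql=1; fi
    # Old format: cert8.db / key3.db (secmod.db accompanies them)
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then has_dbm=1; fi
    case "$has_sql$has_dbm" in
        11) echo both ;;
        10) echo sql ;;
        01) echo dbm ;;
        *)  echo none ;;
    esac
}

# nss_db_arg DIR -> prints the value for "certutil -d" with an explicit
# prefix, so the result does not depend on NSS_DEFAULT_DB_TYPE.
# Exit status 1 means both sets exist (case (2)); the sql: form is still
# printed because that is where the ticket's listing found the certs.
# Exit status 2 means no db files were found.
nss_db_arg() {
    case "$(nss_db_format "$1")" in
        sql)  echo "sql:$1" ;;
        dbm)  echo "dbm:$1" ;;   # assumption: prefix not shown in the ticket
        both) echo "sql:$1"; return 1 ;;
        *)    return 2 ;;
    esac
}

# Constructed sample: empty files reproducing the case (2) listing.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/slapd-master_1"
for f in key3.db cert8.db secmod.db key4.db cert9.db; do
    : > "$demo_dir/slapd-master_1/$f"
done
if arg=$(nss_db_arg "$demo_dir/slapd-master_1"); then
    echo "use: certutil -L -d $arg"
else
    echo "warning: mixed or missing db sets (sql form: $arg)" >&2
fi
rm -rf "$demo_dir"
```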