From 44a774c3cbb83d9ce19b26ca74a15900c571bbe5 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen
Date: Thu, 24 Sep 2015 06:10:10 +0300
Subject: [PATCH] freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
---
 debian/changelog | 1 +
 debian/freeipa-client.dirs | 1 +
 debian/freeipa-client.postinst | 13 +++++++++++--
 debian/freeipa-client.postrm | 7 +++++++
 4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 0e22f5a80..230e0b301 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,7 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium
 * control: Server needs newer python-ldap, bump build-dep too.
 * control: Bump certmonger depends.
 * control: Bump python-nss depends.
+ * freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
 -- Timo Aaltonen Thu, 02 Apr 2015 13:16:49 +0300
diff --git a/debian/freeipa-client.dirs b/debian/freeipa-client.dirs
index e5c26bf7f..7d94a8405 100644
--- a/debian/freeipa-client.dirs
+++ b/debian/freeipa-client.dirs
@@ -1,3 +1,4 @@
 etc/ipa
+etc/ipa/nssdb
 etc/pki/nssdb
 var/lib/ipa-client/sysrestore
diff --git a/debian/freeipa-client.postinst b/debian/freeipa-client.postinst
index 4451c3415..e4fdd53f4 100644
--- a/debian/freeipa-client.postinst
+++ b/debian/freeipa-client.postinst
@@ -2,14 +2,23 @@
 set -e
 if [ "$1" = configure ]; then
- if [ ! -e /etc/pki/nssdb ]; then
+ if [ ! -f /etc/pki/nssdb/cert8.db ]; then
 tmp=$(mktemp) || exit
 printf "\n" > $tmp
- mkdir -p /etc/pki/nssdb
 certutil -N -d /etc/pki/nssdb -f $tmp
 chmod 644 /etc/pki/nssdb/*
 rm $tmp
 fi
+ if [ ! -f /etc/ipa/nssdb/cert8.db ]; then
+ python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
+ tmp=$(mktemp) || exit
+ if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
+ certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
+ elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
+ certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
+ fi
+ rm -f "$tmp"
+ fi
 fi
 if [ ! -e /run/ipa ]; then
diff --git a/debian/freeipa-client.postrm b/debian/freeipa-client.postrm
index 65d1d9ae6..a388898bc 100644
--- a/debian/freeipa-client.postrm
+++ b/debian/freeipa-client.postrm
@@ -7,6 +7,13 @@ if [ "$1" = purge ]; then
 rm -f /etc/pki/nssdb/cert8.db \
 /etc/pki/nssdb/key3.db \
 /etc/pki/nssdb/secmod.db
+ rm -f /etc/ipa/nssdb/cert8.db \
+ /etc/ipa/nssdb/key3.db \
+ /etc/ipa/nssdb/pwdfile.txt \
+ /etc/ipa/nssdb/secmod.db
+ rmdir /etc/pki/nssdb
+ rmdir /etc/ipa/nssdb
+ rmdir /etc/ipa
 fi
 #DEBHELPER#
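Review bot: In debian/freeipa-client.postinst, every redirect in the new `/etc/ipa/nssdb` block opens `/var/log/ipaupgrade.log` with `>`, so each certutil call truncates it: the stderr of the `certutil -L` probe is erased by the `certutil -A` that follows, and whatever log already existed at that path is lost on configure. Appending keeps the record of whether the CA certificate was actually imported, e.g. `certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tmp" >>/var/log/ipaupgrade.log 2>&1`, with `>>`/`2>>` on the other three calls as well. The `python2 -c` line sends its output to `/dev/null` while the script runs under `set -e`, so a failure in `create_ipa_nssdb()` aborts configuration with no message; sending that output to the same log would leave something to diagnose. A failing `certutil -A` likewise exits before `rm -f "$tmp"` runs, which a `trap 'rm -f "$tmp"' EXIT` set right after `mktemp` would cover.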
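Review bot: The three bare `rmdir` calls added to the purge branch of debian/freeipa-client.postrm fail when a directory is already gone or still holds anything besides the files removed just above, and `/etc/pki/nssdb` and `/etc/ipa` are places that other software or the administrator may have populated (presumably the client installer leaves its own files under `/etc/ipa`; worth confirming). If this script runs under `set -e` like the postinst does (its top is outside the hunk), one such failure aborts the purge and leaves the package half-removed. Making the directory cleanup best-effort avoids that: `rmdir --ignore-fail-on-non-empty /etc/pki/nssdb /etc/ipa/nssdb /etc/ipa 2>/dev/null || true`. The `if [ "$1" = purge ]` block opens above the hunk.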