Require nss with fix for nickname bug
nss 3.36.1-1.1 addresses a bug in the shared SQL database layer. The nicknames
of certificates are no longer changed when a certificate is imported
multiple times under a different name.
Partly revert commit ad2eb3d09b
with fix
for https://pagure.io/freeipa/issue/7498. The root cause for the bug has
been addressed by the NSS release.
See: https://pagure.io/freeipa/issue/7516
See: https://pagure.io/freeipa/issue/7498
See: https://bugzilla.redhat.com/show_bug.cgi?id=1568271
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
parent
648d7c0d38
commit
880d9b4134
@ -96,7 +96,11 @@
|
||||
%endif
|
||||
|
||||
# Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes
|
||||
%global pki_version 10.6.0-1
|
||||
%global pki_version 10.6.0-1.2
|
||||
|
||||
# NSS release with fix for CKA_LABEL import bug in shared SQL database.
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1568271
|
||||
%global nss_version 3.36.1-1.1
|
||||
|
||||
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
|
||||
|
||||
@ -157,7 +161,7 @@ BuildRequires: systemd
|
||||
# systemd-tmpfiles which is executed from make install requires apache user
|
||||
BuildRequires: httpd
|
||||
BuildRequires: nspr-devel
|
||||
BuildRequires: nss-devel
|
||||
BuildRequires: nss-devel >= %{nss_version}
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: libini_config-devel
|
||||
BuildRequires: cyrus-sasl-devel
|
||||
@ -338,8 +342,8 @@ Requires: python2-ldap >= %{python2_ldap_version}
|
||||
%endif
|
||||
Requires: 389-ds-base >= %{ds_version}
|
||||
Requires: openldap-clients > 2.4.35-4
|
||||
Requires: nss >= 3.14.3-12.0
|
||||
Requires: nss-tools >= 3.14.3-12.0
|
||||
Requires: nss >= %{nss_version}
|
||||
Requires: nss-tools >= %{nss_version}
|
||||
Requires(post): krb5-server >= %{krb5_version}
|
||||
Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
|
||||
Requires: krb5-pkinit-openssl >= %{krb5_version}
|
||||
@ -604,7 +608,7 @@ Requires: libcurl >= 7.21.7-2
|
||||
Requires: xmlrpc-c >= 1.27.4
|
||||
Requires: sssd >= 1.14.0
|
||||
Requires: certmonger >= 0.79.5-1
|
||||
Requires: nss-tools
|
||||
Requires: nss-tools >= %{nss_version}
|
||||
Requires: bind-utils
|
||||
Requires: oddjob-mkhomedir
|
||||
Requires: libsss_autofs
|
||||
|
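Review bot: The `pki_version` floor in the first hunk appears to move from `10.6.0-1` to `10.6.0-1.2`, but neither the comment above it nor the commit message says which Dogtag fix the new release carries. A one-line pointer such as `# 10.6.0-1.2: <reason / bug URL>` would let a packager judge whether a backported build satisfies it. Separately, the hunk at -604 puts the `>= %{nss_version}` floor only on `nss-tools`, while the hunk at -338 pins both `nss` and `nss-tools`. If that subpackage also imports certificates into a SQL-format NSSDB, consider adding `Requires: nss >= %{nss_version}` there as well, since the commit message places the fix in the NSS database layer itself. The page does not show which subpackages these hunks belong to, so the second point needs checking against the full spec.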
@ -5,15 +5,13 @@ from __future__ import print_function, absolute_import
|
||||
import enum
|
||||
import logging
|
||||
|
||||
from ipalib import api
|
||||
from ipalib.install.certstore import get_ca_certs_nss
|
||||
from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
|
||||
from ipaserver.secrets.client import CustodiaClient
|
||||
from ipaplatform.paths import paths
|
||||
from ipaplatform.constants import constants
|
||||
from ipaserver.install.service import SimpleServiceInstance
|
||||
from ipapython import ipautil
|
||||
from ipapython.certdb import NSSDatabase, get_ca_nickname
|
||||
from ipapython.certdb import NSSDatabase
|
||||
from ipaserver.install import installutils
|
||||
from ipaserver.install import ldapupdate
|
||||
from ipaserver.install import sysupgrade
|
||||
@ -277,17 +275,8 @@ class CustodiaInstance(SimpleServiceInstance):
|
||||
'-w', pk12pwfile
|
||||
])
|
||||
|
||||
# Add CA certificates, but don't import the main CA cert. It's
|
||||
# already present as 'caSigningCert cert-pki-ca'. With SQL db
|
||||
# format, a second import would rename the certificate. See
|
||||
# https://pagure.io/freeipa/issue/7498 for more details.
|
||||
conn = api.Backend.ldap2
|
||||
suffix = ipautil.realm_to_suffix(self.realm)
|
||||
ca_certs = get_ca_certs_nss(conn, suffix, self.realm, True)
|
||||
for cert, nickname, trust_flags in ca_certs:
|
||||
if nickname == get_ca_nickname(self.realm):
|
||||
continue
|
||||
tmpdb.add_cert(cert, nickname, trust_flags)
|
||||
# Add CA certificates
|
||||
self.export_ca_certs_nssdb(tmpdb, True)
|
||||
|
||||
# Now that we gathered all certs, re-export
|
||||
ipautil.run([
|
||||
|
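Review bot: The replacement comment `# Add CA certificates` in the CustodiaInstance hunk drops the only in-code record of why importing the main CA certificate a second time was dangerous, and the code is now correct only when the NSS in use contains the fix. I would keep the rationale, e.g. `# Add CA certificates. Importing the main CA cert again is only safe with NSS >= 3.36.1-1.1, see https://pagure.io/freeipa/issue/7498`. The RPM `Requires` enforces that floor only for package installs, so on a host with an older NSS the certificate could presumably still end up under a nickname other than 'caSigningCert cert-pki-ca' without any error; checking the resulting nickname after the import would make that failure visible. The enclosing method starts and ends outside the hunk and `export_ca_certs_nssdb` is not shown, so whether it applies the same trust flags as the removed loop cannot be confirmed from this page.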