[Freeipa-devel] [PATCHES] 152-158 ipa-server-certinstall fixes

Jan Cholasta jcholast at redhat.com
Tue Aug 20 07:10:23 UTC 2013


On 19.8.2013 17:53, Petr Viktorin wrote:
> On 08/19/2013 03:50 PM, Jan Cholasta wrote:
>> On 19.8.2013 14:02, Petr Viktorin wrote:
>>> Thanks!
>>> I've read the patches and have some initial comments; I'll get to
>>> functional testing (and writing related CA-less tests) right away.
>>>
>>> The patches need a small rebase (attached since I did it anyway).
>>>
>>> Patch 152: OK (I saw some issues but they're fixed later on)
>>> Patch 153: You can use log_file_name = '/var/log/ipa/default.log' on the
>>> ServerCertInstall class to keep the default log file.
>>
>> What is the benefit in doing this? All ipa-server-certinstall did when
>> using this file was complain about /var/log/ipa being non-existent.
>
> Ah, okay. If it was a deliberate change, please mention it in the commit
> message.

OK.

>
>>> Patch 154: OK
>>> Patch 155: All this is removed by patch 157, please squash them
>>> together.

Done.

>>> Patch 156: OK
>>> Patch 157: Please add the delete_cert method to the NSSDatabase class,
>>> and have CertDB call it (see e.g. run_certutil, find_server_certs,
>>> import_pkcs12). The CertDB is only meant for IPA-specific functionality.

Done.

>>> Patch 158: OK
>
>
> The usage looks a bit strange to me.

Yes, it definitely is strange.

> Having the --dirsrv_pin and
> --http_pin options doesn't make sense if there's only one certificate.
> Should we add a --pin option, and make these deprecated aliases of it?

I think we should. Added (patch 162).

> Or make the -d and -w options take individual arguments (which would be
> backwards incompatible)?

I would rather not introduce backward incompatibility.

> Also, it should be possible to enter the pin(s) and DM password
> interactively.

Added (patch 163).

Updated patches attached.

Honza

-- 
Jan Cholasta
-------------- next part --------------
Attachments (text/x-patch, scrubbed by the list archive):

* freeipa-jcholast-152.1-Make-PKCS-12-handling-in-ipa-server-certinstall-clos.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130820/90fd849d/attachment.bin>
* freeipa-jcholast-153.1-Port-ipa-server-certinstall-to-the-admintool-framewo.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130820/90fd849d/attachment-0001.bin>
* freeipa-jcholast-154.1-Remove-unused-NSSDatabase-and-CertDB-method-find_roo.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130820/90fd849d/attachment-0002.bin>
* freeipa-jcholast-156.1-Ignore-empty-mod-error-when-updating-DS-SSL-config-i.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130820/90fd849d/attachment-0003.bin>
* freeipa-jcholast-157.1-Replace-only-the-cert-instead-of-the-whole-NSS-DB-in.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130820/90fd849d/attachment-0004.bin>
* freeipa-jcholast-158.1-Untrack-old-and-track-new-cert-with-certmonger-in-ip.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130820/90fd849d/attachment-0005.bin>
* freeipa-jcholast-162.1-Add-pin-option-to-ipa-server-certinstall.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130820/90fd849d/attachment-0006.bin>
* freeipa-jcholast-163.1-Ask-for-PKCS-12-password-interactively-in-ipa-server.patch
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20130820/90fd849d/attachment-0007.bin>

