[Freeipa-devel] Trying to update nss.conf during install time
Rob Crittenden
rcritten at redhat.com
Fri Aug 19 13:08:50 UTC 2011
Adam Young wrote:
> Here's a segment from my patch. All it should be doing is switching
> NSSRenegotiation from off to on, but it doesn't have any effect. Am I
> missing something conceptually here?
>
>
> +++ b/ipaserver/install/httpinstance.py
> @@ -160,6 +160,9 @@ class HTTPInstance(service.Service):
> def __set_mod_nss_nickname(self, nickname):
> installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
>
> + def __enable_mod_nss_renegotiate(self):
> + installutils.set_directive(NSS_CONF, 'NSSRenegotiation', 'on')
> +
> def __set_mod_nss_passwordfile(self):
> installutils.set_directive(NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/
>
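Review bot: The new __enable_mod_nss_renegotiate method has no docstring or comment saying why NSSRenegotiation has to be 'on', so a later reader of httpinstance.py cannot tell whether loosening this TLS setting is still required. A one-line docstring naming the component that depends on renegotiation would cover it. The hunk also does not show what set_directive does when nss.conf has no existing NSSRenegotiation line; worth confirming that the directive is written in that case rather than silently skipped.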
> @@ -189,6 +192,7 @@ class HTTPInstance(service.Service):
> db.track_server_cert(nickname, self.principal, db.passwd_fname)
>
> self.__set_mod_nss_nickname(nickname)
> + self.__enable_mod_nss_renegotiate()
> else:
> if self.self_signed_ca:
> db.create_from_cacert(ca_db.cacert_fname)
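Review bot: The added call self.__enable_mod_nss_renegotiate() sits in the branch that ends at the following else:, directly after self.__set_mod_nss_nickname(nickname), so any install that takes the else path (the self_signed_ca case and whatever follows it) never runs it and nss.conf is left unchanged. If the directive is meant to apply to every install, move the call out of this conditional or give it its own unconditional step.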
> diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
> index d1234a0..23d06ab 100644
This is only called when a user provides their own PKCS#12 files (and
replica installations).

We don't set the nickname on most installations because we assume a
vanilla server, therefore the nickname is already set to Server-Cert
(probably not the best assumption these days).

You'll want to set this in a step in create_instance() instead.

rob