<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/13/2013 02:57 PM, Tomas Babej
wrote:<br>
</div>
<blockquote cite="mid:52838561.7090701@redhat.com" type="cite">On
09/27/2013 10:14 AM, Martin Kosek wrote:
<br>
<blockquote type="cite">On 09/26/2013 04:46 PM, Jan Cholasta
wrote:
<br>
<blockquote type="cite">On 26.9.2013 12:59, Tomas Babej wrote:
<br>
<blockquote type="cite">On 09/26/2013 12:54 PM, Jan Cholasta
wrote:
<br>
<blockquote type="cite">On 24.9.2013 18:14, Nalin Dahyabhai
wrote:
<br>
<blockquote type="cite">On Tue, Sep 24, 2013 at 01:30:10PM
+0200, Jan Cholasta wrote:
<br>
<blockquote type="cite">We discussed this with Tomáš
off-line and it turns out that
<br>
ipa-client-install fails if the CA cert is not added
to
<br>
/etc/pki/nssdb.
<br>
<br>
However, according to p11-kit docs it should work:
<br>
<a class="moz-txt-link-rfc2396E" href="http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html"><http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html></a>.
I
<br>
wonder what needs to be done to make it work in IPA...
<br>
</blockquote>
<br>
On my system, there's no symlink to libnssckbi.so (or
the right location
<br>
in the link farm under /etc/alternatives) in
/etc/pki/nssdb, so that
<br>
database isn't going to automatically pull in the list
of trusted CAs
<br>
that p11-kit maintains.
<br>
<br>
Whether the database under /etc/pki/nssdb should
automatically include
<br>
the usual set of trust anchors is probably a different
conversation.
<br>
</blockquote>
<br>
Thanks for the info.
<br>
<br>
Tomáš, the patch is fine then. I have one more nitpick
though: why did
<br>
you change "the default NSS database" to "the NSS
database"? The
<br>
database in /etc/pki/nssdb *is* the default NSS database,
so please
<br>
change it back. Also I think "systemwide CA trust
database" is better
<br>
than "systemwide CA store".
<br>
<br>
Honza
<br>
<br>
</blockquote>
I fixed the descriptions. Updated patch attached.
<br>
<br>
Tomas
<br>
<br>
</blockquote>
<br>
Thanks.
<br>
<br>
There's one more thing: we should probably check if
/usr/bin/update-ca-trust
<br>
exists before using it, for the sake of cross-distro
compatibility.
<br>
<br>
</blockquote>
<br>
Right. I am also thinking if this functionality should not be
somehow integrated into the platform files so that it can be
overridden in platforms that do not have the systemwide storage.
<br>
<br>
Martin
<br>
</blockquote>
<br>
Updated patch attached, requires my patch 130.
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
The patch works fine; a couple of nitpicks:<br>
<br>
1) The import of root_logger in services.py.in is unused.<br>
<br>
2) In ipa-client-install, you log the return values of functions
insert_ca_cert_into_systemwide_ca_store() and
remove_ca_cert_from_systemwide_ca_store(). But these functions do
not return any values, so you will always be logging `None`.<br>
<br>
<pre class="moz-signature" cols="80">--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.</pre>
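<br>
<p>The three review points above (check that /usr/bin/update-ca-trust exists before calling it, keep the store description in the platform files so it can be overridden, and return something worth logging instead of <code>None</code>) can be shown together in one small module. The code below is an added illustration written for this page; it is not FreeIPA's ipa-client-install code and does not claim to match it. The function names come from the thread, but their bodies, the <code>SystemwideCATrust</code> class, the anchors directory and tool path defaults, the <code>ipa-ca.crt</code> file name and the injectable <code>run</code> callable are all assumptions made for the example.</p>

```python
"""Added example, not FreeIPA code: systemwide CA trust helpers in the shape
the review thread discusses.  All paths and names are assumptions."""
import logging
import os
import subprocess

logger = logging.getLogger(__name__)


class SystemwideCATrust:
    """Per-platform description of the systemwide CA trust database.

    Keeping this object in the platform files lets a platform that has no
    such store pass update_tool=None, which turns the helpers into no-ops.
    The default paths are assumptions modelled on the update-ca-trust
    layout the thread refers to.
    """

    def __init__(self, anchor_dir="/etc/pki/ca-trust/source/anchors",
                 update_tool="/usr/bin/update-ca-trust",
                 cert_name="ipa-ca.crt", run=subprocess.call):
        self.anchor_dir = anchor_dir
        self.update_tool = update_tool
        self.cert_name = cert_name
        # Injected so the refresh step can be stubbed when testing.
        self.run = run

    @property
    def cert_path(self):
        return os.path.join(self.anchor_dir, self.cert_name)

    def available(self):
        """The cross-distro check: only touch the store if the tool exists."""
        return (self.update_tool is not None
                and os.path.isfile(self.update_tool)
                and os.access(self.update_tool, os.X_OK))

    def refresh(self):
        """Rebuild the trust database; a non-zero exit is an error."""
        rc = self.run([self.update_tool])
        if rc != 0:
            raise RuntimeError("%s exited with status %d"
                               % (self.update_tool, rc))


def insert_ca_cert_into_systemwide_ca_store(cert_pem, trust):
    """Install the CA certificate as a trust anchor and rebuild the store.

    Returns True when the store was updated and False when it was skipped,
    so the caller logs a real outcome rather than None.
    """
    if not trust.available():
        logger.info("%s not found, leaving the systemwide CA store alone",
                    trust.update_tool)
        return False
    os.makedirs(trust.anchor_dir, mode=0o755, exist_ok=True)
    # A trust anchor is public data; 0644 lets every local consumer read it.
    with open(trust.cert_path, "w") as f:
        f.write(cert_pem)
    os.chmod(trust.cert_path, 0o644)
    trust.refresh()
    return True


def remove_ca_cert_from_systemwide_ca_store(trust):
    """Drop the anchor and rebuild; True only if something was removed."""
    if not trust.available():
        return False
    if not os.path.exists(trust.cert_path):
        return False
    os.remove(trust.cert_path)
    trust.refresh()
    return True
```

<p>Writing into the anchors directory and running the update tool both need root, so on a real client these run inside the installer; the point of the boolean return is that <code>root_logger.debug("... %s", result)</code> then records whether the systemwide store was actually touched, which a <code>None</code> return can never tell you.</p>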
</body>
</html>