[Freeipa-devel] [PATCH] 983 add subject key identifier
Rob Crittenden
rcritten at redhat.com
Wed Mar 14 21:31:03 UTC 2012
Martin Kosek wrote:
> On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
>> Add subject key identifier to the dogtag server cert profile.
>>
>> This will add it on upgrades too and any new certs issued will have a
>> subject key identifier set.
>>
>> If the user has customized the profile themselves then this won't be
>> applied.
>>
>> rob
>
> NACK
>
> I found a few issues with the patch:
>
> 1) There is an extraneous pdb statement:
> + import pdb; pdb.set_trace()
>
> 2) The name of the config file should be put in a variable once and not
> built anew every time in enable_subject_key_identifier. It would be
> much more readable and less error-prone:
> + installutils.set_directive('/var/lib/%
> s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME,
> 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False,
> separator='=')
> + installutils.set_directive('/var/lib/%
> s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME,
> 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl',
> quotes=False, separator='=')
> ...
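Review bot: the first set_directive call writes the literal '1,2,3,4,5,6,7,8,10' into policyset.serverCertSet.list, and nothing in the quoted lines shows that value being derived from what the profile currently holds; the commit message says a customized profile must be left alone, so compare the list read with get_directive against the stock value first, and only then write the read value with 10 appended, rather than a fixed literal that would silently replace whatever is there. Also, ordering matters for a partial failure: write the policyset.serverCertSet.10.* directives before updating the list, so the list never references a policy entry that does not exist yet. The repeated '/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME belongs in one module-level constant so the calls cannot drift apart.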
>
> 3) We do not handle a missing config file gracefully. This is what happens
> when a replica without a CA is upgraded:
> # rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
> Preparing... ########################################### [100%]
> 1:freeipa-python ########################################### [ 17%]
> 2:freeipa-client ########################################### [ 33%]
> 3:freeipa-admintools ########################################### [ 50%]
> 4:freeipa-server ########################################### [ 67%]
> Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
> Traceback (most recent call last):
> File "/usr/sbin/ipa-upgradeconfig", line 301, in <module>
> sys.exit(main())
> File "/usr/sbin/ipa-upgradeconfig", line 297, in main
> upgrade_ipa_profile(krbctx.default_realm)
> File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
> if ca.enable_subject_key_identifier():
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
> setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
> File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
> fd = open(filename, "r")
> IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
> 5:freeipa-server-selinux ########################################### [ 83%]
> 6:freeipa-debuginfo ########################################### [100%]
>
> 1. Martin
>
I think this should do it.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-983-2-dogtag.patch
Type: text/x-diff
Size: 6360 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120314/8cb4e9d3/attachment.bin>
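The guarded form of the upgrade step this thread is about, as an added example and not FreeIPA's own code: it bails out cleanly when the profile file is absent (the replica-without-CA case in Martin's point 3), keeps the profile path in one place (his point 2), leaves a profile alone when its policyset.serverCertSet.list has been customized, is idempotent across repeated upgrades, and writes the new policy's directives before touching the list. The get_directive/set_directive helpers are minimal stand-ins modelled on the installutils names seen in the traceback, not the real functions; the stock list value '1,2,3,4,5,6,7,8', the policy id 10, the class and parameter names other than noConstraintImpl, and the profile contents are assumptions constructed for the example.

```python
"""Added example (not FreeIPA's code): a guarded upgrade step that adds a
Subject Key Identifier policy to a Dogtag profile stored in key=value form.

Assumptions (not from the mailing-list page): the stock list value,
policy id 10, the directive names below other than the quoted
noConstraintImpl, and the constructed sample profile.
"""
import os
import tempfile

PROFILE_NAME = 'caIPAserviceCert.cfg'          # the file named in the traceback
LIST_KEY = 'policyset.serverCertSet.list'
STOCK_LIST = '1,2,3,4,5,6,7,8'                 # assumed pre-upgrade default
SKI_ID = '10'                                  # assumed id of the new policy

# Directives the upgrade adds. Only noConstraintImpl appears on the page; the
# default class and parameter names are assumptions for illustration.
SKI_DIRECTIVES = {
    'policyset.serverCertSet.10.constraint.class_id': 'noConstraintImpl',
    'policyset.serverCertSet.10.constraint.name': 'No Constraint',
    'policyset.serverCertSet.10.default.class_id': 'subjectKeyIdentifierExtDefaultImpl',
    'policyset.serverCertSet.10.default.name': 'Subject Key Identifier Extension Default',
    'policyset.serverCertSet.10.default.params.critical': 'false',
}


def get_directive(path, key, separator='='):
    """Return the value for key in a key=value file, or None if absent.
    Raises the usual IOError/OSError if the file does not exist."""
    with open(path) as f:
        for line in f:
            line = line.rstrip('\n')
            if not line.strip() or line.lstrip().startswith('#'):
                continue
            k, sep, v = line.partition(separator)
            if sep and k.strip() == key:
                return v.strip()
    return None


def set_directive(path, key, value, separator='='):
    """Rewrite key=value in place, appending the directive if it is absent."""
    with open(path) as f:
        lines = f.read().splitlines()
    out, found = [], False
    for line in lines:
        k, sep, _ = line.partition(separator)
        if sep and k.strip() == key:
            out.append('%s%s%s' % (key, separator, value))
            found = True
        else:
            out.append(line)
    if not found:
        out.append('%s%s%s' % (key, separator, value))
    with open(path, 'w') as f:
        f.write('\n'.join(out) + '\n')


def enable_subject_key_identifier(profile_path):
    """Return 'missing', 'customized', 'already' or 'added'.

    'missing'    - no profile (e.g. a replica without a CA); nothing to do
    'customized' - list is not the stock value; leave the admin's profile alone
    'already'    - policy 10 is in the list; upgrade has run before
    'added'      - directives written and 10 appended to the list
    """
    if not os.path.exists(profile_path):
        return 'missing'
    current = get_directive(profile_path, LIST_KEY)
    if current is None:
        return 'customized'
    ids = [x.strip() for x in current.split(',')]
    if SKI_ID in ids:
        return 'already'
    if current != STOCK_LIST:
        return 'customized'
    # Write the policy's own directives first so the list never points at an
    # entry that does not exist yet if we fail part way through.
    for k, v in SKI_DIRECTIVES.items():
        set_directive(profile_path, k, v)
    set_directive(profile_path, LIST_KEY, ','.join(ids + [SKI_ID]))
    return 'added'


# Constructed fragment of a profile; not the real caIPAserviceCert.cfg.
SAMPLE_PROFILE = """\
# constructed sample profile for the example
desc=Server certificate profile with IPA-RA agent authentication
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
"""


def demo(profile_text=SAMPLE_PROFILE):
    """Write profile_text to a temp dir, run the upgrade twice, and return
    (first_result, second_result, final_list, ski_class_id, missing_result)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, PROFILE_NAME)
    with open(path, 'w') as f:
        f.write(profile_text)
    first = enable_subject_key_identifier(path)
    second = enable_subject_key_identifier(path)
    final_list = get_directive(path, LIST_KEY)
    ski_class = get_directive(path, 'policyset.serverCertSet.10.default.class_id')
    missing = enable_subject_key_identifier(os.path.join(d, 'no-such-profile.cfg'))
    return first, second, final_list, ski_class, missing


if __name__ == '__main__':
    print(demo())
```

Running the module prints the tuple for the stock profile; passing a profile whose list differs from the stock value returns 'customized' on every run and leaves the file untouched, which is the behaviour the commit message promises for user-modified profiles.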