[Freeipa-users] Use SQLite format NSS database?

David Kupka dkupka at redhat.com
Mon Mar 20 09:00:27 UTC 2017


On Sat, Mar 18, 2017 at 11:58:35AM -0500, Ian Pilcher wrote:
> Can IPA 4.4 (on CentOS 7) use a SQLite format NSS database in
> /etc/httpd/alias?
> 
> I would presumably have to prepend "sql:" to the NSSCertificateDatabase
> setting in nss.conf.
> 
> Anything else?
> 
> -- 
> ========================================================================
> Ian Pilcher                                         arequipeno at gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================

Hello Ian,
I'm not sure, but I guess there will be surprises on the way.

First of all, you need to migrate the DB to SQL format (1). Then you will have
two DBs in the alias directory, one in the old and one in the new format. This is
probably not what you want, because then you can easily end up with two different
sets of certificates and hard-to-find errors. So it's probably better to remove
the old DB (cert8.db, key3.db and secmod.db). But then you'll break
ipa-certupdate, ipa-server-certinstall and probably others, because they use the
old format. Prefixing 'sql:' to HTTPD_ALIAS_DIR in
/usr/lib/python2.7/site-packages/ipaplatform/base/paths.py might help, but I
never tried.

Generally I would not recommend touching this on a production system. Why do you
want to change the database format?

(1) certutil -d sql:HTTPD_ALIAS_DIR --upgrade-merge --source-dir HTTPD_ALIAS_DIR --upgrade-id 1

-- 
David Kupka
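
An added example (not part of the original message and not FreeIPA code): a shell check for the mixed state described in the reply, where a legacy and a SQLite NSS database sit in the same directory and can drift apart. The function names are hypothetical; the file names are the standard NSS ones for each format, and the comparison assumes a certutil build that still opens dbm: databases.

```shell
#!/bin/sh
# Added example: report which NSS database format(s) a directory holds.
# Legacy DBM files: cert8.db key3.db secmod.db
# SQLite files:     cert9.db key4.db pkcs11.txt

# Prints one of: none, dbm, sql, mixed
nss_db_format() {
    dir=$1
    legacy=0
    sql=0
    for f in cert8.db key3.db secmod.db; do
        if [ -e "$dir/$f" ]; then legacy=1; fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -e "$dir/$f" ]; then sql=1; fi
    done
    if [ "$legacy" -eq 1 ] && [ "$sql" -eq 1 ]; then
        echo mixed
    elif [ "$legacy" -eq 1 ]; then
        echo dbm
    elif [ "$sql" -eq 1 ]; then
        echo sql
    else
        echo none
    fi
}

# For a mixed directory, compare the certificate listings of both formats.
# Returns 0 if they match, 1 if they differ, 2 if certutil is missing or
# cannot open one of the databases.
nss_compare_listings() {
    dir=$1
    command -v certutil >/dev/null 2>&1 || return 2
    old=$(certutil -L -d "dbm:$dir" 2>/dev/null) || return 2
    new=$(certutil -L -d "sql:$dir" 2>/dev/null) || return 2
    [ "$(printf '%s\n' "$old" | sort)" = "$(printf '%s\n' "$new" | sort)" ]
}

# Usage: sh nss-format-check.sh /etc/httpd/alias
if [ "$#" -gt 0 ]; then
    fmt=$(nss_db_format "$1")
    echo "$1: $fmt"
    if [ "$fmt" = mixed ]; then
        nss_compare_listings "$1" || echo "listings differ or could not be read"
    fi
fi
```
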