author: Rob Crittenden <rcritten@redhat.com> 2012-03-07 16:36:52 -0500
committer: Rob Crittenden <rcritten@redhat.com> 2012-03-13 22:42:12 -0400
commit: 17ba58aa4b6d59b159754351631165a9de61718a (patch)
tree: cbf567e88865dc44be96a2d3353e159bc3f62fe4 /ipalib
parent: 0425d09fac4e52feba309642c3d165c1916fc29c (diff)
Don't set dbdir in the connection until after the connection is created.
We were comparing the current connection with itself so were never going to call nss_shutdown(). dbdir needs to be set after the connection has been made.

This worked on single server installs because we don't do a ping, so NSS would never be pre-initialized. If multiple servers are available we call ping() to find one that is up before submitting the request; this is what would have pre-initialized NSS.

This was tripping up request-cert because it will initialize NSS with no DB if it hasn't been initialized. We need to initialize it to validate the CSR.

A non-working client was doing this when calling cert-request:

- call load_certificate_request()
- nss.nss_nodb_init()
- load the CSR
- create a connection, dbdir=/etc/pki/nssdb
- the dbdir matches within the same connection, don't call nss_shutdown()
- connect to remote server
- fail, untrusted CA because we are still using db from nss_nodb_init.

Instead, if we set dbdir afterward then this will properly be shut down and NSS re-initialized with the correct dbdir.

https://fedorahosted.org/freeipa/ticket/2498
Diffstat (limited to 'ipalib')
-rw-r--r--  ipalib/rpc.py  12
1 files changed, 7 insertions, 5 deletions
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 16c095cb7..04a3f3e35 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -229,7 +229,8 @@ class SSLTransport(LanguageAwareTransport):
continue
if not isinstance(value.conn._ServerProxy__transport, SSLTransport):
continue
- if value.conn._ServerProxy__transport.dbdir == dbdir:
+ if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \
+ value.conn._ServerProxy__transport.dbdir == dbdir:
return True
return False
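Review bot: the new `hasattr(..., 'dbdir')` guard is required only because, after this patch, `dbdir` is not assigned on the transport until the NSS connection object has been constructed, so a transport that has not yet connected (or whose connect failed) carries no such attribute and would otherwise raise `AttributeError` here. That invariant is left implicit; initializing `self.dbdir = None` in the transport's constructor and keeping the plain `== dbdir` comparison would express the same intent without the backslash continuation, and a one-line comment stating that a transport without `dbdir` has not initialized NSS (and so must not count as a match) would help the next reader.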
@@ -241,13 +242,14 @@ class SSLTransport(LanguageAwareTransport):
# If we an existing connection exists using the same NSS database
# there is no need to re-initialize. Pass thsi into the NSS
# connection creator.
- self.dbdir='/etc/pki/nssdb'
- no_init = self.__nss_initialized(self.dbdir)
+ dbdir = '/etc/pki/nssdb'
+ no_init = self.__nss_initialized(dbdir)
(major, minor, micro, releaselevel, serial) = sys.version_info
if major == 2 and minor < 7:
- conn = NSSHTTPS(host, 443, dbdir=self.dbdir, no_init=no_init)
+ conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
else:
- conn = NSSConnection(host, 443, dbdir=self.dbdir, no_init=no_init)
+ conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init)
+ self.dbdir=dbdir
conn.connect()
return conn
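Review bot: `self.dbdir=dbdir` is set after the `NSSHTTPS`/`NSSConnection` constructor but before `conn.connect()`; if `connect()` raises, the transport is left advertising `/etc/pki/nssdb` although no usable connection exists, and since `__nss_initialized()` keys on exactly that attribute (hunk above), a later lookup could treat it as an already-initialized database and pass `no_init=True`. Moving the assignment to after `conn.connect()` returns closes that window. Minor: the adjacent context comment reads "If we an existing connection exists" and "Pass thsi into"; as the hunk already touches these lines, fixing the wording ("If an existing connection exists ...", "Pass this into ...") in the same patch is cheap, and `self.dbdir=dbdir` wants spaces around `=` per PEP 8.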