From 17ba58aa4b6d59b159754351631165a9de61718a Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 7 Mar 2012 16:36:52 -0500
Subject: Don't set dbdir in the connection until after the connection is created.

We were comparing the current connection with itself so were never going to call nss_shutdown(). dbdir needs to be set after the connection has been made. This worked on single server installs because we don't do a ping so NSS would never be pre-initialized. If multiple servers are available we call ping() to find one that is up before submitting the request, this is what would have pre-initialized NSS. This was tripping up request-cert because it will intialize NSS with no DB if it hasn't been initialized. We need to initialize it to validate the CSR. A non-working client was doing this when calling cert-request: - call load_certificate_request() - nss.nss_nodb_init() - load the CSR - create a connection, dbdir=/etc/pki/nssdb - the dbdir matches within the same connection, don't call nss_shutdown() - connect to remote server - fail, untrusted CA because we are still using db from nss_nodb_init. Instead if we set dbdir afterward then this will properly be shutdown and NSS re-initialized with correct dbdir. https://fedorahosted.org/freeipa/ticket/2498
---
 ipalib/rpc.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 16c095cb7..04a3f3e35 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -229,7 +229,8 @@ class SSLTransport(LanguageAwareTransport):
                 continue
             if not isinstance(value.conn._ServerProxy__transport, SSLTransport):
                 continue
-            if value.conn._ServerProxy__transport.dbdir == dbdir:
+            if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \
+               value.conn._ServerProxy__transport.dbdir == dbdir:
                 return True
         return False
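Review bot: The new `hasattr` guard on the `if` line gives no hint why a transport might lack `dbdir`, and that reason is the whole fix: `dbdir` is now assigned only after the NSS connection object exists, so a transport still being set up (including `self`) no longer matches itself and suppresses the NSS shutdown. A comment above the condition would stop the next maintainer from "simplifying" the guard away, e.g. `# dbdir is set only after the connection is created, so a transport still being built (including self) is skipped here`. As a point of style, the backslash continuation can go by binding the transport once and using a default: `transport = value.conn._ServerProxy__transport` followed by `if getattr(transport, 'dbdir', None) == dbdir:`. That form is equivalent only while `dbdir` is never `None`, which holds as far as the second hunk shows (a string literal) but is not enforced here. The enclosing `__nss_initialized` method starts outside the hunk.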
@@ -241,13 +242,14 @@ class SSLTransport(LanguageAwareTransport):
         # If we an existing connection exists using the same NSS database
         # there is no need to re-initialize. Pass thsi into the NSS
         # connection creator.
-        self.dbdir='/etc/pki/nssdb'
-        no_init = self.__nss_initialized(self.dbdir)
+        dbdir = '/etc/pki/nssdb'
+        no_init = self.__nss_initialized(dbdir)
         (major, minor, micro, releaselevel, serial) = sys.version_info
         if major == 2 and minor < 7:
-            conn = NSSHTTPS(host, 443, dbdir=self.dbdir, no_init=no_init)
+            conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
         else:
-            conn = NSSConnection(host, 443, dbdir=self.dbdir, no_init=no_init)
+            conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init)
+        self.dbdir=dbdir
         conn.connect()
         return conn
-- 
cgit
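Review bot: The deferred `self.dbdir=dbdir` assignment carries no explanation, and the reasoning that fixes its position (it must follow creation of the NSS connection object so `__nss_initialized()` does not compare this transport with itself) lives only in the commit message. I would add a comment above it, `# Set dbdir only now: __nss_initialized() matches other transports on this attribute, and setting it before the connection existed made this transport match itself, so NSS was never shut down and re-opened on the right DB`. The assignment sits before `conn.connect()`, so a transport whose connect fails still advertises `dbdir`; that is correct if NSS is initialized in the `NSSConnection`/`NSSHTTPS` constructor rather than in `connect()`, which this hunk cannot confirm, and the comment should say which. While touching these lines, PEP 8 spacing (`self.dbdir = dbdir`) and the surviving context comment's "If we an existing connection exists ... Pass thsi" could be tidied. The enclosing method starts outside the hunk.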