Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1496562
We intend to change the default database format that NSS will use, if an application doesn't specify their preference. (Only on Fedora 28 and later.) The reason is that the old default (dbm) is old legacy code, which doesn't work with concurrent access, and the NSS developers would like to declare dbm as deprecated. The new default (sql) is based on sqlite. While doing some initial tests, Hubert Kario found that freeipa checks that the database files cert8.db (or key3.db, secmod.db) exist. Once bug 1496560 gets implemented, the filenames created by NSS will be cert9.db, key4.db, pkcs11.txt. Could you please adjust freeipa to be tolerant of these new filenames? Would you like to explain why you added a test for specific filenames, maybe this check isn't necessary?
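A format-tolerant existence check for the two filename sets named in the report, as an added example that is not FreeIPA's code or part of the original ticket. The function names (`detect_nssdb`, `complete_formats`, `nssdb_exists`, `make_db`) are hypothetical, and the sample directory is constructed; a partial file set is reported separately instead of being counted as an existing database.

```python
import os
import tempfile

# File names given in the ticket for each NSS database format.
NSS_DB_FILES = {
    "dbm": ("cert8.db", "key3.db", "secmod.db"),   # legacy default
    "sql": ("cert9.db", "key4.db", "pkcs11.txt"),  # sqlite-based new default
}


def detect_nssdb(directory):
    """Map each format found in `directory` to its present and missing files."""
    found = {}
    for fmt, names in NSS_DB_FILES.items():
        present = [n for n in names if os.path.isfile(os.path.join(directory, n))]
        if present:
            missing = [n for n in names if n not in present]
            found[fmt] = {"present": present, "missing": missing}
    return found


def complete_formats(directory):
    """Formats whose three files are all present; partial sets do not count."""
    return sorted(f for f, i in detect_nssdb(directory).items() if not i["missing"])


def nssdb_exists(directory):
    """Format-tolerant existence check (hypothetical helper, not FreeIPA's)."""
    return bool(complete_formats(directory))


def make_db(directory, names):
    """Create empty placeholder files; constructed sample input only."""
    for name in names:
        open(os.path.join(directory, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_db(d, NSS_DB_FILES["sql"])
        make_db(d, ["cert8.db"])  # constructed case: stray legacy file
        print(complete_formats(d), detect_nssdb(d).get("dbm"))
```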
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1496562
Metadata Update from @pvoborni: - Issue priority set to: critical - Issue set to the milestone: FreeIPA 4.7
Note that this is more complicated than just testing for file existence. We need to accommodate backup and restore as well, upgrade, etc.
Typically in the past IPA has not supported downgrade at all so perhaps that can be ignored.
If this is done in conjunction with switch from mod_nss to mod_ssl then there will/should be less work on the Apache side as a conversion will already be necessary there.
Duplicate of #7049?
Commit https://pagure.io/freeipa/c/007174492908db3e3e7f45f768df1cebb79738a6 took care of NSSDB SQL format support.
There hasn't been an update to the Fedora package since then, however, so this is still breaking FreeIPA in Rawhide.
We need to put FreeIPA 4.6.2 into Fedora F27 and rawhide. Anyway, closing as dup of #7049.
Metadata Update from @pvoborni: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)