ipa/0095-DNS-detect-when-OpenSSL-engine-should-be-removed-on-.patch
Florence Blanc-Renaud fc525ba5be ipa-4.12.2-18
- Resolves: RHEL-89979 Support OpenSSL provider API
- Resolves: RHEL-25007 [RFE] Give warning when adding user with UID out of any ID range
- Resolves: RHEL-93484 Unable to modify IPA config; --ipaconfigstring="" causes internal error
- Resolves: RHEL-89834 Include latest fixes in python3-ipatests package
- Resolves: RHEL-88833 kdb: ipadb_get_connection() succeeds but returns null LDAP context
- Resolves: RHEL-79072 ipa idrange-add --help should be more clear about required options
- Resolves: RHEL-68803 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change'
- Resolves: RHEL-30825 IDM - When creating an ID range, should require a RID

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2025-06-04 16:39:13 +02:00


From 3094ef83b898bb7b7a3e835084e444fd403c6ee8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 1 Apr 2025 14:53:24 +0300
Subject: [PATCH] DNS: detect when OpenSSL engine should be removed on upgrade

For OpenSSL Provider API use we don't need 'named -E engine-name'
anymore, it has to be removed. The removal process is slightly
complicated because we need to detect '-E engine-name' and compare it
with the engine we know about (pkcs11) but if we are upgrading to the
build that supports OpenSSL Provider API, we don't know the engine name
anymore.

Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/dnskeysyncinstance.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1979a472dd882a70cb0a41d782689debc66017a9..ae8a67a007cab36f81bf931e24755d3744265b8c 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -149,7 +149,19 @@ class DNSKeySyncInstance(service.Service):
if options:
pattern = r"[ ]*-[a-zA-Z46]*E[ ]*(.*?)(?: |$)"
engines = re.findall(pattern, options)
- if engines and engines[-1] == constants.NAMED_OPENSSL_ENGINE:
+
+ # if no '-E <engine-name>' and we switched to the provider API,
+ # just exist, no named configuration to adjust
+ if len(engines) == 0 and constants.NAMED_OPENSSL_ENGINE is None:
+ return False
+
+ # Something is configured in '-E <engine-name>' but we don't have
+ # an engine name to compare because we already switched to the
+ # provider API, we only need to ensure old engine ref is removed.
+ if constants.NAMED_OPENSSL_ENGINE is None:
+ return True
+
+ if engines[-1] == constants.NAMED_OPENSSL_ENGINE:
return True
return False
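Review bot: The last added check, `if engines[-1] == constants.NAMED_OPENSSL_ENGINE:`, no longer has the `engines and` guard that the removed line carried. When `options` has no `-E` and `constants.NAMED_OPENSSL_ENGINE` is still set (a build that keeps the engine), neither of the two new early returns fires, `engines` is an empty list, and `engines[-1]` raises IndexError where the old code fell through to `return False`. Suggest either keeping the guard (`if engines and engines[-1] == ...`) or turning the first check into a plain `if not engines: return False`, which covers both the provider and the engine case. Minor: the first new comment says "just exist", which should read "just exit".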
--
2.49.0