From 372c2fc99021c037f00a6819baa44b64900de479 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 22 Nov 2018 18:31:38 +0100 Subject: [PATCH] ipaldap.py: fix method creating a ldap filter for IPACertificate ipa user-find --certificate and ipa host-find --certificate fail to return matching entries, because the method transforming the attribute into a LDAP filter does not properly handle IPACertificate objects. Directory Server logs show a filter with (usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>) When the attribute contains a cryptography.x509.Certificate, the method needs to extract the public bytes instead of calling str(value). Fixes https://pagure.io/freeipa/issue/7770 Reviewed-By: Christian Heimes
---
 ipapython/ipaldap.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 48988b017..066f65dc4 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -33,6 +33,7 @@ from urllib.parse import urlparse
 import warnings
 from cryptography import x509 as crypto_x509
+from cryptography.hazmat.primitives import serialization
 import ldap
 import ldap.sasl
@@ -1289,6 +1290,8 @@ class LDAPClient:
 ]
 return cls.combine_filters(flts, rules)
 elif value is not None:
+ if isinstance(value, crypto_x509.Certificate):
+ value = value.public_bytes(serialization.Encoding.DER)
 if isinstance(value, bytes):
 value = binascii.hexlify(value).decode('ascii')
 # value[-2:0] is empty string for the initial '\\'
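Review bot: The new `isinstance(value, crypto_x509.Certificate)` branch in the second hunk has no comment explaining the conversion, and it only fixes the reported case if `ipalib.x509.IPACertificate` (the type named in the commit message) passes that check, which is not visible here. I would add a comment above it such as `# match certificates on their DER bytes; str() would put the object's repr into the filter`, so that the reliance on the byte-escaping branch right below is explicit. A regression test that builds a filter from an IPACertificate and asserts the value comes out as escaped DER bytes would stop this from silently falling back to `str(value)` again, which is presumably the path that produced the filter quoted in the commit message. The enclosing method starts and ends outside the hunk.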