ipaldap.py: fix method creating a ldap filter for IPACertificate

ipa user-find --certificate and ipa host-find --certificate
fail to return matching entries, because the method transforming
the attribute into an LDAP filter does not properly handle
IPACertificate objects.
Directory Server logs show a filter with
(usercertificate=<ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)

When the attribute contains a cryptography.x509.Certificate,
the method needs to extract the public bytes instead of calling str(value).

Fixes https://pagure.io/freeipa/issue/7770

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Florence Blanc-Renaud
2018-11-22 18:31:38 +01:00
committed by Rob Crittenden
parent 3243498faa
commit 372c2fc990


@@ -33,6 +33,7 @@ from urllib.parse import urlparse
import warnings import warnings
from cryptography import x509 as crypto_x509 from cryptography import x509 as crypto_x509
from cryptography.hazmat.primitives import serialization
import ldap import ldap
import ldap.sasl import ldap.sasl
@@ -1289,6 +1290,8 @@ class LDAPClient:
] ]
return cls.combine_filters(flts, rules) return cls.combine_filters(flts, rules)
elif value is not None: elif value is not None:
if isinstance(value, crypto_x509.Certificate):
value = value.public_bytes(serialization.Encoding.DER)
if isinstance(value, bytes): if isinstance(value, bytes):
value = binascii.hexlify(value).decode('ascii') value = binascii.hexlify(value).decode('ascii')
# value[-2:0] is empty string for the initial '\\' # value[-2:0] is empty string for the initial '\\'
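Review bot: The new `isinstance(value, crypto_x509.Certificate)` check in the `elif value is not None:` arm has no comment explaining that it must come before the `bytes` check, and that ordering is what makes the fix work. The DER bytes fall through to the existing hexlify and backslash escaping, so the certificate reaches the filter as an escaped binary value instead of an object repr. I would add `# Match certificates on their DER encoding; must precede the bytes check so the result is hex-escaped below`. The commit message says callers pass ipalib.x509.IPACertificate, so the check presumably relies on that class being recognized as a `crypto_x509.Certificate`; no regression test for `user-find --certificate` is visible here to pin that. The enclosing method starts and ends outside the hunk.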