ipaldap.py: fix method creating a ldap filter for IPACertificate

ipa user-find --certificate and ipa host-find --certificate fail to return matching entries, because the method transforming the attribute into a LDAP filter does not properly handle IPACertificate objects. Directory Server logs show a filter with (usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>) When the attribute contains a cryptography.x509.Certificate, the method needs to extract the public bytes instead of calling str(value). Fixes https://pagure.io/freeipa/issue/7770 Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-11-22 18:31:38 +01:00
parent 3243498faa
commit 372c2fc990
1 changed files with 3 additions and 0 deletions
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -33,6 +33,7 @@ from urllib.parse import urlparse
 import warnings

 from cryptography import x509 as crypto_x509
+from cryptography.hazmat.primitives import serialization

 import ldap
 import ldap.sasl
@@ -1289,6 +1290,8 @@ class LDAPClient:
            ]
            return cls.combine_filters(flts, rules)
        elif value is not None:
+            if isinstance(value, crypto_x509.Certificate):
+                value = value.public_bytes(serialization.Encoding.DER)
            if isinstance(value, bytes):
                value = binascii.hexlify(value).decode('ascii')
                # value[-2:0] is empty string for the initial '\\'