From ceb26f5ac428cdbed8ec1fa89e9ed6f1d903a5a0 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Fri, 16 Dec 2016 14:19:00 +0100 Subject: [PATCH] ca: fix ca-find with --pkey-only Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail with internal error if --pkey-only is specified, because the code to look up the CA certificate and certificate chain assumes that the ipaCAId attribute is always present in the result. Fix this by not attempting to lookup the certificate / chain at all when --pkey-only is specified. https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Fraser Tweedale --- ipaserver/plugins/ca.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 2510a7998..f02c1444f 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -162,7 +162,10 @@ class ca(LDAPObject): def set_certificate_attrs(entry, options, want_cert=True): - ca_id = entry['ipacaid'][0] + try: + ca_id = entry['ipacaid'][0] + except KeyError: + return full = options.get('all', False) want_chain = options.get('chain', False) @@ -192,8 +195,9 @@ class ca_find(LDAPSearch): def execute(self, *keys, **options): ca_enabled_check() result = super(ca_find, self).execute(*keys, **options) - for entry in result['result']: - set_certificate_attrs(entry, options, want_cert=False) + if not options.get('pkey_only', False): + for entry in result['result']: + set_certificate_attrs(entry, options, want_cert=False) return result