freeipa/ipapython
Rob Crittenden ba526c5cb0 Don't store entries with a usercertificate in the LDAP cache
usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.

What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.

I'm not comfortable with simply treating them the same because
in LDAP they are not.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2021-09-16 13:16:17 -04:00
..
install pylint: Fix several warnings 2021-03-30 09:58:42 +02:00
__init__.py Rename ipa-python directory to ipapython so it is a real python library 2009-02-09 14:35:15 -05:00
admintool.py Treat container subplatforms like main platform 2020-08-07 17:54:06 +03:00
certdb.py When loading certificates verify that it is X.509 v3 2021-06-14 15:19:42 -04:00
config.py Unify access to FQDN 2020-10-26 17:11:19 +11:00
cookie.py handle Y2038 in timestamp to datetime conversions 2020-06-25 09:18:02 +03:00
directivesetter.py Grammar: whitespace is a word 2020-06-23 10:16:29 +02:00
dn_ctypes.py Load libldap_r-*.so.2 2019-05-14 12:27:55 +02:00
dn.py Removes several pylint warnings. 2019-09-27 09:38:32 +02:00
dnsutil.py dnsutil: Improvements for IPA DNS Resolver 2021-05-25 10:45:49 +03:00
dogtag.py Parse cert chain as JSON not XML 2021-08-09 08:44:52 +02:00
errors.py Replace StandardError with Exception 2015-09-30 10:51:36 +02:00
fqdn.py Easier to use ipa_gethostfqdn() 2020-10-26 17:11:19 +11:00
graph.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
ipa_log_manager.py Remove deprecated object logger 2019-04-23 12:55:35 +02:00
ipachangeconf.py Fixed errors newly exposed by pylint 2.4.0 2019-09-25 20:14:06 +10:00
ipaldap.py Don't store entries with a usercertificate in the LDAP cache 2021-09-16 13:16:17 -04:00
ipautil.py trust-fetch-domains: use custom krb5.conf overlay for all trust operations 2021-01-22 12:21:33 -05:00
ipavalidate.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
kerberos.py Py3: Replace six.bytes_type with bytes 2018-09-27 16:11:18 +02:00
kernel_keyring.py Don't configure KEYRING ccache in containers 2019-01-18 11:33:11 +01:00
Makefile.am ipapython: fix DEFAULT_PLUGINS in version.py 2017-03-09 18:39:48 +01:00
nsslib.py Remove ipapython.nsslib as it is not used anymore 2017-03-01 09:43:41 +00:00
README Replace DNS client based on acutil with python-dns 2012-05-24 13:55:56 +02:00
session_storage.py Fix pylint warnings inconsistent-return-statements 2017-12-18 11:51:14 +01:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Add helpers for resolve1 and nameservers 2020-09-23 16:44:26 +02:00
ssh.py Allow multiple permitopen/permitlisten in SSH keys 2021-03-29 10:06:07 +03:00
version.py.in Manually reformat ipapython/version.py.in 2020-05-05 10:42:46 +02:00

This is a set of libraries common to IPA clients and servers though mostly
geared currently towards command-line tools.

A brief overview:

config.py - identify the IPA server domain and realm. It uses python-dns to
            try to detect this information first and will fall back to
            /etc/ipa/default.conf if that fails.

ipautil.py - helper functions

entity.py - entity is the main data type. User and Group extend this class
            (but don't add anything currently).

ipavalidate.py - basic data validation routines