Hello,

Please see the attached patch of https://fedorahosted.org/freeipa/ticket/5797.

Standa

From 5f59311092d7f2205287d8c2945325d1017c866a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Thu, 9 Jun 2016 13:13:24 +0200
Subject: [PATCH] host/service-show/find shouldn't fail on invalid certificate

host/service-show/find methods would have failed if the first
certificate they had in userCertificate attribute were invalid.
Expected behavior is that they just show the rest of the requested
attributes.

https://fedorahosted.org/freeipa/ticket/5797
---
 ipaserver/plugins/host.py    | 13 +++++++++++--
 ipaserver/plugins/service.py | 14 ++++++++++++--
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index e59e0fa93c9fc0b9c6fccc36421d3489678a0eb2..83393e3952dc043dd7ce5c1659cfc753f481b17b 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -1023,7 +1023,12 @@ class host_find(LDAPSearch):
         if options.get('pkey_only', False):
             return truncated
         for entry_attrs in entries:
-            set_certificate_attrs(entry_attrs)
+            try:
+                set_certificate_attrs(entry_attrs)
+            except errors.CertificateFormatError as e:
+                self.log.debug(e)
+                del(entry_attrs['usercertificate'])
+
             set_kerberos_attrs(entry_attrs, options)
             rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
             self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
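Review bot: The `del(entry_attrs['usercertificate'])` in the new except branch discards every certificate in the entry, not only the one that failed to parse, so a host with one corrupt blob and several valid ones now shows no certificates at all; the commit message talks about the first certificate being invalid, which suggests the intent was narrower. Unless set_certificate_attrs is known to fail only on a wholly unusable attribute, the per-value handling belongs inside that helper (or in a small wrapper around it) so the valid values are kept and only the bad one is skipped; the same pattern is repeated in the host_show hunk and in both service.py hunks. Logging the failure at debug level also means an operator will normally never learn that a stored certificate is unparseable, which is worth surfacing, e.g. `self.log.warning('Invalid certificate in %s: %s', entry_attrs.dn, e)` (this presumes entry_attrs exposes dn as the service hunks use it). Finally, `del` is a statement, so the idiomatic form is `del entry_attrs['usercertificate']` without the parentheses.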
@@ -1065,8 +1070,12 @@ class host_show(LDAPRetrieve):
             # If an OTP is set there is no keytab, at least not one
             # fetched anywhere.
             entry_attrs['has_keytab'] = False
+        try:
+            set_certificate_attrs(entry_attrs)
+        except errors.CertificateFormatError as e:
+            self.log.debug(e)
+            del(entry_attrs['usercertificate'])
 
-        set_certificate_attrs(entry_attrs)
         set_kerberos_attrs(entry_attrs, options)
         rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
 
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7b8f2a7aa8711bc8bf6f2e42c5794c8cf358f252..2b82b8fd4a65766f6e0ebe1a6c6516a622e67c28 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -698,7 +698,12 @@ class service_find(LDAPSearch):
             return truncated
         for entry_attrs in entries:
             self.obj.get_password_attributes(ldap, entry_attrs.dn, entry_attrs)
-            set_certificate_attrs(entry_attrs)
+            try:
+                set_certificate_attrs(entry_attrs)
+            except errors.CertificateFormatError as e:
+                self.log.debug(e)
+                del(entry_attrs['usercertificate'])
+
             set_kerberos_attrs(entry_attrs, options)
             rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
         return truncated
@@ -721,7 +726,12 @@ class service_show(LDAPRetrieve):
         assert isinstance(dn, DN)
         self.obj.get_password_attributes(ldap, dn, entry_attrs)
 
-        set_certificate_attrs(entry_attrs)
+        try:
+            set_certificate_attrs(entry_attrs)
+        except errors.CertificateFormatError as e:
+            self.log.debug(e)
+            del(entry_attrs['usercertificate'])
+
         set_kerberos_attrs(entry_attrs, options)
         rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
 
-- 
2.5.5
