Hello,
Please see the attached patch for
https://fedorahosted.org/freeipa/ticket/5797.
Standa
From 5f59311092d7f2205287d8c2945325d1017c866a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Thu, 9 Jun 2016 13:13:24 +0200
Subject: [PATCH] host/service-show/find shouldn't fail on invalid certificate
host/service-show/find methods would have failed if the first
certificate they had in the userCertificate attribute was invalid.
The expected behavior is that they just show the rest of the requested
attributes.
https://fedorahosted.org/freeipa/ticket/5797
---
ipaserver/plugins/host.py | 13 +++++++++++--
ipaserver/plugins/service.py | 14 ++++++++++++--
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index e59e0fa93c9fc0b9c6fccc36421d3489678a0eb2..83393e3952dc043dd7ce5c1659cfc753f481b17b 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -1023,7 +1023,12 @@ class host_find(LDAPSearch):
if options.get('pkey_only', False):
return truncated
for entry_attrs in entries:
- set_certificate_attrs(entry_attrs)
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.log.debug(e)
+ del(entry_attrs['usercertificate'])
+
set_kerberos_attrs(entry_attrs, options)
rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
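Review bot: The except branch in host_find logs the CertificateFormatError only at debug level and without naming the entry, so unless debug logging is enabled a host holding unparseable certificate data is indistinguishable in the output from a host with no certificate at all. That is a silent gap for anyone auditing which certificates are attached to hosts and services. I would log it at warning level with the DN, e.g. `self.log.warning("invalid certificate in %s: %s", entry_attrs.dn, e)`. The identical blocks in host_show, service_find and service_show have the same issue. The method bodies begin and end outside these hunks.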
@@ -1065,8 +1070,12 @@ class host_show(LDAPRetrieve):
# If an OTP is set there is no keytab, at least not one
# fetched anywhere.
entry_attrs['has_keytab'] = False
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.log.debug(e)
+ del(entry_attrs['usercertificate'])
- set_certificate_attrs(entry_attrs)
set_kerberos_attrs(entry_attrs, options)
rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
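Review bot: `del(entry_attrs['usercertificate'])` in host_show drops the whole attribute, so if the entry holds several certificates and only one is malformed, the well-formed ones presumably disappear from the result as well. The commit message speaks of the "first certificate" being invalid, which suggests multi-valued entries are expected. Whether set_certificate_attrs could skip just the bad value is not visible from this hunk. At minimum a comment such as `# one value failed to parse; hide all certificate values rather than fail the command` would make the trade-off explicit. `del` is a statement, so `del entry_attrs['usercertificate']` is the usual spelling; both remarks apply to the other three hunks too.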
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7b8f2a7aa8711bc8bf6f2e42c5794c8cf358f252..2b82b8fd4a65766f6e0ebe1a6c6516a622e67c28 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -698,7 +698,12 @@ class service_find(LDAPSearch):
return truncated
for entry_attrs in entries:
self.obj.get_password_attributes(ldap, entry_attrs.dn, entry_attrs)
- set_certificate_attrs(entry_attrs)
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.log.debug(e)
+ del(entry_attrs['usercertificate'])
+
set_kerberos_attrs(entry_attrs, options)
rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
return truncated
@@ -721,7 +726,12 @@ class service_show(LDAPRetrieve):
assert isinstance(dn, DN)
self.obj.get_password_attributes(ldap, dn, entry_attrs)
- set_certificate_attrs(entry_attrs)
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.log.debug(e)
+ del(entry_attrs['usercertificate'])
+
set_kerberos_attrs(entry_attrs, options)
rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
--
2.5.5