On 09.06.2016 16:04, Fraser Tweedale wrote:
On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote:

On 09.06.2016 15:03, Martin Basti wrote:

On 09.06.2016 15:02, Stanislav Laznicka wrote:
On 06/09/2016 02:51 PM, Rob Crittenden wrote:
Stanislav Laznicka wrote:
Hello,

Please see the attached patch of
https://fedorahosted.org/freeipa/ticket/5797.

Standa



Just wondering out loud but should usercertificate be excluded
from the output if it is unparsable? Is there any value in
showing that a bogus value is in there?

rob
I think it is a good pointer that something has gone wrong with the
certificate. Another way would be to print 'Invalid certificate'
instead of it similar to what Apache LDAP Browser does.

We can return a warning message that something with certificates is
broken.

Martin^2

And you should log it at error log level, because it is an error.

Is the data from LDAP actually invalid?  It should not be possible
to store data that is not a syntactically valid X.509 cert in the
userCertificate attribute (if it is, we should file a ticket against
389).

Is there a full traceback for the original error of #5797?  What is
the datum that is the immediate cause of the error and what happens
to it between the database and the function that throws?

Could it be a python3 bytes/str problem originating in
x509.normalize_certificate?

Cheers,
Fraser

I was able to put invalid certificate data there using ldif and ldapadd.

I can try to reproduce it later or next week.

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
