On Thu, Jul 14, 2016 at 03:51:18PM +0530, Geetika Kapoor wrote:
>
>
> On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
> >
> > On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
> >> On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote:
> >>> On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
> >>>> On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
> >>>>> On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
> >>>>>> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Please review this patch. Below is a small summary about this fix and
> >>>>>>> what we are trying to achieve.
> >>>>>>>
> >>>>>>> CLI : pki-server db-upgrade
> >>>>>>>
> >>>>>>> what it should be doing is if it sees that issuerName doesn't
> >>>>>>> exist, NULL
> >>>>>>> it will add it itself.
> >>>>>>>
> >>>>>>> Operation 1 : Search for the empty cn value for issuerName
> >>>>>>> -------------------------------------------------------------------------------
> >>>>>>>
> >>>>>>> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
> >>>>>>> tried this it didn't show data even if I have record with empty
> >>>>>>> issuerName
> >>>>>>>
> >>>>>> Hi Geetika,
> >>>>>>
> >>>>>> The current filter is actually:
> >>>>>>
> >>>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))',
> >>>>>>
> >>>>>> This should match entries missing the issuerName attribute. You
> >>>>>> talk about an entry with "empty issuerName" but empty strings are
> >>>>>> not allowed for the Directory String attribute type. Could you
> >>>>>> please clarify exactly what data is in the offending entry/entries
> >>>>>> and how it got there?
> >>>>> Hi Fraser,
> >>>>>
> >>>>> If we disable syntax check in ldap dse.ldif, it will accept empty
> >>>>> data as well. So if an end user disables syntax check, issuerName can be
> >>>>> empty in that case. (a test case that I tried)
> >>>>> So in that case db-update will never happen because that condition is
> >>>>> not considered. This scenario can be reproduced using below ldif file.
> >>>>>
> >>>>> <file>
> >>>>>
> >>>>> dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
> >>>>> objectClass: certificateRecord
> >>>>> objectClass: top
> >>>>> cn: 106
> >>>>> algorithmId: 1.2.840.113549.1.1.1
> >>>>> autoRenew: ENABLED
> >>>>> certStatus: VALID
> >>>>> dateOfCreate: 20160712084443Z
> >>>>> dateOfModify: 20160712084443Z
> >>>>> duration: 1131536000000
> >>>>> issuedBy: geetika20
> >>>>> *issuerName: *
> >>>>> metaInfo: requestId:100
> >>>>> notAfter: 20170712084205Z
> >>>>> notBefore: 20160712084205Z
> >>>>> publicKeyData::
> >>>>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
> >>>>> serialno: 100
> >>>>> signingAlgorithmId: 1.2.840.113549.1.1.11
> >>>>> subjectName: CN=CS Administrator,C=US
> >>>>> userCertificate;binary::
> >>>>> MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
> >>>>> version: 2
> >>>>>
> >>>>> </file>
> >>>>>
> >>>>> So in such a case using
> >>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))', will not be able to
> >>>>> search for such entries. I tried and it gives me empty data. I believe
> >>>>> using (&(objectclass=certificateRecord)
> >>>>> (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
> >>>>>
> >>>>> Thanks
> >>>>> Geetika
> >>>> Hi Fraser,
> >>>>
> >>>> I just did one quick round of testing. If we have
> >>>> '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in
> >>>> both cases :
> >>>>
> >>>> 1. When issuerName doesn't exist.
> >>>> 2. When issuerName field exists but has empty value.
> >>>>
> >>>> Thanks
> >>>> Geetika
> >>>>
> >>> I still disagree that it is the right approach, because it may do
> >>> unnecessary work for records that already have an issuerName that
> >>> does not start with "cn".
> >>>
> >>> Is it even necessary to support cases where customer has disabled
> >>> syntax checking? Nevertheless, let me disable syntax checking on
> >>> one of my instances and see if I can find a better filter.
> >>>
> >> Please try this filter:
> >>
> >> (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
> >>
> >> It will find only certificates with missing or empty issuername
> >> attribute. Does it work as expected for you, Geetika?
> > Let me try, Fraser..
> >
> > Thanks
>
> Thanks Fraser for helping in giving a better solution.
>
You're welcome. ACK, and pushed to master:
c3ff087bd07cde4cd272defad499fd4d8367e5c1

_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
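
An added example, not part of the original thread or of the PKI code base: a small Python model that evaluates the three filters discussed above against constructed records, showing which ones each filter would select for upgrade. It assumes a presence filter matches an attribute stored with an empty value (the behaviour reported in the thread) and case-insensitive matching; `select`, `matches`, the record list and the issuer DNs are hypothetical.

```python
import re

def _node(s):
    if s[:1] != "(":
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s, kids = s[0], s[1:], []
        while s[:1] == "(":
            kid, s = _node(s)
            kids.append(kid)
        if s[:1] != ")" or not kids:
            raise ValueError("malformed composite filter")
        return (op, kids), s[1:]
    item, close, s = s.partition(")")
    attr, eq, value = item.partition("=")
    if not (close and eq and attr):
        raise ValueError("malformed filter item: " + item)
    return ("item", attr.lower(), value.lower()), s

def matches(node, entry):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    stored = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                       # presence: an empty value still counts
        return bool(stored)
    if "*" in value:                       # substring match such as cn*
        pattern = ".*".join(re.escape(p) for p in value.split("*"))
        return any(re.fullmatch(pattern, v) for v in stored)
    return value in stored                 # equality; (attr=) matches ""

# Constructed records as (cn, issuerName values); 106 mirrors the thread's LDIF.
RECORDS = [("105", []), ("106", [""]),
           ("107", ["CN=CA Signing Certificate,O=EXAMPLE"]),
           ("108", ["O=EXAMPLE,OU=Test CA"])]
ORIGINAL = "(&(objectclass=certificateRecord)(!(issuerName=*)))"
CN_PREFIX = "(&(objectclass=certificateRecord)(!(issuerName=cn*)))"
SUGGESTED = "(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))"

def select(filter_text):
    tree, rest = _node(filter_text.strip())
    if rest:
        raise ValueError("trailing text after filter")
    return [cn for cn, issuer in RECORDS if matches(
        tree, {"objectclass": ["certificateRecord"], "cn": [cn], "issuername": issuer})]
```

In this model `select(ORIGINAL)` skips record 106, `select(CN_PREFIX)` also picks up record 108 whose issuer is already populated, and `select(SUGGESTED)` returns only the missing and empty cases.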