Re: [SSSD] [PATCH] Switch ldap_user_certificate default to userCertificate; binary

2015-08-21 Thread Simo Sorce
On Fri, 2015-08-21 at 09:50 +0200, Jan Cholasta wrote:
 Hi,
 
 On 10.8.2015 12:59, Jakub Hrozek wrote:
  Hi,
 
  the attached patches fix #2742. The first one makes sure we can print
  the certificate (or any binary attribute, really) safely. We only need
  to make sure to escape the attribute values before saving them to sysdb,
  because then ldb guarantees terminating them.
 
  The second just switches the attribute value. I tested using this howto:
   http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
 
  You'll also want to use a recent enough IPA version, one that fixes:
   https://fedorahosted.org/freeipa/ticket/5173
 
  Then, on the client, call:
   dbus-send --print-reply \
 --system \
 --dest=org.freedesktop.sssd.infopipe \
 /org/freedesktop/sssd/infopipe/Users \
 org.freedesktop.sssd.infopipe.Users.FindByCertificate \
 string:$( openssl x509  cert.pem )
 
  The result will be an object path.
 
 LGTM, but I would think userCertificate;binary should be the default 
 everywhere, i.e. generic LDAP, as that is the correct attribute name 
 according to RFC 4523. IMHO when someone uses the standard name in 
 generic LDAP, they should not be forced to change SSSD configuration 
 because of it.

+1

Simo

-- 
Simo Sorce * Red Hat, Inc * New York

___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
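The first patch quoted above escapes binary attribute values (such as a DER-encoded userCertificate;binary) before they reach sysdb, so that embedded NUL and non-printable bytes cannot truncate or corrupt later printing. The following is an added example written for this page, not the SSSD or ldb code: a small escaper that turns a raw buffer into a printable, NUL-terminated string; the `\XX` hex scheme is an assumption chosen to illustrate the idea, not ldb's actual encoding.

```c
/* Added example (not SSSD/ldb source): escape a binary LDAP attribute
 * value into a printable, NUL-terminated C string so it can safely be
 * stored in a string-keyed store or passed to "%s". Non-printable bytes
 * and the escape character '\\' are written as \XX (uppercase hex);
 * this scheme is an assumption for illustration only. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a malloc'd, NUL-terminated, printable copy of buf[0..len).
 * The caller frees the result. Returns NULL on allocation failure. */
char *escape_binary_value(const unsigned char *buf, size_t len)
{
    /* Worst case: every byte becomes "\XX" (3 chars), plus the NUL. */
    char *out = malloc(len * 3 + 1);
    if (out == NULL) {
        return NULL;
    }
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (isprint(c) && c != '\\') {
            out[o++] = (char)c;
        } else {
            /* Embedded NULs, control bytes, high bytes and '\\' are
             * hex-escaped; sprintf returns the 3 chars it wrote. */
            o += (size_t)sprintf(out + o, "\\%02X", (unsigned)c);
        }
    }
    out[o] = '\0';
    return out;
}

/* Constructed sample input: a DER-like prefix containing an embedded
 * 0x00 byte, which would cut a naive strlen()/"%s" of the raw buffer
 * short, followed by printable text, a backslash and a high byte. */
static const unsigned char sample_der[] = {
    0x30, 0x82, 0x01, 0x00, 'A', 'B', '\\', 0xff
};

int main(void)
{
    char *s = escape_binary_value(sample_der, sizeof(sample_der));
    if (s == NULL) {
        return 1;
    }
    printf("%s\n", s);   /* all 8 input bytes survive, none are lost */
    free(s);
    return 0;
}
```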


Re: [SSSD] [PATCH] Switch ldap_user_certificate default to userCertificate; binary

2015-08-21 Thread Jan Cholasta

Hi,

On 10.8.2015 12:59, Jakub Hrozek wrote:

Hi,

the attached patches fix #2742. The first one makes sure we can print
the certificate (or any binary attribute, really) safely. We only need
to make sure to escape the attribute values before saving them to sysdb,
because then ldb guarantees terminating them.

The second just switches the attribute value. I tested using this howto:
 http://www.freeipa.org/page/V4/User_Certificates#How_to_Test

You'll also want to use a recent enough IPA version, one that fixes:
 https://fedorahosted.org/freeipa/ticket/5173

Then, on the client, call:
 dbus-send --print-reply \
   --system \
   --dest=org.freedesktop.sssd.infopipe \
   /org/freedesktop/sssd/infopipe/Users \
   org.freedesktop.sssd.infopipe.Users.FindByCertificate \
   string:$( openssl x509  cert.pem )

The result will be an object path.


LGTM, but I would think userCertificate;binary should be the default 
everywhere, i.e. generic LDAP, as that is the correct attribute name 
according to RFC 4523. IMHO when someone uses the standard name in 
generic LDAP, they should not be forced to change SSSD configuration 
because of it.


Honza

--
Jan Cholasta


Re: [SSSD] [PATCH] Switch ldap_user_certificate default to userCertificate; binary

2015-08-14 Thread Jakub Hrozek
On Thu, Aug 13, 2015 at 12:43:35PM +0200, Pavel Březina wrote:
 On 08/10/2015 12:59 PM, Jakub Hrozek wrote:
 Hi,
 
 the attached patches fix #2742. The first one makes sure we can print
 the certificate (or any binary attribute, really) safely. We only need
 to make sure to escape the attribute values before saving them to sysdb,
 because then ldb guarantees terminating them.
 
 The second just switches the attribute value. I tested using this howto:
  http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
 
 You'll also want to use a recent enough IPA version, one that fixes:
  https://fedorahosted.org/freeipa/ticket/5173
 
 Then, on the client, call:
  dbus-send --print-reply \
--system \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.FindByCertificate \
string:$( openssl x509  cert.pem )
 
 The result will be an object path.
 
 Ack.

Thanks for the patience during the tmate.io review :-)

Pushed to master:
32445affe3612428eddde043cdc672a01c189714
619e21ed9c7a71e35e53f38867b53ed974f1d36a


Re: [SSSD] [PATCH] Switch ldap_user_certificate default to userCertificate; binary

2015-08-13 Thread Pavel Březina

On 08/10/2015 12:59 PM, Jakub Hrozek wrote:

Hi,

the attached patches fix #2742. The first one makes sure we can print
the certificate (or any binary attribute, really) safely. We only need
to make sure to escape the attribute values before saving them to sysdb,
because then ldb guarantees terminating them.

The second just switches the attribute value. I tested using this howto:
 http://www.freeipa.org/page/V4/User_Certificates#How_to_Test

You'll also want to use a recent enough IPA version, one that fixes:
 https://fedorahosted.org/freeipa/ticket/5173

Then, on the client, call:
 dbus-send --print-reply \
   --system \
   --dest=org.freedesktop.sssd.infopipe \
   /org/freedesktop/sssd/infopipe/Users \
   org.freedesktop.sssd.infopipe.Users.FindByCertificate \
   string:$( openssl x509  cert.pem )

The result will be an object path.


Ack.



Re: [SSSD] [PATCH] Switch ldap_user_certificate default to userCertificate; binary

2015-08-12 Thread Jakub Hrozek
On Mon, Aug 10, 2015 at 12:59:24PM +0200, Jakub Hrozek wrote:
 Hi,
 
 the attached patches fix #2742. The first one makes sure we can print
 the certificate (or any binary attribute, really) safely. We only need
 to make sure to escape the attribute values before saving them to sysdb,
 because then ldb guarantees terminating them.
 
 The second just switches the attribute value. I tested using this howto:
 http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
 
 You'll also want to use a recent enough IPA version, one that fixes:
 https://fedorahosted.org/freeipa/ticket/5173
 
 Then, on the client, call:
 dbus-send --print-reply \
   --system \
   --dest=org.freedesktop.sssd.infopipe \
   /org/freedesktop/sssd/infopipe/Users \
   org.freedesktop.sssd.infopipe.Users.FindByCertificate \
   string:$( openssl x509  cert.pem )
 
 The result will be an object path.

Jan, any chance you can test these patches if I build you a package?
(Sorry, Sumit is on vacation)