URL: https://github.com/freeipa/freeipa/pull/5114
Author: tiran
 Title: #5114: Duplicate CA CRT: ignore expected cert
Action: opened

PR body:
"""
When searching for duplicate CA certs, ignore the one expected entry.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5114/head:pr5114
git checkout pr5114
From 870ab4ea99f83f6e71587a0fa77ac7938e191f31 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Sep 2020 09:55:30 +0200
Subject: [PATCH] Duplicate CA CRT: ignore expected cert

When searching for duplicate CA certs, ignore the one expected entry.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .../plugins/update_fix_duplicate_cacrt_in_ldap.py  | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
index 31a16596bb..40a9e0ea95 100644
--- a/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
+++ b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
@@ -52,13 +52,22 @@ def execute(self, **options):
             ldap,
             self.api.env.container_ca,
             self.api.env.basedn)
+        cacert_nick = get_ca_nickname(self.api.env.realm)
 
         # Find if there are other certificates with the same subject
         # They are duplicates resulting of BZ 1480102
         base_dn = DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
                      self.api.env.basedn)
+        filter = ldap.combine_filters(
+            [
+                # all certificates with CA cert subject
+                ldap.make_filter({'ipaCertSubject': cacert_subject}),
+                # except the default certificate
+                ldap.make_filter({'cn': cacert_nick}, rules=ldap.MATCH_NONE),
+            ],
+            rules=ldap.MATCH_ALL
+        )
         try:
-            filter = ldap.make_filter({'ipaCertSubject': cacert_subject})
             result, _truncated = ldap.find_entries(
                 base_dn=base_dn,
                 filter=filter,
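Review bot: The new local `filter` introduced at the `filter = ldap.combine_filters(` line keeps shadowing the builtin, and because it now lives outside the `try` its scope is wider than before; naming it `dup_filter` and passing `filter=dup_filter` reads better and avoids the shadow. The exclusion of the expected entry now happens server-side via `(!(cn=<nickname>))`, so it depends on `make_filter` escaping the realm-derived nickname; that escaping is in ipaldap and not visible here, worth confirming since the realm string feeds the filter. `execute` starts before this hunk and continues past it.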
@@ -69,10 +78,7 @@ def execute(self, **options):
             return False, []
 
         logger.debug("Found %d entrie(s) for IPA CA in LDAP", len(result))
-        cacert_dn = DN(('cn', get_ca_nickname(self.api.env.realm)), base_dn)
         for entry in result:
-            if entry.dn == cacert_dn:
-                continue
             # Remove the duplicate
             try:
                 ldap.delete_entry(entry)
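Review bot: The debug message `Found %d entrie(s) for IPA CA in LDAP` now reports a count from which the expected entry has already been excluded, so it understates the number of IPA CA entries and a reader will assume the canonical one is included; change it to `logger.debug("Found %d duplicate entrie(s) for IPA CA in LDAP", len(result))`. With the in-loop DN comparison gone, every entry the search returns is handed to `ldap.delete_entry(entry)`, so the LDAP filter is the only guard between this updater and the real CA cert entry; logging `entry.dn` just before the delete (if the code below the hunk does not already) would make an unexpected deletion diagnosable. The `except` branch that returns `False, []` begins above this hunk and the loop body continues below it.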