URL: https://github.com/freeipa/freeipa/pull/5114 Author: tiran Title: #5114: Duplicate CA CRT: ignore expected cert Action: opened
PR body: """ When searching for duplicate CA certs, ignore the one expected entry. Related: https://pagure.io/freeipa/issue/7125 Signed-off-by: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5114/head:pr5114 git checkout pr5114
From 870ab4ea99f83f6e71587a0fa77ac7938e191f31 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Thu, 17 Sep 2020 09:55:30 +0200 Subject: [PATCH] Duplicate CA CRT: ignore expected cert When search for duplicate CA certs ignore the one expected entry. Related: https://pagure.io/freeipa/issue/7125 Signed-off-by: Christian Heimes <chei...@redhat.com> --- .../plugins/update_fix_duplicate_cacrt_in_ldap.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py index 31a16596bb..40a9e0ea95 100644 --- a/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py +++ b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py @@ -52,13 +52,22 @@ def execute(self, **options): ldap, self.api.env.container_ca, self.api.env.basedn) + cacert_nick = get_ca_nickname(self.api.env.realm) # Find if there are other certificates with the same subject # They are duplicates resulting of BZ 1480102 base_dn = DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'), self.api.env.basedn) + filter = ldap.combine_filters( + [ + # all certificates with CA cert subject + ldap.make_filter({'ipaCertSubject': cacert_subject}), + # except the default certificate + ldap.make_filter({'cn': cacert_nick}, rules=ldap.MATCH_NONE), + ], + rules=ldap.MATCH_ALL + ) try: - filter = ldap.make_filter({'ipaCertSubject': cacert_subject}) result, _truncated = ldap.find_entries( base_dn=base_dn, filter=filter, @@ -69,10 +78,7 @@ def execute(self, **options): return False, [] logger.debug("Found %d entrie(s) for IPA CA in LDAP", len(result)) - cacert_dn = DN(('cn', get_ca_nickname(self.api.env.realm)), base_dn) for entry in result: - if entry.dn == cacert_dn: - continue # Remove the duplicate try: ldap.delete_entry(entry)
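Review bot: The expected CA entry is now excluded by an attribute clause, `(!(cn=<nick>))`, rather than by the DN comparison the second hunk drops, and the two are not equivalent: `cn` is matched case-insensitively and can hold several values, so a stray duplicate that also carries the nickname as an extra `cn` value would be skipped by the cleanup, while the canonical entry is recognised only by a value it happens to share with its RDN. The realm-derived nickname is spliced into the search filter, so this also relies on `make_filter` escaping LDAP filter metacharacters (the nickname at least contains spaces) — presumably it does, but that is worth confirming from ipaldap. A comment above the `combine_filters` call would make the contract visible to the next maintainer: `# exclude by cn value, not by DN: cn is case-insensitive and may be multi-valued`. Minor: the assignment is rewritten anyway, so `search_filter` would avoid shadowing the builtin `filter`. `execute` begins before this hunk and continues past it.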
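Review bot: The loop now deletes every entry the search returns, so the only thing standing between this updater and the canonical CA certificate entry under cn=certificates is the `(!(cn=...))` clause built earlier in the function; a wrong filter here would remove exactly the entry the plugin is meant to preserve, which seems worth a defence-in-depth check. Keeping `cacert_dn = DN(('cn', cacert_nick), base_dn)` before the loop and `if entry.dn == cacert_dn: continue` inside it, with a `logger.warning` if the branch ever fires (it would mean the filter is wrong), costs one comparison per entry and reuses the `cacert_nick` the first hunk introduces. The `try` around `ldap.delete_entry` continues outside the hunk, so how a failed delete is reported is not visible from here.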