Hi, the attached patches fix #2742. The first one makes sure we can print the certificate (or any binary attribute, really) safely. We only need to make sure to escape the attribute values before saving them to sysdb, because then ldb guarantees terminating them.
The second just switches the attribute value. I tested using this howto:
http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
You'll also want to use a recent enough IPA version, one that fixes:
https://fedorahosted.org/freeipa/ticket/5173
Then, on the client, call:

    dbus-send --print-reply \
        --system \
        --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe/Users \
        org.freedesktop.sssd.infopipe.Users.FindByCertificate \
        string:"$( openssl x509 < cert.pem )"

The result will be an object path.
>From ac7c546415dad4ae449f1708d8efc53169ab0c9c Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Mon, 10 Aug 2015 12:40:30 +0200 Subject: [PATCH 1/2] LDAP: use ldb_binary_encode when printing attribute values --- src/providers/ldap/sdap_utils.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/providers/ldap/sdap_utils.c b/src/providers/ldap/sdap_utils.c index f5ce8ee54f60a6c4c4cdbd5e50b20d973c175e83..9da46ea70bf80e7f4d12fdfc7d1c97e99de8d000 100644 --- a/src/providers/ldap/sdap_utils.c +++ b/src/providers/ldap/sdap_utils.c @@ -35,6 +35,7 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs, const char *objname = name ?: "object"; const char *desc = attr_desc ?: attr_name; unsigned int num_values, i; + char *printable; ret = sysdb_attrs_get_el(ldap_attrs, attr_name, &el); if (ret) { @@ -50,8 +51,16 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs, } else { num_values = multivalued ? el->num_values : 1; for (i = 0; i < num_values; i++) { + printable = ldb_binary_encode(ldap_attrs, el->values[i]); + if (printable == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "ldb_binary_encode failed..\n"); + continue; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Adding %s [%s] to attributes " - "of [%s].\n", desc, el->values[i].data, objname); + "of [%s].\n", desc, printable, objname); + + talloc_zfree(printable); ret = sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data, el->values[i].length); -- 2.4.3
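Review bot: the `continue` added after the `ldb_binary_encode` NULL check in the value loop of sdap_attrs_add_ldap_attr() skips the `sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data, el->values[i].length)` call that follows, so a failure in a helper that exists only to produce a debug string silently drops the attribute value from sysdb. Since the value itself is stored with its explicit length and does not depend on `printable`, consider logging the failure and still adding the value, for example by substituting a fixed placeholder for `printable` in the TRACE_INTERNAL line instead of `continue`. Minor: the message "ldb_binary_encode failed..\n" has a doubled period.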
>From cf2ef9a8f0f880b0d722d0740952c7bfc3dd1502 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Mon, 10 Aug 2015 12:40:39 +0200 Subject: [PATCH 2/2] IPA: Change the default of ldap_user_certificate to userCertificate;binary This is safe from ldb point of view, because ldb gurantees the data is NULL-terminated. We must be careful before we save the data, though. Resolves: https://fedorahosted.org/sssd/ticket/2742 --- src/man/sssd-ldap.5.xml | 2 +- src/providers/ipa/ipa_opts.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 978fdbe773cddce2d2fc5f78109bf7316b00b0a3..123ac3fac3cb1feaef67ba44be65f98cd0ab8043 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -821,7 +821,7 @@ certificate of the user. </para> <para> - Default: no set in the general case, userCertificate + Default: no set in the general case, userCertificate;binary for IPA </para> </listitem> diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 9576228d1bf3424c8867bda058b59c3ca6b2216b..f6c40dddbb58cd8af1079a351137422083e26cfe 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -204,7 +204,7 @@ struct sdap_attr_map ipa_user_map[] = { { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }, { "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }, { "ldap_user_auth_type", "ipaUserAuthType", SYSDB_AUTH_TYPE, NULL }, - { "ldap_user_certificate", "userCertificate", SYSDB_USER_CERT, NULL }, + { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL }, SDAP_ATTR_MAP_TERMINATOR }; -- 2.4.3
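Review bot: the sssd-ldap.5.xml hunk rewrites the line "Default: no set in the general case, userCertificate" and keeps the typo; since the line is being touched anyway, change "no set" to "not set" so the new line reads "Default: not set in the general case, userCertificate;binary for IPA".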
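Review bot: the ipa_opts.h hunk changes the IPA default to "userCertificate;binary", but the commit message only says the change is "safe from ldb point of view" and does not explain why the ";binary" transfer option is required for IPA while the generic LDAP default stays unset, nor that it depends on a fixed IPA server (the cover mail points to freeipa ticket 5173). Please carry that rationale and the server-side dependency into the commit message or the man page paragraph, so an administrator hitting a lookup failure on an older IPA server can see why.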
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
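The problem the first patch addresses, printing a binary attribute such as a DER certificate through a plain "%s", can be demonstrated stand-alone. The following C program is an added example and is not code from the patches, from SSSD or from libldb: `binary_encode` is a hypothetical re-implementation standing in for `ldb_binary_encode()`, `printf_visible_len` models what "%s" shows, and `sample_der` is a constructed byte string with a DER-like prefix, not a real certificate. As in the patch, the encoded string is only for the log line; the value itself would still be stored with its explicit length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (not a real certificate): a DER-like SEQUENCE header
 * with a long-form length that contains a 0x00 byte, as real DER lengths
 * often do, followed by a few filler bytes and one printable byte so the
 * truncation is visible. */
static const unsigned char sample_der[] = {
    0x30, 0x82, 0x01, 0x00, 0x30, 0x82, 'A'
};

size_t sample_der_len(void) { return sizeof(sample_der); }
const unsigned char *sample_der_ptr(void) { return sample_der; }

/* How many bytes a "%s" conversion would actually render: it stops at the
 * first NUL. This is what the pre-patch DEBUG() call did with
 * el->values[i].data (safely, only because ldb guarantees a trailing NUL). */
size_t printf_visible_len(const unsigned char *data, size_t len)
{
    size_t n = 0;
    while (n < len && data[n] != '\0') n++;
    return n;
}

/* Hypothetical stand-in for ldb_binary_encode(): render every byte of the
 * value, turning anything outside printable ASCII (and the backslash itself,
 * to keep the output unambiguous) into "\XX". The caller frees the result.
 * Returns NULL on allocation failure, mirroring the NULL check in the patch. */
char *binary_encode(const unsigned char *data, size_t len)
{
    char *out = malloc(len * 3 + 1); /* worst case: every byte becomes 3 chars */
    size_t j = 0;
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = data[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            out[j++] = (char)c;
        } else {
            j += (size_t)snprintf(out + j, 4, "\\%02X", c);
        }
    }
    out[j] = '\0';
    return out;
}

int main(void)
{
    size_t vis = printf_visible_len(sample_der, sizeof sample_der);
    char *enc = binary_encode(sample_der, sizeof sample_der);
    if (enc == NULL) return 1;
    /* The first line shows the truncated view a "%s" gives; the second shows
     * the complete, log-safe rendering. */
    printf("\"%%s\" shows %zu of %zu bytes\n", vis, sizeof sample_der);
    printf("encoded view shows all bytes: [%s]\n", enc);
    free(enc);
    return 0;
}
```

With the constructed input, the "%s" view stops after three bytes at the embedded NUL, while the encoded view renders all seven as "0\82\01\000\82A". The encoded form is also free of control characters, so a hostile attribute value cannot inject terminal escapes or line breaks into the debug log.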