Hi,

On 10.8.2015 12:59, Jakub Hrozek wrote:
Hi,

the attached patches fix #2742. The first one makes sure we can print
the certificate (or any binary attribute, really) safely. We only need
to make sure to escape the attribute values before saving them to sysdb,
because then ldb guarantees terminating them.

The second just switches the attribute value. I tested using this howto:
     http://www.freeipa.org/page/V4/User_Certificates#How_to_Test

You'll also want to use a recent enough IPA version, one that fixes:
     https://fedorahosted.org/freeipa/ticket/5173

Then, on the client, call:
     dbus-send --print-reply \
               --system \
               --dest=org.freedesktop.sssd.infopipe \
               /org/freedesktop/sssd/infopipe/Users \
               org.freedesktop.sssd.infopipe.Users.FindByCertificate \
               string:"$( openssl x509 < cert.pem )"

The result will be an object path.

LGTM, but I would think userCertificate;binary should be the default everywhere, i.e. generic LDAP, as that is the correct attribute name according to RFC 4523. IMHO when someone uses the standard name in generic LDAP, they should not be forced to change SSSD configuration because of it.

Honza

--
Jan Cholasta
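As an added illustration of the two points raised in this thread (matching `userCertificate` whether or not the `;binary` attribute option from RFC 4523 is present, and keeping binary certificate values as text-safe data), here is a small Python example. It is not code from the SSSD patches or from IPA; the function names and the PEM blob are constructed for this example, and the blob wraps a five-byte DER SEQUENCE rather than a real certificate.

```python
import base64
import binascii
import re

# Constructed sample: a PEM wrapper around a tiny DER SEQUENCE
# (0x30 0x03 0x02 0x01 0x01). It is NOT a real X.509 certificate; it only
# exercises the PEM -> DER normalisation below.
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def parse_attribute_description(desc):
    """Split an LDAP attribute description (RFC 4512, section 2.5) into its
    lower-cased attribute type and a tuple of lower-cased options, e.g.
    'userCertificate;binary' -> ('usercertificate', ('binary',))."""
    parts = desc.strip().split(";")
    attr_type = parts[0].strip().lower()
    options = tuple(p.strip().lower() for p in parts[1:] if p.strip())
    return attr_type, options


def is_certificate_attribute(desc):
    """True for 'userCertificate' with or without the ';binary' option,
    compared case-insensitively, so a lookup keyed this way accepts both
    spellings instead of forcing a configuration change on the user."""
    attr_type, _ = parse_attribute_description(desc)
    return attr_type == "usercertificate"


_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and decode its DER
    bytes. Raises ValueError if no block is present or the base64 body is
    malformed, so a bad input never silently becomes an empty value."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", m.group(1))
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as e:
        raise ValueError("malformed base64 in PEM body") from e


def der_to_safe_text(der_bytes):
    """Encode raw DER as base64 text so it can be kept in a text-only store
    without embedded NUL bytes; base64.b64decode is the inverse."""
    return base64.b64encode(der_bytes).decode("ascii")


def certificate_matches(stored_der, presented_pem):
    """Compare a stored DER value with a presented PEM certificate by
    normalising the PEM to DER first, so whitespace or line-wrapping
    differences in the PEM do not break the comparison."""
    return stored_der == pem_to_der(presented_pem)


if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_PEM)
    print(parse_attribute_description("userCertificate;binary"))
    print(der_to_safe_text(der))
    print(certificate_matches(der, CONSTRUCTED_PEM))
```

The comparison is done on the decoded DER bytes rather than on the PEM text, which is the same shape as the `FindByCertificate` call above: the caller hands over PEM and the lookup side normalises it before matching.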
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel