717b817b82
- Resolves: rhbz#2010701 ipa-server-install fails while 'configuring certificate server instance'
- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding
- Resolves: rhbz#2003005 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID.
- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled
61 lines
2.2 KiB
Diff
From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 9 Sep 2021 15:26:55 -0400
Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache

usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangeably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.

What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.

I'm not comfortable with simply treating them the same because
in LDAP they are not.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
 ipapython/ipaldap.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index f94b784d680f33d026e4d56ec8627d4d2ab87931..ced8f1bd66dc8f1f5c206677d2725d1e72b489f9 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
entry=None, exception=None):
# idnsname - caching prevents delete when mod value to None
# cospriority - in a Class of Service object, uncacheable
- # TODO - usercertificate was banned at one point and I don't remember
- # why...
- BANNED_ATTRS = {'idnsname', 'cospriority'}
+ # usercertificate* - caching subtypes is tricky, trade less
+ # complexity for performance
+ #
+ # TODO: teach the cache about subtypes
+
+ BANNED_ATTRS = {
+ 'idnsname',
+ 'cospriority',
+ 'usercertificate',
+ 'usercertificate;binary'
+ }
if not self._enable_cache:
return
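Review bot: the new comment `# usercertificate* - caching subtypes is tricky` implies that every subtype of the attribute is kept out of the cache, but `BANNED_ATTRS` lists only the two exact spellings `'usercertificate'` and `'usercertificate;binary'`. LDAP attribute descriptions are case-insensitive and a server may hand back `userCertificate;binary`, so whether the ban holds depends on how the membership test against `BANNED_ATTRS` (not visible in this hunk) normalises the attribute name; suggest lower-casing the name and stripping everything after the first `;` before the lookup, so `userCertificate`, `usercertificate;binary` and any future subtype all match. The `# TODO: teach the cache about subtypes` line should also cite the tracking issue (https://pagure.io/freeipa/issue/8986 from the commit message), so the reason does not get lost again the way the removed "I don't remember why..." comment did.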
--
2.31.1