From b606fa6cca87706730fa20bfa437956194398c82 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Sep 18 2020 18:20:08 +0000
Subject: Duplicate CA CRT: ignore expected cert

When search for duplicate CA certs ignore the one expected entry.

Related: https://pagure.io/freeipa/issue/7125

Signed-off-by: Christian Heimes
Reviewed-By: Florence Blanc-Renaud

---

diff --git a/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
index 31a1659..40a9e0e 100644
--- a/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
+++ b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
@@ -52,13 +52,22 @@ class update_fix_duplicate_cacrt_in_ldap(Updater):
             ldap,
             self.api.env.container_ca,
             self.api.env.basedn)
+        cacert_nick = get_ca_nickname(self.api.env.realm)
 
         # Find if there are other certificates with the same subject
         # They are duplicates resulting of BZ 1480102
         base_dn = DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
                      self.api.env.basedn)
+        filter = ldap.combine_filters(
+            [
+                # all certificates with CA cert subject
+                ldap.make_filter({'ipaCertSubject': cacert_subject}),
+                # except the default certificate
+                ldap.make_filter({'cn': cacert_nick}, rules=ldap.MATCH_NONE),
+            ],
+            rules=ldap.MATCH_ALL
+        )
         try:
-            filter = ldap.make_filter({'ipaCertSubject': cacert_subject})
             result, _truncated = ldap.find_entries(
                 base_dn=base_dn,
                 filter=filter,
@@ -69,10 +78,7 @@ class update_fix_duplicate_cacrt_in_ldap(Updater):
             return False, []
 
         logger.debug("Found %d entrie(s) for IPA CA in LDAP", len(result))
-        cacert_dn = DN(('cn', get_ca_nickname(self.api.env.realm)), base_dn)
         for entry in result:
-            if entry.dn == cacert_dn:
-                continue
             # Remove the duplicate
             try:
                 ldap.delete_entry(entry)
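Review bot: The new `filter = ldap.combine_filters(...)` in the first hunk shadows the builtin `filter`, and because the binding now sits outside the `try:` it stays live for the rest of the method; `cacert_filter = ldap.combine_filters(` together with `filter=cacert_filter,` in the `find_entries` call would avoid that. Since the expected entry is now excluded server-side by the `MATCH_NONE` clause on `cn` instead of by the `entry.dn == cacert_dn` comparison the second hunk removes, the unchanged `logger.debug("Found %d entrie(s) for IPA CA in LDAP", len(result))` now counts only the entries that will be deleted, so `"Found %d duplicate entrie(s) for IPA CA in LDAP"` would describe the log line accurately. The exclusion also changed from an exact-DN match to a `cn` attribute match within the search base; presumably equivalent for entries written under `cn=certificates`, but worth confirming that no duplicate carries the same `cn` value, as such an entry would now be skipped rather than removed. The enclosing method begins before the first hunk and continues past the second.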