I found a situation where the CA certificate is stored base64-encoded in a binary attribute, so ldapsearch, for example, returns it double-encoded.
To duplicate this:
- Install IPA (I tested with master)
- ldapdelete ... cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
- ipa-ldap-updater --plugins
- ldapsearch -o ldif-wrap=no -x -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
This seems to fix it for me:
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugi ns/upload_cacrt.py
index d60247b..a82fc36 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -39,7 +39,6 @@ class update_upload_cacrt(PostUpdate):
 certdb = certs.CertDB(api.env.realm, nssdir=dirname, subject_base=subje ct_base)
 dercert = certdb.get_cert_from_db(certdb.cacert_name, pem=False)
- cadercert = base64.b64encode(dercert)
 updates = {}
 dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'), api.env.basedn)
@@ -47,7 +46,7 @@ class update_upload_cacrt(PostUpdate):
 cacrt_entry = ['objectclass:nsContainer', 'objectclass:pkiCA', 'cn:CAcert',
- 'cACertificate;binary:%s' % cadercert,
+ 'cACertificate;binary:%s' % dercert,
 ]
 updates[dn] = {'dn': dn, 'default': cacrt_entry}
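Review bot: With `cadercert` removed in the first hunk, the `import base64` at the top of upload_cacrt.py may now be unused — worth checking and dropping in the same change, so a leftover import does not tempt someone to re-add the encoding. Nothing in either hunk records why the raw DER is now passed straight into `'cACertificate;binary:%s' % dercert`; presumably the update layer base64-encodes binary attribute values itself, which is what produced the double encoding, and a one-line comment above that entry such as `# dercert is raw DER; the updater encodes binary values itself, so do not pre-encode it` would guard against a regression. Because a double-encoded cACertificate;binary breaks every client that fetches the CA certificate from LDAP, a test that reads the entry back after ipa-ldap-updater and compares it byte-for-byte with the DER from the NSS database would catch this class of bug. The enclosing method of update_upload_cacrt starts before the first hunk and continues past the second.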
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=918262
attachment freeipa-rcrit-1091-ldapcert.patch
master: f6f8307
ipa-3-1: 80b544e
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.2 - 2013/03