#3477 LDAP upload CA cert sometimes double-encodes the value
Closed: Fixed None Opened 8 years ago by rcritten.

I found a situation where the CA certificate is stored in base64 encoding in a binary attribute, so for example, ldapsearch returns it double-encoded.

To duplicate this:

- Install IPA (I tested with master)
- ldapdelete ... cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com
- ipa-ldap-updater --plugins
- ldapsearch -o ldif-wrap=no -x -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com

This seems to fix it for me:

diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugi
ns/upload_cacrt.py
index d60247b..a82fc36 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -39,7 +39,6 @@ class update_upload_cacrt(PostUpdate):
         certdb = certs.CertDB(api.env.realm, nssdir=dirname, subject_base=subje
ct_base)

         dercert = certdb.get_cert_from_db(certdb.cacert_name, pem=False)
-        cadercert = base64.b64encode(dercert)

         updates = {}
         dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'), api.env.basedn)
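Review bot: With the `cadercert = base64.b64encode(dercert)` line removed, nothing in this hunk uses `base64` any more, and the patch has no hunk touching the imports. If `base64` is not used elsewhere in `upload_cacrt.py`, drop the import in the same change.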
@@ -47,7 +46,7 @@ class update_upload_cacrt(PostUpdate):
         cacrt_entry = ['objectclass:nsContainer',
                        'objectclass:pkiCA',
                        'cn:CAcert',
-                       'cACertificate;binary:%s' % cadercert,
+                       'cACertificate;binary:%s' % dercert,
                       ]
         updates[dn] = {'dn': dn, 'default': cacrt_entry}
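Review bot: The corrected `cACertificate;binary` value is still written through `updates[dn] = {'dn': dn, 'default': cacrt_entry}`, and the reproduction steps delete the entry before running the updater, so this hunk does not show that a server already holding the base64 text gets it replaced. Confirm that case, or add an explicit replacement of the existing value. Also, `'cACertificate;binary:%s' % dercert` formats raw DER bytes into an `attr:value` string, so a short comment stating that the updater passes the value through unchanged would help.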

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.2 - 2013/03

4 years ago
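A check for the condition this ticket describes, as an added example that is not part of the ticket or of FreeIPA's code: it takes one unwrapped `cACertificate;binary` line from ldapsearch output (as produced with `-o ldif-wrap=no`) and reports whether the stored value is DER or base64 text. The function names are hypothetical, and the sample value is a constructed blob with a valid DER SEQUENCE header, not a real certificate.

```python
import base64
import binascii

ATTR = "cacertificate;binary"

def is_der_sequence(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE (tag 0x30, length fits)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:  # short-form length
        header, length = 2, first
    else:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + length == len(blob)

def stored_value(ldif_line: str) -> bytes:
    """Bytes held in the directory for one unwrapped LDIF attribute line."""
    name, sep, rest = ldif_line.partition(":")
    if not sep or name.strip().lower() != ATTR:
        raise ValueError("not a cACertificate;binary line")
    if rest.startswith(":"):  # "attr:: <base64>" is LDIF's own encoding
        return base64.b64decode(rest[1:].strip(), validate=True)
    return rest.strip().encode("ascii")  # "attr: <text>" is the value as-is

def classify(ldif_line: str) -> str:
    """'der' if the stored value is DER, 'base64-in-binary' if it is base64 text."""
    value = stored_value(ldif_line)
    if is_der_sequence(value):
        return "der"
    try:
        inner = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64-in-binary" if is_der_sequence(inner) else "unknown"

# Constructed sample: valid outer SEQUENCE header plus padding, not a real cert.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
GOOD = "cACertificate;binary:: " + base64.b64encode(FAKE_DER).decode()
BAD = "cACertificate;binary:: " + base64.b64encode(base64.b64encode(FAKE_DER)).decode()
BAD_PLAIN = "cACertificate;binary: " + base64.b64encode(FAKE_DER).decode()

if __name__ == "__main__":
    for sample in (GOOD, BAD, BAD_PLAIN):
        print(classify(sample))
```

The check accepts both the `attr:: value` and `attr: value` LDIF forms, so it does not depend on how a given ldapsearch build prints a value that happens to be printable text.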
