From 896c438f1dd7e4aa316503fbf68fef13963d7463 Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Thu, 22 Nov 2018 18:31:38 +0100

Subject: [PATCH] ipaldap.py: fix method creating a ldap filter for

 IPACertificate

ipa user-find --certificate and ipa host-find --certificate

fail to return matching entries, because the method transforming

the attribute into a LDAP filter does not properly handle

IPACertificate objects.

Directory Server logs show a filter with

(usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)

When the attribute contains a cryptography.x509.Certificate,

the method needs to extract the public bytes instead of calling str(value).

Fixes https://pagure.io/freeipa/issue/7770

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

---

 ipapython/ipaldap.py | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py

index 53fdf4967868961effea7f3f64dfb3c0edfc75f3..a44246e3ee0de5a78de77a593718ecad1aaa0f67 100644

--- a/ipapython/ipaldap.py

+++ b/ipapython/ipaldap.py

@@ -36,6 +36,7 @@ from six.moves.urllib.parse import urlparse

 # pylint: enable=import-error

 from cryptography import x509 as crypto_x509

+from cryptography.hazmat.primitives import serialization

 import ldap

 import ldap.sasl

@@ -1276,6 +1277,8 @@ class LDAPClient(object):

             ]

             return cls.combine_filters(flts, rules)

         elif value is not None:

+            if isinstance(value, crypto_x509.Certificate):

+                value = value.public_bytes(serialization.Encoding.DER)

             if isinstance(value, bytes):

                 value = binascii.hexlify(value).decode('ascii')

                 # value[-2:0] is empty string for the initial '\\'

-- 

2.17.2