From a4ea0af1fb74ac9bdf9afe1bee62cddf65f5160e Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Thu, 27 Aug 2015 07:23:39 +0200

Subject: [PATCH] cert renewal: Include KRA users in Dogtag LDAP update

https://fedorahosted.org/freeipa/ticket/5253

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipaserver/install/cainstance.py | 13 +++++++++----

 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py

index 5fd3017e16e0d7ed4b4f8eead0e59266fdaff097..ecd9300036353426097d929918be974cbbb5c69d 100644

--- a/ipaserver/install/cainstance.py

+++ b/ipaserver/install/cainstance.py

@@ -1575,7 +1575,7 @@ def update_people_entry(dercert):

     Returns True or False

     """

-    base_dn = DN(('ou','People'), ('o','ipaca'))

+    base_dn = DN(('o', 'ipaca'))

     serial_number = x509.get_serial_number(dercert, datatype=x509.DER)

     subject = x509.get_subject(dercert, datatype=x509.DER)

     issuer = x509.get_issuer(dercert, datatype=x509.DER)

@@ -1591,9 +1591,14 @@ def update_people_entry(dercert):

             conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)

             conn.connect(autobind=True)

-            db_filter = conn.make_filter(

-                {'description': ';%s;%s' % (issuer, subject)},

-                exact=False, trailing_wildcard=False)

+            db_filter = conn.combine_filters(

+                [

+                    conn.make_filter({'objectClass': 'inetOrgPerson'}),

+                    conn.make_filter(

+                        {'description': ';%s;%s' % (issuer, subject)},

+                        exact=False, trailing_wildcard=False),

+                ],

+                conn.MATCH_ALL)

             try:

                 entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter)

             except errors.NotFound:

-- 

2.5.1