From d5af6b5e3ee50f97db730a4097c46baf07e09002 Mon Sep 17 00:00:00 2001

From: Felipe Volpone <felipevolpone@gmail.com>

Date: Thu, 1 Jun 2017 16:53:11 -0300

Subject: [PATCH] Changing cert-find to do not use only primary key to search

 in LDAP.

In service.py the primary key is krbCanonicalName, which we

don't want to use to do searchs. Now, cert-find uses primary

key or a specified attribute to do searches in LDAP, instead

of using only a primary key.

https://pagure.io/freeipa/issue/6948

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>

---

 ipaserver/plugins/cert.py | 27 +++++++++++++++++----------

 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py

index 68402679cf0320e9c664ea89276f6c4332730a15..bb11713317abad55577b1c280253ab5d6d68c508 100644

--- a/ipaserver/plugins/cert.py

+++ b/ipaserver/plugins/cert.py

@@ -981,8 +981,8 @@ class cert(BaseCertObject):

                 param = param.clone(flags=param.flags - {'no_search'})

             yield param

-        for owner in self._owners():

-            yield owner.primary_key.clone_rename(

+        for owner, search_key in self._owners():

+            yield search_key.clone_rename(

                 'owner_{0}'.format(owner.name),

                 required=False,

                 multivalue=True,

@@ -992,15 +992,22 @@ class cert(BaseCertObject):

             )

     def _owners(self):

-        for name in ('user', 'host', 'service'):

-            yield self.api.Object[name]

+        for obj_name, search_key in [('user', None),

+                                     ('host', None),

+                                     ('service', 'krbprincipalname')]:

+            obj = self.api.Object[obj_name]

+            if search_key is None:

+                pkey = obj.primary_key

+            else:

+                pkey = obj.params[search_key]

+            yield obj, pkey

     def _fill_owners(self, obj):

         dns = obj.pop('owner', None)

         if dns is None:

             return

-        for owner in self._owners():

+        for owner, _search_key in self._owners():

             container_dn = DN(owner.container_dn, self.api.env.basedn)

             name = 'owner_' + owner.name

             for dn in dns:

@@ -1264,8 +1271,8 @@ class cert_find(Search, CertMethod):

                 option = option.clone(default=None, autofill=None)

             yield option

-        for owner in self.obj._owners():

-            yield owner.primary_key.clone_rename(

+        for owner, search_key in self.obj._owners():

+            yield search_key.clone_rename(

                 '{0}'.format(owner.name),

                 required=False,

                 multivalue=True,

@@ -1276,7 +1283,7 @@ class cert_find(Search, CertMethod):

                      owner.object_name_plural),

                 label=owner.object_name,

             )

-            yield owner.primary_key.clone_rename(

+            yield search_key.clone_rename(

                 'no_{0}'.format(owner.name),

                 required=False,

                 multivalue=True,

@@ -1395,7 +1402,7 @@ class cert_find(Search, CertMethod):

         ldap = self.api.Backend.ldap2

         filters = []

-        for owner in self.obj._owners():

+        for owner, search_key in self.obj._owners():

             for prefix, rule in (('', ldap.MATCH_ALL),

                                  ('no_', ldap.MATCH_NONE)):

                 try:

@@ -1411,7 +1418,7 @@ class cert_find(Search, CertMethod):

                     filters.append(filter)

                 filter = ldap.make_filter_from_attr(

-                    owner.primary_key.name,

+                    search_key.name,

                     value,

                     rule)

                 filters.append(filter)

-- 

2.9.4