From 896c438f1dd7e4aa316503fbf68fef13963d7463 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 22 Nov 2018 18:31:38 +0100
Subject: [PATCH] ipaldap.py: fix method creating a ldap filter for
IPACertificate
ipa user-find --certificate and ipa host-find --certificate
fail to return matching entries, because the method transforming
the attribute into a LDAP filter does not properly handle
IPACertificate objects.
Directory Server logs show a filter with
(usercertificate=<ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)
When the attribute contains a cryptography.x509.Certificate,
the method needs to extract the public bytes instead of calling str(value).
Fixes https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
ipapython/ipaldap.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 53fdf4967868961effea7f3f64dfb3c0edfc75f3..a44246e3ee0de5a78de77a593718ecad1aaa0f67 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -36,6 +36,7 @@ from six.moves.urllib.parse import urlparse
# pylint: enable=import-error
from cryptography import x509 as crypto_x509
+from cryptography.hazmat.primitives import serialization
import ldap
import ldap.sasl
@@ -1276,6 +1277,8 @@ class LDAPClient(object):
]
return cls.combine_filters(flts, rules)
elif value is not None:
+ if isinstance(value, crypto_x509.Certificate):
+ value = value.public_bytes(serialization.Encoding.DER)
if isinstance(value, bytes):
value = binascii.hexlify(value).decode('ascii')
# value[-2:0] is empty string for the initial '\\'
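Review bot: The added `isinstance(value, crypto_x509.Certificate)` branch carries no comment, although the commit message is about `ipalib.x509.IPACertificate` and nothing in this hunk shows that such objects satisfy the check. Presumably they subclass or are registered with the cryptography base class, which is worth confirming. I would add above it `# Certificates (incl. IPACertificate) must be sent as DER bytes; str(value) would put the object repr into the filter`, so that nobody later moves the branch below the `bytes` check. Converting to bytes first also keeps the value on the hex-escaping path, so no certificate-derived text reaches the filter unescaped. The enclosing method starts before this hunk and continues after it, so the fallback for other object types is not visible here.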
--
2.17.2