From 896c438f1dd7e4aa316503fbf68fef13963d7463 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Thu, 22 Nov 2018 18:31:38 +0100
Subject: [PATCH] ipaldap.py: fix method creating a ldap filter for IPACertificate ipa user-find --certificate and ipa host-find --certificate fail to return matching entries, because the method transforming the attribute into a LDAP filter does not properly handle IPACertificate objects. Directory Server logs show a filter with (usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>) When the attribute contains a cryptography.x509.Certificate, the method needs to extract the public bytes instead of calling str(value). Fixes https://pagure.io/freeipa/issue/7770 Reviewed-By: Christian Heimes Reviewed-By: Christian Heimes
---
 ipapython/ipaldap.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 53fdf4967868961effea7f3f64dfb3c0edfc75f3..a44246e3ee0de5a78de77a593718ecad1aaa0f67 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -36,6 +36,7 @@ from six.moves.urllib.parse import urlparse
 # pylint: enable=import-error
 from cryptography import x509 as crypto_x509
+from cryptography.hazmat.primitives import serialization
 import ldap
 import ldap.sasl
@@ -1276,6 +1277,8 @@ class LDAPClient(object):
 ]
 return cls.combine_filters(flts, rules)
 elif value is not None:
+ if isinstance(value, crypto_x509.Certificate):
+ value = value.public_bytes(serialization.Encoding.DER)
 if isinstance(value, bytes):
 value = binascii.hexlify(value).decode('ascii')
 # value[-2:0] is empty string for the initial '\\'
--
2.17.2
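Review bot: The added `isinstance(value, crypto_x509.Certificate)` check in the second hunk covers one object type, but the commit adds no regression test and no comment saying why the DER bytes are needed, so the same silent failure can come back for the next non-bytes type that reaches this branch. Per the commit message, the old path put the object repr into the filter, which matches nothing rather than raising, and an empty result from a certificate lookup is easy to mistake for "no such entry". I would add `# compare certificates by their DER encoding; str() would embed the object repr in the filter` above the check, plus a test asserting that a certificate value produces the backslash-hex form of its DER bytes. The enclosing method starts and ends outside the hunk, so whether its fallback branch could reject unexpected types cannot be judged from here.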