From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 9 Sep 2021 15:26:55 -0400 Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache usercertificate often has a subclass and both the plain and subclassed (binary) values are queried. I'm concerned that they are used more or less interchangably in places so not caching these entries is the safest path forward for now until we can dedicate the time to find all usages, determine their safety and/or perhaps handle this gracefully within the cache now. What we see in this bug is that usercertificate;binary holds the first certificate value but a user-mod is done with setattr usercertificate=. Since there is no usercertificate value (remember, it's usercertificate;binary) a replace is done and 389-ds wipes the existing value as we've asked it to. I'm not comfortable with simply treating them the same because in LDAP they are not. https://pagure.io/freeipa/issue/8986 Signed-off-by: Rob Crittenden Reviewed-By: Francois Cami Reviewed-By: Fraser Tweedale --- ipapython/ipaldap.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index f94b784d680f33d026e4d56ec8627d4d2ab87931..ced8f1bd66dc8f1f5c206677d2725d1e72b489f9 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient): entry=None, exception=None): # idnsname - caching prevents delete when mod value to None # cospriority - in a Class of Service object, uncacheable - # TODO - usercertificate was banned at one point and I don't remember - # why... - BANNED_ATTRS = {'idnsname', 'cospriority'} + # usercertificate* - caching subtypes is tricky, trade less + # complexity for performance + # + # TODO: teach the cache about subtypes + + BANNED_ATTRS = { + 'idnsname', + 'cospriority', + 'usercertificate', + 'usercertificate;binary' + } if not self._enable_cache: return -- 2.31.1