[Freeipa-devel] [PATCH 0052] store user certificates in 'userCertificate;binary' attributes

Jan Cholasta jcholast at redhat.com
Mon Aug 3 12:46:02 UTC 2015


On 3.8.2015 at 14:14, Jan Cholasta wrote:
> Hi,
>
> On 3.8.2015 at 14:00, Martin Babinsky wrote:
>> This patch fixes the inconsistency between storing certificates in
>> 'userCertificate'/'userCertificate;binary' attribute for the user
>> entries: the certificate must be stored in the latter attribute only.
>>
>> Since a more general fix is out of 4.2.1 scope, I have implemented some
>> workarounds in pre/post callbacks of user-* commands in order to enforce
>> this behavior.
>
> 1)
>
> +    def convert_usercertificate_pre(self, entry_attrs, **options):
> +        if options.get('all', False):
> +            return
>
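Review bot: the early return on options.get('all', False) at the top of convert_usercertificate_pre makes the rename conditional on --all, so with that option set the method does nothing and the entry goes on to the write with its attribute name unconverted. Drop the guard from the pre conversion; if unprocessed output needs a bypass, key it on 'raw' in convert_usercertificate_post, as discussed in this thread. In the lines shown the method also has no docstring stating which attribute name it converts from and to.
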
> We don't want to do any renaming when --raw is specified, not --all.
> Same for convert_usercertificate_post.

Actually, the attribute should be always renamed in 
convert_usercertificate_pre, otherwise we would modify the wrong 
attribute. In convert_usercertificate_post, it should actually be 
renamed only when --raw is specified.

>
>
> 2)
>
> +        self.obj.convert_usercertificate_pre(entry_attrs, **options)
>
> Rather than calling this directly from user_add, this should be called
> from baseuser.pre_common_callback(), which should be called from
> user_add.post_callback().
>
>
> 3) IMO you should change user_{add,remove}_cert to call
> baseuser.convert_usercertificate_{pre,post} as well, to avoid code
> duplication.
>
>
> Honza
>


-- 
Jan Cholasta



