[Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid

Fraser Tweedale ftweedal at redhat.com
Thu Jun 9 14:04:48 UTC 2016


On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote:
> 
> 
> On 09.06.2016 15:03, Martin Basti wrote:
> > 
> > 
> > On 09.06.2016 15:02, Stanislav Laznicka wrote:
> > > On 06/09/2016 02:51 PM, Rob Crittenden wrote:
> > > > Stanislav Laznicka wrote:
> > > > > Hello,
> > > > > 
> > > > > Please see the attached patch of
> > > > > https://fedorahosted.org/freeipa/ticket/5797.
> > > > > 
> > > > > Standa
> > > > > 
> > > > 
> > > > Just wondering out loud but should usercertificate be excluded
> > > > from the output if it is unparsable? Is there any value in
> > > > showing that a bogus value is in there?
> > > > 
> > > > rob
> > > I think it is a good pointer that something has gone wrong with the
> > > certificate. Another way would be to print 'Invalid certificate'
> > > instead of it similar to what Apache LDAP Browser does.
> > > 
> > 
> > We can return a warning message that something with certificates is
> > broken.
> > 
> > Martin^2
> > 
> And you should log it at error log level, because it is an error
> 
Is the data from LDAP actually invalid?  It should not be possible
to store data that is not a syntactically valid X.509 cert in the
userCertificate attribute (if it is, we should file a ticket against
389).

Is there a full traceback for the original error of #5797?  What is
the datum that is the immediate cause of the error and what happens
to it between the database and the function that throws?

Could it be a python3 bytes/str problem originating in
x509.normalize_certificate?

Cheers,
Fraser
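Added example, not FreeIPA code and not the patch under discussion: a stand-in for what a tolerant normalize/show path could look like. It takes the raw userCertificate values as a find/show method would receive them from LDAP (DER bytes, or PEM/base64 text that arrives as `str` on Python 3), checks the outer DER structure of an X.509 certificate (SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }), and instead of raising replaces an unparsable value with the literal `Invalid certificate` and emits a warning, combining the two suggestions above. The names `normalize_certificate`, `show_entry` and `InvalidCertificate` are this example's own; ipalib's `x509.normalize_certificate` is not used. The certificate bytes are a constructed, cert-shaped DER skeleton, not a real certificate.

```python
"""Tolerant userCertificate handling (added example; not FreeIPA code)."""
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
INVALID_MARKER = "Invalid certificate"


class InvalidCertificate(ValueError):
    """Raised when a value cannot be turned into a DER X.509 certificate."""


def _der_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_end).

    Enforces definite, minimally encoded lengths as DER requires."""
    if pos + 2 > len(buf):
        raise InvalidCertificate("truncated DER header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise InvalidCertificate("indefinite length is not DER")
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise InvalidCertificate("bad long-form length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise InvalidCertificate("non-minimal DER length")
        pos += n
    end = pos + length
    if end > len(buf):
        raise InvalidCertificate("DER length %d exceeds available data" % length)
    return tag, pos, end


def normalize_certificate(value):
    """Return DER bytes for a value that is DER, PEM text or bare base64.

    Accepts bytes or str (the py3 case where text arrives as str)."""
    if isinstance(value, str):
        try:
            value = value.encode("ascii")
        except UnicodeEncodeError:
            raise InvalidCertificate("str value is neither PEM nor base64")
    if not isinstance(value, (bytes, bytearray)):
        raise InvalidCertificate("unsupported type %s" % type(value).__name__)
    value = bytes(value)
    if value[:1] == b"\x30":  # looks like a DER SEQUENCE: treat as DER
        der = value
    else:  # otherwise expect PEM or base64 text
        m = PEM_RE.search(value)
        b64 = re.sub(rb"\s+", b"", m.group(1) if m else value)
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            raise InvalidCertificate("value is not DER, PEM or base64")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, pos, end = _der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise InvalidCertificate("outer SEQUENCE missing or trailing garbage")
    for want in (0x30, 0x30, 0x03):
        tag, vstart, vend = _der_tlv(der, pos)
        if tag != want:
            raise InvalidCertificate(
                "expected tag 0x%02x at offset %d, got 0x%02x" % (want, pos, tag))
        pos = vend
    if pos != end:
        raise InvalidCertificate("unexpected data after signatureValue")
    return der


def show_entry(entry):
    """Model of a *-show result: (entry_copy, warnings); never raises on a bad cert."""
    result = dict(entry)
    warnings = []
    certs = []
    for i, raw in enumerate(entry.get("usercertificate", [])):
        try:
            certs.append(normalize_certificate(raw))
        except InvalidCertificate as exc:
            warnings.append("usercertificate[%d]: %s" % (i, exc))
            certs.append(INVALID_MARKER)  # keep a visible marker so the operator notices
    result["usercertificate"] = certs
    return result, warnings


# Constructed cert-shaped DER: tbsCertificate=SEQ{INTEGER 1},
# signatureAlgorithm=SEQ{OID sha256WithRSAEncryption}, signatureValue=BIT STRING.
SAMPLE_DER = bytes.fromhex(
    "3016" "3003020101" "300b06092a864886f70d01010b" "030200ff")
SAMPLE_ENTRY = {  # constructed LDAP entry, not real data
    "uid": ["alice"],
    "usercertificate": [
        SAMPLE_DER,                                       # DER bytes, as 389 returns them
        "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----"
        % base64.b64encode(SAMPLE_DER).decode(),          # PEM as py3 str
        b"this is not a certificate",                     # garbage
        SAMPLE_DER[:-2],                                  # truncated DER
    ],
}

if __name__ == "__main__":
    shown, warns = show_entry(SAMPLE_ENTRY)
    for w in warns:
        print("warning:", w)
    print(shown["usercertificate"])
```

The placeholder keeps the bad slot visible in the output while the warning carries the reason; where a real implementation logs, the warning text is what belongs at error level.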
