<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 07/14/2016 10:06 AM, Fraser Tweedale wrote: </div> <blockquote cite="mid:20160714043642.GV10771@dhcp-40-8.bne.redhat.com" type="cite"> <pre wrap="">On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote: </pre> <blockquote type="cite"> <pre wrap="">Hi, Please review this patch.Below is a small summary about this fix and what we are trying to achieve. CLI : pki-server db-upgrade what it should be doing is if it sees that issuerName doesn't exist,NULL it will add it itself. Operation 1 : Search for the empty cn value for issuerName ------------------------------------------------------------------------------- Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I tried this it didn't show data even if i have record with empty issuerName </pre> </blockquote> <pre wrap="">Hi Geetika, The current filter is actually: '(&(objectclass=certificateRecord)(!(issuerName=*)))', This should match entries missing the issuerName attribute. You talk about an entry with "empty issuerName" but empty strings are not allowed for the Directory String attribute type. Could you please clarify exactly what data is in the offending entry/entries and how it got there?</pre> </blockquote> Hi Fraser, If we disable syntax check in ldap dse.ldif , it will accept empty data as well.So if a end user disable syntax check,issuerName can be empty in that case.(a test case that i tried) So in that case db-update will never happen because that condition is not considered.This scenario can be reproduced using below ldif file. <file> dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA objectClass: certificateRecord objectClass: top cn: 106 algorithmId: 1.2.840.113549.1.1.1 autoRenew: ENABLED certStatus: VALID dateOfCreate: 20160712084443Z dateOfModify: 20160712084443Z duration: 1131536000000 issuedBy: geetika20 issuerName: metaInfo: requestId:100 notAfter: 20170712084205Z notBefore: 20160712084205Z publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq serialno: 100 signingAlgorithmId: 1.2.840.113549.1.1.11 subjectName: CN=CS Administrator,C=US userCertificate;binary:: MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY version: 2 </file> So in such a case using '(&(objectclass=certificateRecord)(!(issuerName=*)))',will not able to search for such entries.I tried and it gives me empty data .I believe using (&(objectclass=certificateRecord) (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose. Thanks Geetika <blockquote cite="mid:20160714043642.GV10771@dhcp-40-8.bne.redhat.com" type="cite"> <pre wrap=""> </pre> <blockquote type="cite"> <pre wrap="">Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*)))' -- This solves the purpose as it shows all the certs without issuerName </pre> </blockquote> <pre wrap="">This filter is wrong - it does match entries without issuerName (as intended), but also matches entries with issuerName set but not starting with "cn". </pre> <blockquote type="cite"> <pre wrap=""> Operation 2 : If we see a empty cn value , we are replacing it with value we get from code ------------------------------------------------------------------------------------------------------------------ < code> cert = nss.Certificate(bytearray(attr_cert[0])) issuer_name = str(cert.issuer) </code> Current : we are updating the list it the format as mentioned 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security Domain'] Do we want to keep this behavior or we want to overwrite it in first place? I believe in place of we do it MOD_REPLACE. <try: conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)]) </pre> <blockquote type="cite"> <pre wrap=""> </pre> </blockquote> <pre wrap=""> Modified : onn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName', issuer_name)]) </pre> </blockquote> <pre wrap="">This change is OK. </pre> </blockquote> </body> </html>