[Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid

Martin Basti mbasti at redhat.com
Thu Jun 9 14:17:15 UTC 2016



On 09.06.2016 16:04, Fraser Tweedale wrote:
> On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote:
>>
>> On 09.06.2016 15:03, Martin Basti wrote:
>>>
>>> On 09.06.2016 15:02, Stanislav Laznicka wrote:
>>>> On 06/09/2016 02:51 PM, Rob Crittenden wrote:
>>>>> Stanislav Laznicka wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Please see the attached patch of
>>>>>> https://fedorahosted.org/freeipa/ticket/5797.
>>>>>>
>>>>>> Standa
>>>>>>
>>>>>>
>>>>>>
>>>>> Just wondering out loud but should usercertificate be excluded
>>>>> from the output if it is unparsable? Is there any value in
>>>>> showing that a bogus value is in there?
>>>>>
>>>>> rob
>>>> I think it is a good pointer that something has gone wrong with the
>>>> certificate. Another way would be to print 'Invalid certificate'
>>>> instead of it similar to what Apache LDAP Browser does.
>>>>
>>> We can return a warning message that something with certificates is
>>> broken.
>>>
>>> Martin^2
>>>
>> And you should log it at error log level, because it is an error
>>
> Is the data from LDAP actually invalid?  It should not be possible
> to store data that is not a syntactically valid X.509 cert in the
> userCertificate attribute (if it is, we should file a ticket against
> 389).
>
> Is there a full traceback for the original error of #5797?  What is
> the datum that is the immediate cause of the error and what happens
> to it between the database and the function that throws?
>
> Could it be a python3 bytes/str problem originating in
> x509.normalize_certificate?
>
> Cheers,
> Fraser

I was able to put invalid certificate data there using LDIF and ldapadd

I can try to reproduce it later or next week

Martin^2
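A sketch of the behaviour proposed in the thread (skip the bad value, log it at error level and hand the caller a warning instead of failing the whole find/show), as an added example that is neither the attached patch nor FreeIPA's own code; `looks_like_der_certificate` is an assumed stand-in for a real X.509 parser and only checks the outer DER SEQUENCE framing, and the non-bytes branch covers the python3 bytes/str case raised above.

```python
import base64
import logging
from typing import Optional

log = logging.getLogger(__name__)


def _der_outer_length(der: bytes) -> Optional[int]:
    # Total encoded length of a DER SEQUENCE, or None if the header is malformed.
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def looks_like_der_certificate(der: bytes) -> bool:
    # Assumed stand-in for a full parser: the outer SEQUENCE must span exactly the value.
    total = _der_outer_length(der)
    return total is not None and total == len(der)


def normalize_certificates(values):
    """Split raw userCertificate values into base64 output and warnings.

    Invalid values are logged at error level and reported back to the caller
    rather than raising, so one broken attribute does not fail the whole entry.
    """
    good, warnings = [], []
    for idx, raw in enumerate(values):
        if not isinstance(raw, bytes):
            log.error("userCertificate value #%d is %s, expected bytes", idx, type(raw).__name__)
            warnings.append("Invalid certificate in userCertificate value #%d" % idx)
            continue
        if not looks_like_der_certificate(raw):
            log.error("userCertificate value #%d is not a valid DER certificate (%d bytes)", idx, len(raw))
            warnings.append("Invalid certificate in userCertificate value #%d" % idx)
            continue
        good.append(base64.b64encode(raw).decode("ascii"))
    return good, warnings


# Constructed sample values: one well-framed DER SEQUENCE, one garbage blob,
# one with a declared length longer than the value, and one str instead of bytes.
SAMPLE_VALUES = [b"\x30\x03\x02\x01\x05", b"not a cert", b"\x30\x10\x00", "MIIB..."]
```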
