New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't store entries with a usercertificate in the LDAP cache #6015
Conversation
f709c95
to
40fb311
Compare
Fixed linter issue. |
40fb311
to
6502eee
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Not Acking formally yet.
Well... actually how 389DS treats the The workaround in this PR looks fine to me. |
Hi @frasertweedale, 389-ds transfers all returned attributes following BER encoding form. Do you mean 389ds should transfert certificates attributes (https://datatracker.ietf.org/doc/html/rfc4523) in DER encoding from ? |
G'day @tbordaz. What I mean is that 389 treats Furthermore, RFC 4522 states:
But 389DS treats |
I agree, the handling ';binary' is not conform. it is a transfer syntax not a subtype. |
@frasertweedale so is that an ack? :-) |
@fcami what do you think? I am not familiar with this new LDAP cache feature, but the patch makes sense to me. |
ACK |
usercertificate often has a subclass and both the plain and subclassed (binary) values are queried. I'm concerned that they are used more or less interchangably in places so not caching these entries is the safest path forward for now until we can dedicate the time to find all usages, determine their safety and/or perhaps handle this gracefully within the cache now. What we see in this bug is that usercertificate;binary holds the first certificate value but a user-mod is done with setattr usercertificate=<new_cert>. Since there is no usercertificate value (remember, it's usercertificate;binary) a replace is done and 389-ds wipes the existing value as we've asked it to. I'm not comfortable with simply treating them the same because in LDAP they are not. https://pagure.io/freeipa/issue/8986 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Prevent regressions in the LDAP cache layer that caused newly issued certificates to overwrite existing ones. https://pagure.io/freeipa/issue/8986 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
6502eee
to
d0f2cde
Compare
temp commit removed |
Don't store entries with a usercertificate in the LDAP cache
usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.
What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.
I'm not comfortable with simply treating them the same because
in LDAP they are not.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden rcritten@redhat.com