
[Backport][ipa-4-9] Don't store entries with a usercertificate in the LDAP cache #6024

Closed
wants to merge 2 commits into from

Conversation

rcritten
Contributor

This PR was opened automatically because PR #6015 was pushed to master and backport to ipa-4-9 is required.

usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangeably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.

What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.

I'm not comfortable with simply treating them the same because
in LDAP they are not.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
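As an added illustration (not code from the FreeIPA project), here is a small Python model of the cache and attribute-option mismatch the commit message describes, together with the backport's rule of not caching entries that carry a usercertificate. The `Directory` class, the modlist diff rule, the `is_cacheable` helper and the sample DN and certificate values are assumptions of this model, not FreeIPA code.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, List[bytes]]
Mod = Tuple[str, str, List[bytes]]  # (op, attribute description, values)

def base_type(attr: str) -> str:
    """Strip LDAP attribute options: 'usercertificate;binary' -> 'usercertificate'."""
    return attr.split(";", 1)[0].lower()

def is_cacheable(entry: Entry) -> bool:
    """The backport's rule: never cache an entry holding any usercertificate variant."""
    return not any(base_type(a) == "usercertificate" for a in entry)

class Directory:
    """Toy 389-ds model: values live under the base type, so a REPLACE of
    'usercertificate' also drops what was read back as 'usercertificate;binary'."""
    def __init__(self) -> None:
        self.data: Dict[str, Entry] = {}

    def search(self, dn: str, attr: str) -> Entry:
        # Model assumption: values come back under the attribute description requested.
        return {attr: list(self.data[dn].get(base_type(attr), []))}

    def modify(self, dn: str, mods: List[Mod]) -> None:
        for op, attr, values in mods:
            cur = self.data[dn].setdefault(base_type(attr), [])
            cur[:] = values if op == "replace" else cur + values

def build_modlist(old: Entry, attr: str, new_values: List[bytes]) -> List[Mod]:
    """Client-side diff: attribute absent from the old view -> REPLACE (as the
    commit message describes); present -> ADD only the values not already there."""
    if attr not in old:
        return [("replace", attr, new_values)]
    missing = [v for v in new_values if v not in old[attr]]
    return [("add", attr, missing)] if missing else []

def issue_second_cert(cache_everything: bool) -> List[bytes]:
    """Issue a second certificate to a user; returns what the directory holds afterwards."""
    ds = Directory()
    ds.data["uid=alice"] = {"usercertificate": [b"CERT-1"]}   # constructed sample entry
    cache: Dict[str, Entry] = {}

    def get_entry(dn: str, attr: str) -> Entry:
        if dn in cache:                      # a cache hit ignores which variant was asked for
            return cache[dn]
        entry = ds.search(dn, attr)
        if cache_everything or is_cacheable(entry):
            cache[dn] = entry
        return entry

    get_entry("uid=alice", "usercertificate;binary")       # earlier read used the binary option
    old = get_entry("uid=alice", "usercertificate")         # user-mod --setattr path
    ds.modify("uid=alice", build_modlist(old, "usercertificate", [b"CERT-2"]))
    return ds.data["uid=alice"]["usercertificate"]
```

With `cache_everything=True` the stale `usercertificate;binary` view makes the client emit a REPLACE and the first certificate is lost; with the backport's rule the entry is re-read and an ADD keeps both.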
@rcritten
Contributor Author

PR was ACKed automatically because this is a backport of PR #6015. Wait for CI to finish before pushing. In case of questions or problems contact @rcritten who is the author of the original PR.

@rcritten rcritten added labels ack (Pull Request approved, can be merged) and pushed (Pull Request has already been pushed) on Sep 16, 2021
@rcritten
Contributor Author

ipa-4-9:

  • be1e3bb Don't store entries with a usercertificate in the LDAP cache
  • 8658864 ipatests: Test that a user can be issued multiple certificates

@rcritten rcritten closed this Sep 16, 2021