author | Jan Cholasta <jcholast@redhat.com> | 2015-08-27 07:23:39 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-08-27 15:53:42 +0200 |
commit | a3310c3b512c7812b6f658c5bff828d3c8329e48 (patch) | |
tree | d50b755e06fc3543c05e7763f2d7f4b238039f18 | |
parent | f5dcb03a1c003557371be52597aba7900b0ac345 (diff) | |
cert renewal: Include KRA users in Dogtag LDAP update
https://fedorahosted.org/freeipa/ticket/5253
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipaserver/install/cainstance.py | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5fd3017e1..ecd930003 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1575,7 +1575,7 @@ def update_people_entry(dercert):
 Returns True or False
 """
- base_dn = DN(('ou','People'), ('o','ipaca'))
+ base_dn = DN(('o', 'ipaca'))
 serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
 subject = x509.get_subject(dercert, datatype=x509.DER)
 issuer = x509.get_issuer(dercert, datatype=x509.DER)
@@ -1591,9 +1591,14 @@ def update_people_entry(dercert):
 conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
 conn.connect(autobind=True)
- db_filter = conn.make_filter(
- {'description': ';%s;%s' % (issuer, subject)},
- exact=False, trailing_wildcard=False)
+ db_filter = conn.combine_filters(
+ [
+ conn.make_filter({'objectClass': 'inetOrgPerson'}),
+ conn.make_filter(
+ {'description': ';%s;%s' % (issuer, subject)},
+ exact=False, trailing_wildcard=False),
+ ],
+ conn.MATCH_ALL)
 try:
 entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter)
 except errors.NotFound: |
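Review bot: Widening `base_dn` to `DN(('o', 'ipaca'))` while the search still uses `conn.SCOPE_SUBTREE` makes every entry in the Dogtag suffix a candidate, so the only limits left are the `inetOrgPerson` clause and the `description` match added in the second hunk. What happens to the matched entries is outside the hunk, but if each one has its certificate replaced, any `inetOrgPerson` elsewhere under `o=ipaca` with the same `;issuer;subject` description would be updated as well. A tighter form would search the known people containers explicitly (the original `ou=People,o=ipaca` plus the KRA's equivalent) rather than the whole suffix. If the broad base is kept, a comment on the line such as `# whole Dogtag suffix so KRA users are covered; the filter below limits this to user entries` would record why.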
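Review bot: The new `db_filter` carries no comment explaining that the `objectClass` clause is there to compensate for the wider search base, so a later cleanup could drop it and leave a bare `description` match over all of `o=ipaca`. I would add above `conn.combine_filters(`: `# base_dn is the whole suffix; match only user entries whose description ends in ;issuer;subject`. `exact=False, trailing_wildcard=False` presumably produces a leading-wildcard substring filter, which is now evaluated across the entire suffix instead of one container, so it is worth confirming that `description` is substring-indexed in the Dogtag backend. The `try`/`except errors.NotFound` block continues past the end of the hunk.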