diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2010-07-22 16:08:17 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2010-08-06 13:12:21 -0400 |
| commit | efa11d3746c8649f5cb42be9e4787a85413b0f6c (patch) | |
| tree | b82464f970a02582074c6f326d7a9482d60e6153 /ipalib | |
| parent | 4ea34d5910f304c50a1a432f43318239b1db8be6 (diff) | |
| download | freeipa-efa11d3746c8649f5cb42be9e4787a85413b0f6c.tar.gz freeipa-efa11d3746c8649f5cb42be9e4787a85413b0f6c.tar.xz freeipa-efa11d3746c8649f5cb42be9e4787a85413b0f6c.zip | |
Fix replacing a certificate in a service.
When a service has a certificate and the CA backend doesn't support
revocation (like selfsign) then we simply drop the old certificate in
preparation for adding a new one. We weren't setting the usercertificate
attribute to None so there was nothing to do in ldap_update().
Added a test case for this situation to ensure that re-issuing a certificate
works.
ticket #88
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/plugins/service.py | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 37de3df42..392ae60eb 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -246,17 +246,20 @@ class service_mod(LDAPUpdate): member_attributes = ['managedby'] def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): - cert = options.get('usercertificate') - if cert: - (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate']) - if 'usercertificate' in entry_attrs_old: - # FIXME: what to do here? do we revoke the old cert? - fmt = 'entry already has a certificate, serial number: %s' % ( - x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER) - ) - raise errors.GenericError(format=fmt) - # FIXME: should be in normalizer; see service_add - entry_attrs['usercertificate'] = base64.b64decode(cert) + if 'usercertificate' in options: + cert = options.get('usercertificate') + if cert: + (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate']) + if 'usercertificate' in entry_attrs_old: + # FIXME: what to do here? do we revoke the old cert? + fmt = 'entry already has a certificate, serial number: %s' % ( + x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER) + ) + raise errors.GenericError(format=fmt) + # FIXME: should be in normalizer; see service_add + entry_attrs['usercertificate'] = base64.b64decode(cert) + else: + entry_attrs['usercertificate'] = None return dn api.register(service_mod) |