authorSumit Bose <sbose@redhat.com>2015-11-30 12:14:55 +0100
committerJakub Hrozek <jhrozek@redhat.com>2017-03-23 17:19:07 +0100
commit81c564a0692aa4b719af2219f52894e6cd4bdf9f (patch)
tree15488a535a68d194f7244d610530c3120015f16a /src/db
parent70c0648f021ded3d31313eb962e1ad140f242673 (diff)
LDAP: always store the certificate from the request
Store the certificate used to look up a user as a mapped attribute in the cached user object. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/db')
-rw-r--r--src/db/sysdb.h1
-rw-r--r--src/db/sysdb_ops.c4
2 files changed, 3 insertions, 2 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 098f47f91..3db22b368 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -139,6 +139,7 @@
#define SYSDB_AUTH_TYPE "authType"
#define SYSDB_USER_CERT "userCertificate"
+#define SYSDB_USER_MAPPED_CERT "userMappedCertificate"
#define SYSDB_USER_EMAIL "mail"
#define SYSDB_SUBDOMAIN_REALM "realmName"
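Review bot: The new `SYSDB_USER_MAPPED_CERT` define sits directly under `SYSDB_USER_CERT` with an almost identical name and no comment saying which one holds what. Since the cache lookup and removal paths in sysdb_ops.c now key on the mapped attribute, a one-line comment above the define would keep later callers from picking the wrong one, for example `/* certificate taken from the lookup request and mapped to the user; not the userCertificate values read from the server */`.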
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 6c2254df2..8ae257644 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4660,7 +4660,7 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
int ret;
char *user_filter;
- ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT,
+ ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_MAPPED_CERT,
&user_filter);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n");
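Review bot: With the filter built on `SYSDB_USER_MAPPED_CERT`, sysdb_search_object_by_cert no longer matches objects that carry the certificate only in `userCertificate`. Entries cached before this change presumably fall into that group, so they would not be found until the backend rewrites them. If that is intended, a comment at the call would record it, e.g. `/* match only the certificate stored from a previous request, see SYSDB_USER_MAPPED_CERT */`. The code that writes the mapped attribute is outside src/db and not visible here. Because this lookup now relies on it alone to bind a certificate to a user, it is worth confirming that the attribute is written only after the backend has matched the certificate to that user. The function body starts and ends outside the hunk.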
@@ -4749,7 +4749,7 @@ errno_t sysdb_remove_mapped_data(struct sss_domain_info *domain,
errno_t sysdb_remove_cert(struct sss_domain_info *domain,
const char *cert)
{
- struct ldb_message_element el = { 0, SYSDB_USER_CERT, 0, NULL };
+ struct ldb_message_element el = { 0, SYSDB_USER_MAPPED_CERT, 0, NULL };
struct sysdb_attrs del_attrs = { 1, &el };
const char *attrs[] = {SYSDB_NAME, NULL};
struct ldb_result *res = NULL;
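Review bot: sysdb_remove_cert now deletes `SYSDB_USER_MAPPED_CERT`, so the function name no longer says which attribute it clears. A short header comment would help, stating that it removes only the mapped certificate and leaves the `userCertificate` values untouched. As a style point, the positional initializer on the changed line depends on the field order of `struct ldb_message_element`; `struct ldb_message_element el = { .name = SYSDB_USER_MAPPED_CERT };` states the intent directly and zeroes the remaining fields. The function body continues past the end of the hunk.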