diff options
author | Jan Cholasta <jcholast@redhat.com> | 2016-12-16 14:19:00 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-01-05 17:39:57 +0100 |
commit | ceb26f5ac428cdbed8ec1fa89e9ed6f1d903a5a0 (patch) | |
tree | 7f51dcbb1592cc4b8fdec2ab5ca9df341be5d843 /ipaserver/plugins | |
parent | 1e06a5195bafe0224d77371987f2509f5508ca2f (diff) | |
download | freeipa-ceb26f5ac428cdbed8ec1fa89e9ed6f1d903a5a0.tar.gz freeipa-ceb26f5ac428cdbed8ec1fa89e9ed6f1d903a5a0.tar.xz freeipa-ceb26f5ac428cdbed8ec1fa89e9ed6f1d903a5a0.zip |
ca: fix ca-find with --pkey-only
Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.
Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.
https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/ca.py | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 2510a7998..f02c1444f 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -162,7 +162,10 @@ class ca(LDAPObject): def set_certificate_attrs(entry, options, want_cert=True): - ca_id = entry['ipacaid'][0] + try: + ca_id = entry['ipacaid'][0] + except KeyError: + return full = options.get('all', False) want_chain = options.get('chain', False) @@ -192,8 +195,9 @@ class ca_find(LDAPSearch): def execute(self, *keys, **options): ca_enabled_check() result = super(ca_find, self).execute(*keys, **options) - for entry in result['result']: - set_certificate_attrs(entry, options, want_cert=False) + if not options.get('pkey_only', False): + for entry in result['result']: + set_certificate_attrs(entry, options, want_cert=False) return result |