On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote:
> On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
> >
> > On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
> > >
> > > On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
> > >> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> > >>> Hi,
> > >>>
> > >>> Please review this patch. Below is a small summary about this fix and
> > >>> what we are trying to achieve.
> > >>>
> > >>> CLI : pki-server db-upgrade
> > >>>
> > >>> What it should be doing is: if it sees that issuerName doesn't exist
> > >>> (NULL), it will add it itself.
> > >>>
> > >>> Operation 1 : Search for the empty cn value for issuerName
> > >>> -------------------------------------------------------------------------------
> > >>>
> > >>> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
> > >>> tried this, it didn't show data even if I have a record with empty
> > >>> issuerName
> > >>>
> > >> Hi Geetika,
> > >>
> > >> The current filter is actually:
> > >>
> > >> '(&(objectclass=certificateRecord)(!(issuerName=*)))',
> > >>
> > >> This should match entries missing the issuerName attribute.  You
> > >> talk about an entry with "empty issuerName" but empty strings are
> > >> not allowed for the Directory String attribute type.  Could you
> > >> please clarify exactly what data is in the offending entry/entries
> > >> and how it got there?
> > > Hi Fraser,
> > >
> > > If we disable syntax check in ldap dse.ldif, it will accept empty
> > > data as well. So if an end user disables syntax check, issuerName can
> > > be empty in that case (a test case that I tried).
> > > So in that case db-update will never happen because that condition is
> > > not considered. This scenario can be reproduced using the below ldif
> > > file.
> > >
> > > <file>
> > >
> > > dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
> > > objectClass: certificateRecord
> > > objectClass: top
> > > cn: 106
> > > algorithmId: 1.2.840.113549.1.1.1
> > > autoRenew: ENABLED
> > > certStatus: VALID
> > > dateOfCreate: 20160712084443Z
> > > dateOfModify: 20160712084443Z
> > > duration: 1131536000000
> > > issuedBy: geetika20
> > > *issuerName: *
> > > metaInfo: requestId:100
> > > notAfter: 20170712084205Z
> > > notBefore: 20160712084205Z
> > > publicKeyData::
> > > MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
> > > serialno: 100
> > > signingAlgorithmId: 1.2.840.113549.1.1.11
> > > subjectName: CN=CS Administrator,C=US
> > > userCertificate;binary::
> > > MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
> > > version: 2
> > >
> > > </file>
> > >
> > > So in such a case, using
> > > '(&(objectclass=certificateRecord)(!(issuerName=*)))' will not be able
> > > to search for such entries. I tried and it gives me empty data. I
> > > believe using (&(objectclass=certificateRecord)
> > > (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
> > >
> > > Thanks
> > > Geetika
> > Hi Fraser,
> >
> > I just did one quick round of testing. If we have
> > '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in
> > both cases:
> >
> > 1. When issuerName doesn't exist.
> > 2. When the issuerName field exists but has an empty value.
> >
> > Thanks
> > Geetika
> >
> I still disagree that it is the right approach, because it may do
> unnecessary work for records that already have an issuerName that
> does not start with "cn".
>
> Is it even necessary to support cases where customer has disabled
> syntax checking?  Nevertheless, let me disable syntax checking on
> one of my instances and see if I can find a better filter.
>
Please try this filter:

(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))

It will find only certificates with missing or empty issuername
attribute.  Does it work as expected for you, Geetika?

>
> > >>> Modified : (&(objectclass=certificateRecord)(!(issuerName=cn*)))' --
> > >>> This solves the purpose as it shows all the certs without issuerName
> > >>>
> > >> This filter is wrong - it does match entries without issuerName (as
> > >> intended), but also matches entries with issuerName set but not
> > >> starting with "cn".
> > >>
> > >>> Operation 2 : If we see an empty cn value, we are replacing it with
> > >>> the value we get from code
> > >>> ------------------------------------------------------------------------------------------------------------------
> > >>> <code>
> > >>>
> > >>> cert = nss.Certificate(bytearray(attr_cert[0]))
> > >>> issuer_name = str(cert.issuer)
> > >>>
> > >>> </code>
> > >>>
> > >>> Current : we are updating the list in the format as mentioned
> > >>> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
> > >>> Domain']
> > >>>
> > >>> Do we want to keep this behavior or do we want to overwrite it in the
> > >>> first place? I believe in place of it we should do MOD_REPLACE.
> > >>>
> > >>> <try:
> > >>> conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName',
> > >>> issuer_name)])
> > >>> Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName',
> > >>> issuer_name)])
> > >>>
> > >> This change is OK.
> > >
> >
_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
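The following Python is an added, self-contained illustration of the two points argued in this thread; it is example code written for this page, not a list message and not part of pki-server. It models a 389 DS instance with syntax checking disabled (so a certificateRecord can carry an empty issuerName value), evaluates the three filters under discussion against constructed entries, and contrasts python-ldap's MOD_ADD with MOD_REPLACE on an entry that already holds the empty value. The sample entries and serial numbers, the mini filter evaluator (`parse_filter`, `matches`, `search`) and the `mod_add`/`mod_replace` helpers are all assumptions for illustration; matching is modelled as case-insensitive, as for a Directory String with caseIgnoreMatch, and presence (`=*`) is modelled as "attribute exists, even with an empty value", which is the behaviour the thread reports.

```python
"""Toy LDAP filter evaluator and modify-op model for the pki-devel thread above.
Example code only (not pki-server).  Assumptions: caseIgnore matching on names
and values; an attribute may hold an empty value, which only happens on a
389 DS with syntax checking disabled; presence (=*) is true for such a value."""

BASE = "ou=certificateRepository,ou=ca,o=pkitest-CA"

# Constructed sample entries (not from the list archive).  103 has the empty
# value from the thread; 104 has an issuerName that does not start with "cn".
ENTRIES = {
    f"cn=101,{BASE}": {"objectClass": ["certificateRecord", "top"],
                       "issuerName": ["CN=CA Signing Certificate,O=example.com Security Domain"]},
    f"cn=102,{BASE}": {"objectClass": ["certificateRecord", "top"]},  # attribute missing
    f"cn=103,{BASE}": {"objectClass": ["certificateRecord", "top"],
                       "issuerName": [""]},                            # present but empty
    f"cn=104,{BASE}": {"objectClass": ["certificateRecord", "top"],
                       "issuerName": ["O=Other Issuer,C=US"]},         # set, no "cn" prefix
    f"cn=105,{BASE}": {"objectClass": ["top", "pkiUser"]},             # not a certificateRecord
}

FILTER_ORIGINAL = "(&(objectclass=certificateRecord)(!(issuerName=*)))"
FILTER_CN_PREFIX = "(&(objectclass=certificateRecord)(!(issuerName=cn*)))"
FILTER_PROPOSED = "(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))"


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, presence (=*),
    equality (=value, possibly empty) and an initial-substring match (=abc*)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"no '=' in item at offset {pos}")
        pos = end + 1
        return ("item", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def _key(entry, attr):
    """Resolve an attribute name case-insensitively to the entry's own key."""
    return next((k for k in entry if k.lower() == attr.lower()), attr)


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    vals = entry.get(_key(entry, attr), [])
    if value == "*":                                   # presence: exists, even if ""
        return len(vals) > 0
    if value.endswith("*") and "*" not in value[:-1]:  # initial substring, caseIgnore
        return any(v.lower().startswith(value[:-1].lower()) for v in vals)
    return any(v.lower() == value.lower() for v in vals)  # equality; "" matches ""


def search(filter_text, entries=ENTRIES):
    """Return the sorted DNs matching filter_text."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in entries.items() if matches(tree, entry))


def mod_add(entry, attr, value):
    """python-ldap MOD_ADD semantics: append, keeping existing values (even "")."""
    new, key = dict(entry), _key(entry, attr)
    new[key] = list(entry.get(key, [])) + [value]
    return new


def mod_replace(entry, attr, value):
    """python-ldap MOD_REPLACE semantics: discard all existing values, set the new one."""
    new, key = dict(entry), _key(entry, attr)
    new[key] = [value]
    return new


if __name__ == "__main__":
    for name, flt in (("original", FILTER_ORIGINAL), ("cn* prefix", FILTER_CN_PREFIX),
                      ("proposed", FILTER_PROPOSED)):
        print(f"{name:11}: {search(flt)}")
    empty = ENTRIES[f"cn=103,{BASE}"]
    issuer = "CN=CA Signing Certificate,O=example.com Security Domain"
    print("MOD_ADD    :", mod_add(empty, "issuerName", issuer)["issuerName"])
    print("MOD_REPLACE:", mod_replace(empty, "issuerName", issuer)["issuerName"])
```

Run stand-alone, the script shows the three outcomes the thread describes: the original `(!(issuerName=*))` filter finds only the entry with no issuerName attribute (102), the `(!(issuerName=cn*))` variant also picks up 104, whose issuer simply does not start with "cn", and the `(|(!(issuername=*))(issuername=))` filter finds exactly the missing and empty cases (102 and 103). The modify helpers show why MOD_ADD on entry 103 leaves `['', 'CN=...']` while MOD_REPLACE leaves a single value. Whether a real 389 DS accepts `(issuername=)` against an empty stored value is, as Fraser's message says, something to confirm on an instance with syntax checking disabled; the model above encodes the behaviour reported in the thread, not a guarantee about the server.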