On 10.8.2015 12:59, Jakub Hrozek wrote:
> the attached patches fix #2742. The first one makes sure we can print
> the certificate (or any binary attribute, really) safely. We only need
> to make sure to escape the attribute values before saving them to sysdb,
> because then ldb guarantees terminating them.
> The second just switches the attribute value. I tested using this howto:
> You'll also want to use a recent enough IPA version, one that fixes:
> Then, on the client, call:
> dbus-send --print-reply \
> --system \
> --dest=org.freedesktop.sssd.infopipe \
> /org/freedesktop/sssd/infopipe/Users \
> org.freedesktop.sssd.infopipe.Users.FindByCertificate \
> string:"$( openssl x509 < cert.pem )"
> The result will be an object path.
LGTM, but I would think userCertificate;binary should be the default
everywhere, i.e. generic LDAP, as that is the correct attribute name
according to RFC 4523. IMHO when someone uses the standard name in
generic LDAP, they should not be forced to change SSSD configuration
because of it.
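
Added example, not part of the original thread and not SSSD's code: a certificate is DER binary that can contain NUL and filter metacharacters, so a match on `userCertificate;binary` has to escape every octet in the RFC 4515 `\xx` form before the value is placed in a search filter. The function names are hypothetical, the sample bytes are constructed and are not a real certificate, and expressing the lookup as an LDAP filter is an assumption made for illustration.

```python
import base64
import re

# Matches one PEM certificate block, as printed by `openssl x509 < cert.pem`.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in `pem`."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks inside the body
    return base64.b64decode(body, validate=True)


def escape_binary(value: bytes) -> str:
    """Escape every octet as backslash + two hex digits (RFC 4515).

    Escaping all bytes, not only the special ones, keeps NUL, '*', '(',
    ')' and '\\' out of the filter string regardless of the input.
    """
    return "".join(f"\\{byte:02x}" for byte in value)


def cert_filter(pem: str, attr: str = "userCertificate;binary") -> str:
    """Build an equality filter on `attr` for the certificate in `pem`."""
    return f"({attr}={escape_binary(pem_to_der(pem))})"


# Constructed sample: five bytes including NUL, '*' (0x2a) and ')' (0x29).
SAMPLE_DER = bytes([0x30, 0x03, 0x00, 0x2A, 0x29])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(cert_filter(SAMPLE_PEM))
```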