On Thu, Jul 14, 2016 at 03:51:18PM +0530, Geetika Kapoor wrote:
On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
>
> On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
>> On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote:
>>> On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
>>>> On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
>>>>> On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
>>>>>> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Please review this patch. Below is a small summary about this fix and
>>>>>>> what we are trying to achieve.
>>>>>>>
>>>>>>> CLI : pki-server db-upgrade
>>>>>>>
>>>>>>> What it should be doing is if it sees that issuerName doesn't exist, NULL
>>>>>>> it will add it itself.
>>>>>>>
>>>>>>> Operation 1 : Search for the empty cn value for issuerName
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------
>>>>>>>
>>>>>>> Current : '(&(objectclass=certificateRecord)(issuerName=*)) -- I
>>>>>>> tried this; it didn't show data even if I have a record with empty issuerName
>>>>>>>
>>>>>> Hi Geetika,
>>>>>>
>>>>>> The current filter is actually:
>>>>>>
>>>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))',
>>>>>>
>>>>>> This should match entries missing the issuerName attribute. You
>>>>>> talk about an entry with "empty issuerName" but empty strings are
>>>>>> not allowed for the Directory String attribute type. Could you
>>>>>> please clarify exactly what data is in the offending entry/entries
>>>>>> and how it got there?
>>>>> Hi Fraser,
>>>>>
>>>>> If we disable syntax check in ldap dse.ldif, it will accept empty
>>>>> data as well. So if an end user disables syntax check, issuerName can be
>>>>> empty in that case (a test case that I tried).
>>>>> So in that case db-update will never happen because that condition is
>>>>> not considered. This scenario can be reproduced using the below ldif file.
>>>>>
>>>>> <file>
>>>>>
>>>>> dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
>>>>> objectClass: certificateRecord
>>>>> objectClass: top
>>>>> cn: 106
>>>>> algorithmId: 1.2.840.113549.1.1.1
>>>>> autoRenew: ENABLED
>>>>> certStatus: VALID
>>>>> dateOfCreate: 20160712084443Z
>>>>> dateOfModify: 20160712084443Z
>>>>> duration: 1131536000000
>>>>> issuedBy: geetika20
>>>>> *issuerName: *
>>>>> metaInfo: requestId:100
>>>>> notAfter: 20170712084205Z
>>>>> notBefore: 20160712084205Z
>>>>> publicKeyData::
>>>>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
>>>>> serialno: 100
>>>>> signingAlgorithmId: 1.2.840.113549.1.1.11
>>>>> subjectName: CN=CS Administrator,C=US
>>>>> userCertificate;binary::
>>>>> MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
>>>>> version: 2
>>>>>
>>>>> </file>
>>>>>
>>>>> So in such a case using
>>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))', will not be able to
>>>>> search for such entries. I tried and it gives me empty data. I believe
>>>>> using (&(objectclass=certificateRecord)
>>>>> (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
>>>>>
>>>>> Thanks
>>>>> Geetika
>>>> Hi Fraser,
>>>>
>>>> I just did one quick round of testing. If we have
>>>> '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in
>>>> both cases:
>>>>
>>>> 1. When issuerName doesn't exist.
>>>> 2. When issuerName field exists but has empty value.
>>>>
>>>> Thanks
>>>> Geetika
>>>>
>>> I still disagree that it is the right approach, because it may do
>>> unnecessary work for records that already have an issuerName that
>>> does not start with "cn".
>>>
>>> Is it even necessary to support cases where customer has disabled
>>> syntax checking? Nevertheless, let me disable syntax checking on
>>> one of my instances and see if I can find a better filter.
>>>
>> Please try this filter:
>>
>> (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
>>
>> It will find only certificates with missing or empty issuername
>> attribute. Does it work as expected for you, Geetika?
> Let me try, Fraser..
>
> Thanks
Thanks, Fraser, for helping in giving a better solution.

You're welcome. ACK, and pushed to master:
c3ff087bd07cde4cd272defad499fd4d8367e5c1
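
The three filters discussed in this thread, compared in an added example that is not part of the original messages or of the pki code: a simplified Python model of LDAP filter matching run over four constructed entries. The entry names, the sample issuerName values and the helper functions are assumptions, and the model treats an empty stored value as a present attribute, matching the behaviour reported above with syntax checking disabled.

```python
# Simplified model of LDAP search-filter evaluation (RFC 4515 syntax subset):
# &, |, !, presence (attr=*), prefix substring (attr=abc*), equality (attr=value).
# Names and values compare case-insensitively. Not the directory server's matcher.

def parse(f, i=0):
    """Parse the filter starting at f[i] == '('; return (node, next_index)."""
    assert f[i] == "("
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")
    return ("item", attr.lower(), value.lower()), end + 1

def evaluate(node, entry):
    if node[0] == "&":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(evaluate(k, entry) for k in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                       # presence: attribute exists at all
        return bool(values)
    if value.endswith("*"):                # initial-substring match
        return any(v.startswith(value[:-1]) for v in values)
    return value in values                 # equality, including the empty value

def matches(filter_str, entries):
    node, _ = parse(filter_str)
    return [name for name, e in entries.items() if evaluate(node, e)]

# Constructed sample entries (attribute names lower-cased), not real records.
ENTRIES = {
    "missing": {"objectclass": ["certificateRecord"]},
    "empty":   {"objectclass": ["certificateRecord"], "issuername": [""]},
    "cn":      {"objectclass": ["certificateRecord"], "issuername": ["CN=Example CA,O=pkitest"]},
    "ou":      {"objectclass": ["certificateRecord"], "issuername": ["OU=Example CA,O=pkitest"]},
}
FILTERS = {
    "original":  "(&(objectclass=certificateRecord)(!(issuerName=*)))",
    "not-cn":    "(&(objectclass=certificateRecord)(!(issuerName=cn*)))",
    "suggested": "(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))",
}
```

In this model the original filter selects only the entry with no issuerName, the cn* variant also selects the record whose issuerName starts with "OU=", and the suggested filter selects exactly the missing and empty cases.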