ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

ldap_search: userCertificate;binary search results in corrupt / undetectable encoding #4742

Closed walshg3 closed 2 years ago

walshg3 commented 2 years ago

Summary

Thank you for taking the time to read the issue I am experiencing. I have used the Ansible ldap_search module on occasion and it works without issues; however, in this rare case I am experiencing odd behavior and I cannot seem to figure out why. When I run an ldap_search on my directory I get back the normal values I would expect. My goal is to query and save certificates stored in the directory, specifically with the attrs 'userCertificate;binary'. When I query the directory for the userCertificates I get results, but they are either encoded weirdly or corrupt. See below for some of the output (I removed any sensitive data but tried to keep the format intact by replacing data with 'removed.for.client.security').

I have confirmed from the ldapsearch command in the Linux shell that the userCertificate is returned with no issues. I also have Python modules in which I work with the userCertificates without issues. Sometimes I need to convert the certificate from DER to CER or PEM format, but I can't identify the format of the output from the ldap_search Ansible module. I have tried to convert to base64, UTF-8, and hex, but none seem to match the original certificate that is on the directory server.

Any help or guidance is appreciated. Thank you again.

Issue Type

Bug Report

Component Name

ldap_search

Ansible Version

$ ansible --version
ansible 2.9.27
  config file = /home/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible

Community.general Version

$ ansible-galaxy collection list community.general
usage: ansible-galaxy collection [-h] COLLECTION_ACTION ...
ansible-galaxy collection: error: argument COLLECTION_ACTION: invalid choice: 'list' (choose from 'init', 'build', 'publish', 'install')

Not sure why this didn't work.

Configuration

$ ansible-config dump --only-changed
DEFAULT_HOST_LIST(/home/ansible/ansible.cfg) = ['REDACTED']
DEFAULT_ROLES_PATH(/home/ansible/ansible.cfg) = ['REDACTED']
DEFAULT_VAULT_PASSWORD_FILE(/home/ansible/ansible.cfg) = REDACTED
DISPLAY_SKIPPED_HOSTS(/home/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/home/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/home/ansible/ansible.cfg) = auto

OS / Environment

RHEL 8

Steps to Reproduce

Run an ldap_search on a DS with certificates.

Expected Results

Output to be in PEM or DER format like what's on the Directory Server.

Actual Results

"userCertificate;binary": "0�\u0006�0�\u0005x�\u0003\u0002\u0001\u0002\u0002\u0010TtC\u001c]�y#�}�1�V�0\r\u0006\t*�H��\r\u0001\u0001\u000b\u0005\u00000`1\u000b0\t\u0006\u0003U\u0004\u0006\u0013\u0002US1*0(\u0006\u0003U\u0004\n\u0013!removed.for.client.security1%0#\u0006\u0003U\u0004\u0003\u0013\u001cremoved.for.client.securityCA0\u001e\u0017\r220201000000Z\u0017\r250131235959Z0��1\u000b0\t\u0006\u0003U\u0004\u0006\u0013\u0002US1\u00180\u0016\u0006\u0003U\u0004\n\u0013\u000fremoved.for.client.security1*0(\u0006\u0003U\u0004\u000b\u0013!removed.for.client.security(0&\u0006\u0003U\u0004\u000b\u0013\u001fremoved.for.client.security1!0\u001f\u0006\u0003U\u0004\u000b\u0013\u0018removed.for.client.securitySystem1\f0\n\u0006\u0003U\u0004\u000b\f\u0003IAM1\r0\u000b\u0006\u0003U\u0004\u000b\u0013\u0004deve1\"0\u0006\u0003U\u0004\u0003\u0013\u0019removed.for.client.security0�\u0002\"0\r\u0006\t*�H��\r\u0001\u0001\u0001\u0005\u0000\u0003�\u0002\u000f\u00000�\u0002\n\u0002�\u0002\u0001\u0000ź��\u001fe[��͔}�*��^���7��Bq�b/u0001��\u0001�0�\u0001�0\f\u0006\u0003U\u001d\u0013\u0001\u0001�\u0004\u00020\u00000\u000b\u0006\u0003U\u001d\u000f\u0004\u0004\u0003\u0002\u0005�0\u001d\u0006\u0003U\u001d%\u0004\u00160\u0014\u0006\b+\u0006\u0001\u0005\u0005\u0007\u0003\u0002\u0006\b+\u0006\u0001\u0005\u0005\u0007\u0003\u00010A\u0006\u0003U\u001d\u001f\u0004:0806�4�2�0removed.for.client.security0A\u0006\b+\u0006\u0001\u0005\u0005\u0007\u0001\

ansibullbot commented 2 years ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

ansibullbot commented 2 years ago

cc @eryx12o45 @jtyr

walshg3 commented 2 years ago

Upon further diagnosis I am starting to see this is working as intended. The LDAPSearch module will solely return search results, but it is on me to convert the format. I see in older code I load the certificates into crypto.FILETYPE_ASN1 and that is doing the converting. I will have to do more research into how I can convert an ASN1 returned format to a more readable format in Ansible. You can consider this issue closed.

venkatakarthikbandaru commented 1 year ago

@walshg3 were you able to produce the result from ldap_search in human-readable format other than this 3IAM1\r0\u000b\u0006\u0003U\u0004\u000b\u0013\u0004deve1\

felixfontein commented 1 year ago

Please note that there is a new base64_attributes module option (since c.g 7.0.0) which allows you to specify which attributes should be Base64 encoded (https://docs.ansible.com/ansible/latest/collections/community/general/ldap_search_module.html#parameter-base64_attributes).
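
The conversion discussed in this thread, as an added Python example (not code from the issue or from community.general): it shows why DER bytes forced into a text string cannot be recovered, and turns a Base64-encoded attribute value, such as one requested through `base64_attributes`, into PEM. The function names, the sample bytes and the str-or-list input shape are assumptions of this example.

```python
import base64

# Constructed sample: the DER AlgorithmIdentifier for sha256WithRSAEncryption.
# The same bytes are visible in the issue output as 0\r\u0006\t*.H..\r\u0001...
SAMPLE_DER = bytes.fromhex("300d06092a864886f70d01010b0500")


def lossy_text(der: bytes) -> str:
    """Decode DER as UTF-8 text; invalid bytes collapse to U+FFFD for good."""
    return der.decode("utf-8", errors="replace")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE envelope (64-column Base64)."""
    if not der or der[0] != 0x30:  # a certificate is an ASN.1 SEQUENCE
        raise ValueError("value is not DER: missing SEQUENCE tag 0x30")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def b64_attribute_to_pem(value) -> list:
    """Convert a Base64 attribute value (assumed: str or list of str) to PEM."""
    values = [value] if isinstance(value, str) else list(value)
    pems = []
    for item in values:
        try:
            # validate=True rejects anything outside the Base64 alphabet,
            # including the mangled text form shown in the issue.
            der = base64.b64decode(item, validate=True)
        except ValueError as exc:
            raise ValueError("attribute value is not Base64") from exc
        pems.append(der_to_pem(der))
    return pems


if __name__ == "__main__":
    mangled = lossy_text(SAMPLE_DER)
    print("text form round-trips:", mangled.encode("utf-8") == SAMPLE_DER)
    encoded = base64.b64encode(SAMPLE_DER).decode("ascii")
    print(b64_attribute_to_pem(encoded)[0])
```

Once bytes such as 0x86 and 0xf7 have been replaced by U+FFFD, no Base64, UTF-8 or hex conversion of the text can restore the certificate; the value has to leave the module Base64-encoded.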