Use John's new DN class to verify that the subject base passed into ipa-server-install is valid.

https://fedorahosted.org/freeipa/ticket/1176

rob
>From e8e74f21f62a5ea6368900a03176d606845488b2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 7 Jul 2011 11:55:20 -0400
Subject: [PATCH] Validate that the certificate subject base is in valid DN format.

https://fedorahosted.org/freeipa/ticket/1176
---
 install/tools/ipa-server-install |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 504da2c61ffcc94f4ea7ca429da22d600c8a9297..8a6634d5a18eb22de6eb5464d69b2e81a6dd2bdf 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -58,6 +58,7 @@ from ipapython.ipautil import *
 from ipalib import api, errors, util
 from ipalib.parameters import IA5Str
 from ipapython.config import IPAOptionParser
+from ipalib.dn import DN
 
 pw_name = None
 uninstalling = False
@@ -72,6 +73,18 @@ def zonemgr_callback(option, opt_str, value, parser):
     ia._convert_scalar(v)
     parser.values.zonemgr = value
 
+def subject_callback(option, opt_str, value, parser):
+    """
+    Make sure the certificate subject base is a valid DN
+    """
+    name = opt_str.replace('--','')
+    v = unicode(value, 'utf-8')
+    try:
+        dn = DN(v)
+    except ValueError, e:
+        raise ValueError('Invalid subject base format: %s' % str(e))
+    parser.values.subject = value
+
 def parse_options():
     # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
     namespace = random.randint(1, 10000) * 200000
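Review bot: `subject_callback` raises a plain `ValueError`, which optparse does not catch, so a malformed `--subject` would surface as a traceback rather than a usage error, unless `IPAOptionParser` handles it somewhere not visible here. optparse only turns `OptionValueError` into a clean message and exit. The decode `v = unicode(value, 'utf-8')` also sits outside the `try`, so non-UTF-8 input fails without the "Invalid subject base format" text. I would move that line inside the `try` and end the handler with `raise OptionValueError('Invalid subject base format: %s' % str(e))`, adding `from optparse import OptionValueError` if it is not already in scope. The locals `name` and `dn` are assigned but never read and can be dropped, keeping a bare `DN(v)` call as the check.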
@@ -141,7 +154,8 @@ def parse_options():
                       help="The starting value for the IDs range (default random)")
     parser.add_option("--idmax", dest="idmax", default=0, type=int,
                       help="The max value value for the IDs range (default: idstart+199999)")
-    parser.add_option("--subject", dest="subject",
+    parser.add_option("--subject", action="callback", callback=subject_callback,
+                      type="string",
                       help="The certificate subject base (default O=<realm-name>)")
     parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
                       action="store_true",
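Review bot: The rewritten `--subject` option drops `dest="subject"`, while `subject_callback` stores the value through the hard-coded `parser.values.subject`. The attribute and its `None` default now depend on optparse deriving the destination from the option string because `type="string"` is set. Keeping `dest="subject"` explicit in this `add_option` call would make that coupling visible. Note also that the check only runs when `--subject` is given on the command line and only proves the value parses as a DN; which attribute types are acceptable in a certificate subject is not constrained here. `parse_options` starts and ends outside this hunk.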
-- 
1.7.4
