Jenny Galipeau wrote:
On 03/26/2012 11:28 AM, Jan Cholasta wrote:
On 26.3.2012 16:15, Rob Crittenden wrote:
Jan Cholasta wrote:
https://fedorahosted.org/freeipa/ticket/2521

Honza

You can still set a custom subject base for selfsign installations so
you need a special case in valid_issuer().

For selfsign installations, the issuer is always "CN=REALM Certificate
Authority", no matter what is set in the subject base, so no special
case is needed.

I wonder if this comparison
should be case insensitive too.

I think the DN class already takes care of this.


It may also be an optimization to cache the base in subject_base(). It
can't change after install time so it should be valid the entire
lifetime of the server.

What if someone does

$ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'

?

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipaconfig-mod_setattr ipacertificatesubjectbase positive
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Set ipapwdexpadvnotify to OU=Bogus
:: [   PASS   ] :: ipacertificatesubjectbase successfully changed.
:: [   LOG    ] :: Duration: 3s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ipaconfig-mod_setattr ipacertificatesubjectbase positive


It works ... should we be getting an error??

Yes, it should fail. I thought there was already a bug open on it, though maybe we just removed the option from -mod.

rob
