On Fri, Oct 09, 2015 at 08:39:10AM -0400, Rob Crittenden wrote:
> Jan Orel wrote:
> > Hello,
> > this patch removes an (IMHO) redundant check in cert_show, which fails when
> > a host tries to re-submit a certificate of a different host/service which he
> > can manage.
> > I also reported the bug here:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1269089
> > I tried to run the tests as well and it doesn't seem to break anything.
> > Any feedback appreciated.
> This works around the "Retrieve Certificates from the CA" ACL when done
> as a host.
> I guess if the hostname isn't the subject then the host for the subject
> needs to be read, and then a check made to see whether the hostname is in
> its managed_by list.
Agreed. The corresponding checks for certificate issuance via
cert-request, where the bind principal is a host, check that the
subject host (and SAN dNSNames) is "managed by" the bind host.
This is checked via `ldap.can_write(dn_of_subject_principal)'.
1. retrieve cert
2. read CN
3. ensure CN refers to a known host principal
and call ldap.can_write(...) to ensure bind principal
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
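The two checks contrasted in this thread, modelled as an added example (not FreeIPA code and not posted by any of the participants). The directory, CA, host principals and managedBy relationships are constructed stand-ins, `Directory.can_write` approximates `ldap.can_write(dn)` by consulting the target host's managedBy list, and `cert_show_managed` goes one step beyond the three-step sketch by also checking SAN dNSNames, as the message says cert-request already does:

```python
"""Model of the cert-show authorization discussed above.

Added example, not FreeIPA code. Directory, CA, principals and the
managedBy relationships are constructed stand-ins; Directory.can_write
approximates ldap.can_write(dn) by consulting the host's managedBy list.
"""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the bind principal may not view the certificate."""


@dataclass
class HostEntry:
    fqdn: str
    # Constructed stand-in for the managedBy attribute: FQDNs of hosts
    # that are allowed to manage (write) this host's entry.
    managed_by: frozenset = frozenset()


@dataclass
class Certificate:
    serial: int
    subject_cn: str
    san_dnsnames: tuple = ()


class Directory:
    """Stand-in for the LDAP backend (hypothetical)."""

    def __init__(self, hosts):
        self.hosts = {h.fqdn: h for h in hosts}

    def get_host(self, fqdn):
        return self.hosts.get(fqdn)

    def can_write(self, bind_host, target):
        # A host may write its own entry or any entry that lists it in
        # managedBy; this approximates ldap.can_write(dn_of_subject_principal).
        return bind_host == target.fqdn or bind_host in target.managed_by


def bind_host_of(principal):
    """Return the FQDN of a host principal (host/<fqdn>@REALM), else None."""
    if not principal.startswith("host/"):
        return None
    return principal[len("host/"):].split("@", 1)[0]


def cert_show_old(directory, ca, bind_principal, serial):
    """Approximation of the check the patch removes, as the thread describes
    it: a host may only fetch a certificate whose CN is its own name."""
    cert = ca[serial]
    bind_host = bind_host_of(bind_principal)
    if bind_host is not None and cert.subject_cn != bind_host:
        raise AuthorizationError("hostname is not the certificate subject")
    return cert


def cert_show_managed(directory, ca, bind_principal, serial):
    """The three-step check proposed in the thread, extended to SAN dNSNames
    the way cert-request is said to do (an assumption of this example)."""
    cert = ca[serial]                                   # 1. retrieve cert
    bind_host = bind_host_of(bind_principal)
    if bind_host is None:
        return cert   # non-host principals fall to the ACL, not modelled here
    names = {cert.subject_cn, *cert.san_dnsnames}       # 2. read CN (and SANs)
    for name in names:
        host = directory.get_host(name)                 # 3. must be a known host
        if host is None:
            raise AuthorizationError(f"{name} is not a known host")
        if not directory.can_write(bind_host, host):    # ... writable by bind host
            raise AuthorizationError(f"{bind_host} does not manage {name}")
    return cert


def authorized(check, directory, ca, bind_principal, serial):
    """True if `check` lets bind_principal view `serial`, False if denied."""
    try:
        check(directory, ca, bind_principal, serial)
    except AuthorizationError:
        return False
    return True


# Constructed fixture: mgr manages web; nobody else manages db.
DIRECTORY = Directory([
    HostEntry("mgr.example.test"),
    HostEntry("web.example.test", frozenset({"mgr.example.test"})),
    HostEntry("db.example.test"),
])
CA = {
    1: Certificate(1, "web.example.test", ("web.example.test",)),
    2: Certificate(2, "db.example.test"),
    3: Certificate(3, "web.example.test", ("db.example.test",)),  # SAN on unmanaged host
    4: Certificate(4, "ghost.example.test"),                       # no such host entry
}
REALM = "EXAMPLE.TEST"
MGR = f"host/mgr.example.test@{REALM}"
DB = f"host/db.example.test@{REALM}"

if __name__ == "__main__":
    for who, serial in ((MGR, 1), (MGR, 2), (MGR, 3), (DB, 2), (MGR, 4)):
        print(who, serial,
              "old:", authorized(cert_show_old, DIRECTORY, CA, who, serial),
              "managed:", authorized(cert_show_managed, DIRECTORY, CA, who, serial))
```

Serial 1 is the case from the bug report: the old equality check denies mgr because the CN is web's name, while the managedBy-aware check allows it. Serials 3 and 4 show why resolving every name in the certificate matters: a SAN naming a host the binder does not manage, or a CN that matches no host entry at all, are both refused rather than falling through.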