Jan Orel wrote:
>> The restriction was there so that hosts had limited visibility. This
>> applies that limitation to all users. I think the host check needs to be
>> re-added.
> 
> I am confused, correct me if I am wrong, but the "if hostname:" check
> seems always redundat because it would raise exception before
> either here:
> 
> 615             if not bind_principal.startswith('host/'):
> 616                 raise acierr
> 
> or in validate_principal()

Anything bound to IPA can potentially retrieve a certificate. This code
adds special handling for hosts and probably should cover services as
well now that I think about it. I don't think services could be included
in ACIs when this was originally written.

The idea was that hosts have no need to be able to query random serial
numbers so it should be limited to viewing its own. Removing the if
hostname: applies this logic to ALL retrieval which is by far overkill
and limits all non-admin entries to only be able to view certs they own
(or can write) which sort of kills the reason for the 'retrieve
certificate' permission.

> 
>> Also, every host is not guaranteed to have a krbPrincipalAux (it can be
>> unenrolled). I assume you used this to cover managed services as well,
>> that's why the broad search base?
> 
> Checking it, even host which is not enrolled have objectClass: 
> krbprincipalaux,
> but advise me if different search should be used.

If a host is added with a password (random or otherwise) it won't have
this objectclass. I'd make the search filter something like
(|(objectclass=ipahost)(objectclass=ipaservice)).

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to