2015-10-13 19:26 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> Jan Orel wrote:
>>> The restriction was there so that hosts had limited visibility. This
>>> applies that limitation to all users. I think the host check needs to be
>>> re-added.
>>
>> I am confused, correct me if I am wrong, but the "if hostname:" check
>> seems always redundant because it would raise exception before
>> either here:
>>
>> 615             if not bind_principal.startswith('host/'):
>> 616                 raise acierr
>>
>> or in validate_principal()
>
> Anything bound to IPA can potentially retrieve a certificate. This code
> adds special handling for hosts and probably should cover services as
> well now that I think about it. I don't think services could be included
> in ACIs when this was originally written.
>
> The idea was that hosts have no need to be able to query random serial
> numbers so it should be limited to viewing its own. Removing the if
> hostname: applies this logic to ALL retrieval which is by far overkill
> and limits all non-admin entries to only be able to view certs they own
> (or can write) which sort of kills the reason for the 'retrieve
> certificate' permission.
>
>>
>>> Also, every host is not guaranteed to have a krbPrincipalAux (it can be
>>> unenrolled). I assume you used this to cover managed services as well,
>>> that's why the broad search base?
>>
>> Checking it, even host which is not enrolled have objectClass: 
>> krbprincipalaux,
>> but advise me if different search should be used.
>
> If a host is added with a password (random or otherwise) it won't have
> this objectclass. I'd make the search filter something like
> (|(objectclass=ipahost)(objectclass=ipaservice)).
>
> rob
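The two points above (host principals restricted to their own certificate while other principals are governed by the 'retrieve certificate' permission, and an owner lookup that does not depend on krbPrincipalAux) modelled in a small stand-alone script. This is an added example, not FreeIPA code: the principal formats follow Kerberos convention, the `ACIError` class, function names, and the `fqdn`/`krbprincipalname` attribute clauses in the filter are assumptions, and the filter escaping follows RFC 4515 so a hostname taken from a bind principal cannot alter the filter structure.

```python
# Added example (not FreeIPA's implementation) of the access-control logic
# discussed in the thread. Assumed: principal strings look like
# "host/fqdn@REALM", "HTTP/fqdn@REALM" or "user@REALM"; the LDAP attributes
# 'fqdn' and 'krbprincipalname' used in owner_search_filter are assumptions.


class ACIError(Exception):
    """Raised when the bound principal may not retrieve the certificate."""


# RFC 4515 escaping for values embedded in an LDAP search filter.
_LDAP_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def ldap_escape(value):
    """Escape a value so it is matched literally inside a filter."""
    return ''.join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def is_host_principal(bind_principal):
    """True for host/<fqdn>@REALM principals (an enrolled host's own identity)."""
    return bind_principal.startswith('host/')


def principal_hostname(bind_principal):
    """Hostname part of a service-style principal, or None for a user principal."""
    if '/' not in bind_principal:
        return None
    _service, rest = bind_principal.split('/', 1)
    return rest.split('@', 1)[0]


def may_retrieve_cert(bind_principal, cert_owner_hosts, has_retrieve_permission):
    """Decide whether bind_principal may read a certificate owned by cert_owner_hosts.

    Host principals are limited to their own certificate regardless of permissions
    (they have no need to look up arbitrary serial numbers). Every other principal
    is governed by the 'retrieve certificate' permission, so removing the host
    check would wrongly apply the ownership rule to all non-admin entries.
    """
    if is_host_principal(bind_principal):
        return principal_hostname(bind_principal) in cert_owner_hosts
    return bool(has_retrieve_permission)


def check_retrieve_cert(bind_principal, cert_owner_hosts, has_retrieve_permission):
    """Same decision as may_retrieve_cert, raising ACIError on denial."""
    if not may_retrieve_cert(bind_principal, cert_owner_hosts, has_retrieve_permission):
        raise ACIError('%s may not retrieve this certificate' % bind_principal)
    return True


def owner_search_filter(hostname):
    """Filter for the host or service entries owning a certificate for hostname.

    Matches on objectclass ipahost/ipaservice (as suggested in the thread) rather
    than krbPrincipalAux, which a host added with a password does not carry.
    Only the caller-supplied hostname is escaped; the '*' wildcards are part of
    the filter itself.
    """
    host = ldap_escape(hostname)
    return ('(&(|(objectclass=ipahost)(objectclass=ipaservice))'
            '(|(fqdn=%s)(krbprincipalname=*/%s@*)))' % (host, host))


if __name__ == '__main__':
    # Constructed sample inputs.
    owners = {'web1.example.test'}
    print(may_retrieve_cert('host/web1.example.test@EXAMPLE.TEST', owners, False))  # own cert: True
    print(may_retrieve_cert('host/db1.example.test@EXAMPLE.TEST', owners, True))    # other host's cert: False
    print(may_retrieve_cert('alice@EXAMPLE.TEST', owners, True))                    # permission holder: True
    print(may_retrieve_cert('alice@EXAMPLE.TEST', owners, False))                   # no permission: False
    print(owner_search_filter('web1.example.test'))
```

The host branch deliberately ignores `has_retrieve_permission`: granting a host the permission still does not widen its view beyond its own certificate, which is the limitation the thread says should be kept.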

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
