On 15.10.2015 17:28, Jan Orel wrote:
> diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
> index e459320..55f9484 100644
> --- a/ipalib/plugins/cert.py
> +++ b/ipalib/plugins/cert.py
> @@ -625,9 +625,12 @@ class cert_show(VirtualCommand):
>          result['md5_fingerprint'] = 
> unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
>          result['sha1_fingerprint'] = 
> unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
>          if hostname:
> -            # If we have a hostname we want to verify that the subject
> -            # of the certificate matches it, otherwise raise an error
> -            if hostname != cert.subject.common_name:    #pylint: 
> disable=E1101
> +            # If we have a hostname we want to verify that we can
> +            # write to the usercertificate attr of the target
> +            ldap = self.api.Backend.ldap2
> +            entry = ldap.find_entry_by_attr("cn", cert.subject.common_name,
> +                    "ipahost", base_dn=api.env.basedn)
> +            if not ldap.can_write(entry.dn, 'usercertificate'):
>                  raise acierr
>  
>          return dict(result=result)
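Review bot: The new `entry = ldap.find_entry_by_attr("cn", cert.subject.common_name, ...)` lookup keys on the certificate's CN, so `hostname` now only decides whether the check runs and is never compared with the certificate subject: a caller who passes a hostname different from the certificate's CN gets the write check evaluated against whichever host the certificate names, and the subject/hostname mismatch the removed lines rejected now passes silently — if that is intended, a comment stating it would help. When no ipahost entry matches the CN, the lookup presumably raises NotFound instead of acierr (the ldap2 backend raises errors.NotFound for a missing entry, as far as I can tell), so a caller without write permission sees a different error depending on whether the host exists; catching NotFound and raising acierr would keep the outcome uniform. The hunk also mixes `self.api.Backend.ldap2` with the bare `api.env.basedn`; `"ipahost", base_dn=self.api.env.basedn)` would be consistent with the line above it. The enclosing cert_show method body starts outside the hunk.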

I can't say anything about the correctness of the change itself, but while you are at it it would be good to add an explanatory error message to acierr. Something like 'Insufficient permissions for write to userCertificate attribute of $DN entry' or so.

Thanks!

-- 
Petr^2 Spacek

