On 13.10.2015 19:26, Rob Crittenden wrote:
> Jan Orel wrote:
>>> The restriction was there so that hosts had limited visibility. This
>>> applies that limitation to all users. I think the host check needs to be
>>> re-added.
>> I am confused, correct me if I am wrong, but the "if hostname:" check
>> seems always redundant because it would raise an exception before,
>> either here:
>> 615             if not bind_principal.startswith('host/'):
>> 616                 raise acierr
>> or in validate_principal()
> Anything bound to IPA can potentially retrieve a certificate. This code
> adds special handling for hosts and probably should cover services as
> well now that I think about it. I don't think services could be included
> in ACIs when this was originally written.
> The idea was that hosts have no need to be able to query random serial
> numbers so it should be limited to viewing its own. Removing the if
> hostname: applies this logic to ALL retrieval which is by far overkill
> and limits all non-admin entries to only be able to view certs they own
> (or can write) which sort of kills the reason for the 'retrieve
> certificate' permission.
>>> Also, every host is not guaranteed to have a krbPrincipalAux (it can be
>>> unenrolled). I assume you used this to cover managed services as well,
>>> that's why the broad search base?
>> Checking it, even a host which is not enrolled has objectClass: krbprincipalaux,
>> but advise me if a different search should be used.
> If a host is added with a password (random or otherwise) it won't have
> this objectclass. I'd make the search filter something like
> (|(objectclass=ipahost)(objectclass=ipaservice)).
> rob

Rob, could you or Honza (or somebody else) hand-hold Jan Orel a little bit?

I was talking with boss of the guy and they are still interested in getting
the patch in IPA but need more guidance and patience from us :-)

Petr^2 Spacek
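As an added illustration (not FreeIPA's own code, and not part of this thread), the following models the access rule Rob describes: a bound host (or service) may only view certificates of hosts it owns or manages, while every other bound entity is governed solely by the 'retrieve certificate' permission, so removing the `if hostname:` gate would wrongly apply the host restriction to all users. It also builds the `(|(objectclass=ipahost)(objectclass=ipaservice))` filter Rob suggests, with RFC 4515 escaping of the principal name so a crafted value cannot alter the filter. The function names, the `krbprincipalname` term in the filter and the `managed_hosts` parameter are assumptions made for this example.

```python
"""Added illustration, not FreeIPA's own code: models the host-scoped
certificate retrieval check discussed in the thread. Function and parameter
names here are assumptions made for the example."""
from __future__ import annotations


def principal_hostname(principal: str) -> str | None:
    """Return the host component of a host/ or service/ principal, lower-cased,
    or None for a plain user principal (which has no '/' in its name part)."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return None
    return name.split("/", 1)[1].lower()


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    principal name containing '*', '(', ')', '\\' or NUL cannot change the
    meaning of the filter it is embedded in."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def bind_entry_filter(bind_principal: str) -> str:
    """Filter that locates the bound host or service entry. The objectclass
    disjunction is the one suggested in the thread (it also matches hosts
    added with a password, which lack krbprincipalaux); the krbprincipalname
    term is an assumption for this example."""
    return ("(&(|(objectclass=ipahost)(objectclass=ipaservice))"
            "(krbprincipalname=%s))" % ldap_filter_escape(bind_principal))


def may_retrieve_cert(bind_principal: str, has_retrieve_permission: bool,
                      cert_host: str, managed_hosts=()) -> bool:
    """Decide whether the bound principal may view the certificate issued to
    cert_host. Hosts and services are limited to their own host and any host
    they manage; other principals need only the 'retrieve certificate'
    permission."""
    if not has_retrieve_permission:
        return False
    hostname = principal_hostname(bind_principal)
    if hostname is None:
        # Not a host or service: the permission alone decides (the branch the
        # removed "if hostname:" gate used to protect).
        return True
    allowed = {hostname} | {h.lower() for h in managed_hosts}
    return cert_host.lower() in allowed


if __name__ == "__main__":
    # Constructed sample principals for a quick local run.
    print(bind_entry_filter("host/web.example.com@EXAMPLE.COM"))
    print(may_retrieve_cert("admin@EXAMPLE.COM", True, "db.example.com"))
    print(may_retrieve_cert("host/web.example.com@EXAMPLE.COM", True, "db.example.com"))
```

The key point is the early `return True` for non-host principals: the host-only restriction is a visibility limit for enrolled hosts, not a replacement for the permission check, so it must be applied only when `principal_hostname` yields a hostname.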

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code