On Mon, 14 Mar 2016, Fraser Tweedale wrote:
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
for finding and reporting.
From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 14 Mar 2016 14:49:47 +1100
Subject: [PATCH] caacl: correctly handle full user principal name
The caacl HBAC request is correct when just the username is given,
but the full 'user@REALM' form was not handled correctly.
A context might be helpful here: if you are using certmonger's -K option
to specify a user principal name to add to certificate, the name will
get normalized to include the realm. This is how it gets to caacl check.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code