Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name

Alexander Bokovoy Sun, 13 Mar 2016 22:21:07 -0700

On Mon, 14 Mar 2016, Fraser Tweedale wrote:

The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5733.  Thanks to Alexander
for finding and reporting.


Cheers,
Fraser

From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 14 Mar 2016 14:49:47 +1100
Subject: [PATCH] caacl: correctly handle full user principal name

The caacl HBAC request is correct when just the username is given,
but the full 'user@REALM' form was not handled correctly.

Fixes: https://fedorahosted.org/freeipa/ticket/5733

A context might be helpful here: if you are using certmonger's -K option
to specify a user principal name to add to certificate, the name will
get normalized to include the realm. This is how it gets to caacl check.

ACK.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name

Reply via email to