On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> On Mon, 14 Mar 2016, Fraser Tweedale wrote:
>> The attached patch fixes
>> https://fedorahosted.org/freeipa/ticket/5733.  Thanks to Alexander
>> for finding and reporting.
>>
>> Cheers,
>> Fraser
> 
>> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
>> From: Fraser Tweedale <ftwee...@redhat.com>
>> Date: Mon, 14 Mar 2016 14:49:47 +1100
>> Subject: [PATCH] caacl: correctly handle full user principal name
>>
>> The caacl HBAC request is correct when just the username is given,
>> but the full 'user@REALM' form was not handled correctly.
>>
>> Fixes: https://fedorahosted.org/freeipa/ticket/5733
> A context might be helpful here: if you are using certmonger's -K option
> to specify a user principal name to add to certificate, the name will
> get normalized to include the realm. This is how it gets to caacl check.
> 
> ACK.

Seeing the patch, I am curious - is the realm validated anywhere pr is it just
dropped and we just assume it is FreeIPA one?

I mean, do we make sure that REALM matches FreeIPA REALM and it is not trusted
AD realm for example?

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to