On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> On Mon, 14 Mar 2016, Fraser Tweedale wrote:
>> The attached patch fixes
>> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
>> for finding and reporting.
>>
>> Cheers,
>> Fraser
>
>> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
>> From: Fraser Tweedale <[email protected]>
>> Date: Mon, 14 Mar 2016 14:49:47 +1100
>> Subject: [PATCH] caacl: correctly handle full user principal name
>>
>> The caacl HBAC request is correct when just the username is given,
>> but the full 'user@REALM' form was not handled correctly.
>>
>> Fixes: https://fedorahosted.org/freeipa/ticket/5733
>
> Some context might be helpful here: if you are using certmonger's -K option
> to specify a user principal name to add to the certificate, the name will
> get normalized to include the realm. This is how it gets to the caacl check.
>
> ACK.
Seeing the patch, I am curious: is the realm validated anywhere, or is it just dropped and we assume it is the FreeIPA one? I mean, do we make sure that REALM matches the FreeIPA REALM and that it is not a trusted AD realm, for example?

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
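The check the follow-up question asks about, written out as an added example in Python. This is not FreeIPA's caacl code and says nothing about what the patch actually does; the realm names, the function names and the escape handling are assumptions for illustration. It puts the behaviour the question worries about (realm simply dropped) next to a version that accepts only the local realm, and it splits at the last unescaped '@' because Kerberos allows a literal '\@' inside a principal component.

```python
# Added example, not FreeIPA code: normalising a Kerberos user principal
# before a local ACL lookup, with and without checking the realm.
from typing import Optional, Tuple

IPA_REALM = "EXAMPLE.TEST"  # hypothetical local FreeIPA realm


class RealmError(ValueError):
    """Principal does not name a user in the local realm."""


def split_principal(name: str) -> Tuple[str, Optional[str]]:
    """Split 'primary@REALM' at the last unescaped '@'.

    A backslash escapes the next character, so 'svc\\@host@REALM' has the
    primary 'svc\\@host' and the realm 'REALM'. Realm is None when absent.
    """
    i = 0
    last_at = -1
    while i < len(name):
        if name[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if name[i] == "@":
            last_at = i
        i += 1
    if last_at < 0:
        return name, None
    return name[:last_at], name[last_at + 1:]


def naive_username(principal: str) -> str:
    """Realm silently dropped: 'alice@AD.EXAMPLE.TEST' becomes 'alice'.

    This is the behaviour the question is asking about, shown here only
    to contrast with the checked version below.
    """
    return principal.split("@")[0]


def local_username(principal: str, realm: str = IPA_REALM) -> str:
    """Return the bare username only if the principal is in the local realm.

    A bare 'alice' is accepted as-is; 'alice@EXAMPLE.TEST' is stripped to
    'alice'; any other realm, or a malformed name, raises RealmError so the
    caller never treats a foreign (e.g. trusted AD) user as a local one.
    """
    primary, prealm = split_principal(principal)
    if not primary:
        raise RealmError("empty primary component in %r" % principal)
    if prealm is None:
        return primary
    if prealm == "":
        raise RealmError("empty realm in %r" % principal)
    if prealm != realm:  # Kerberos realm names are case-sensitive
        raise RealmError("realm %r is not the local realm %r" % (prealm, realm))
    return primary


if __name__ == "__main__":
    for p in ("alice", "alice@EXAMPLE.TEST", "alice@AD.EXAMPLE.TEST"):
        try:
            print(p, "->", local_username(p))
        except RealmError as e:
            print(p, "-> rejected:", e)
```

The two functions differ only for principals from another realm: `naive_username` maps a trusted-realm user onto a local username of the same spelling, while `local_username` refuses it, which is the distinction the question draws between the FreeIPA realm and a trusted AD realm.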
