On Mon, Mar 14, 2016 at 03:10:55PM +0100, Martin Kosek wrote:
> On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> > On Mon, 14 Mar 2016, Fraser Tweedale wrote:
> >> The attached patch fixes
> >> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
> >> for finding and reporting.
> >>
> >> Cheers,
> >> Fraser
> >
> >> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
> >> From: Fraser Tweedale <ftwee...@redhat.com>
> >> Date: Mon, 14 Mar 2016 14:49:47 +1100
> >> Subject: [PATCH] caacl: correctly handle full user principal name
> >>
> >> The caacl HBAC request is correct when just the username is given,
> >> but the full 'user@REALM' form was not handled correctly.
> >>
> >> Fixes: https://fedorahosted.org/freeipa/ticket/5733
> > A context might be helpful here: if you are using certmonger's -K option
> > to specify a user principal name to add to certificate, the name will
> > get normalized to include the realm. This is how it gets to caacl check.
> >
> > ACK.
>
> Seeing the patch, I am curious - is the realm validated anywhere or is it just
> dropped and we just assume it is FreeIPA one?
>
> I mean, do we make sure that REALM matches FreeIPA REALM and it is not trusted
> AD realm for example?
>
Martin, glad you asked. We catch that situation elsewhere:
ftweedal% ipa cert-request --principal al...@notmydomain.org alice.csr
ipa: ERROR: The realm for the principal does not match the realm for this IPA server

Cheers,
Fraser
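As an added illustration (not FreeIPA's own code), this is the shape of the check Fraser describes: a user principal's realm is validated against the server's realm before the name is reduced to a bare username for the caacl HBAC lookup. The realm value and the function names are assumptions; the backslash-escaped '@' handling follows Kerberos principal syntax.

```python
# Added illustration, not FreeIPA code: validate a user principal's realm
# before stripping it for a caacl-style HBAC check.
# Assumptions: IPA_REALM stands in for the server's realm; helper names are hypothetical.
from typing import Optional, Tuple

IPA_REALM = "EXAMPLE.TEST"  # constructed value for this example


class RealmMismatch(ValueError):
    """Raised when a principal names a realm other than this server's."""


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Split 'name@REALM' into (name, REALM); REALM is None when absent.

    A backslash escapes '@' inside a Kerberos principal component, so the
    split happens on the last '@' that is not preceded by an odd number of
    backslashes (e.g. 'a\\@b@REALM' has the name 'a\\@b').
    """
    i = len(principal)
    while True:
        i = principal.rfind("@", 0, i)
        if i < 0:
            return principal, None
        j = i - 1
        while j >= 0 and principal[j] == "\\":
            j -= 1
        if (i - 1 - j) % 2 == 0:  # even number of backslashes: '@' is a separator
            return principal[:i], principal[i + 1:]


def normalize_user_principal(principal: str, realm: str = IPA_REALM) -> str:
    """Return the bare username to hand to the caacl check.

    A bare 'user' is accepted as-is (the case that already worked); 'user@REALM'
    is accepted only when REALM equals this server's realm, mirroring the error
    `ipa cert-request` reports for a foreign realm. Realms compare case-sensitively.
    """
    name, principal_realm = split_principal(principal)
    if not name:
        raise ValueError("empty principal name")
    if principal_realm is not None and principal_realm != realm:
        raise RealmMismatch(
            "The realm for the principal does not match the realm for this IPA server"
        )
    return name
```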