On 15.10.2015 17:28, Jan Orel wrote:
> diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
> index e459320..55f9484 100644
> --- a/ipalib/plugins/cert.py
> +++ b/ipalib/plugins/cert.py
> @@ -625,9 +625,12 @@ class cert_show(VirtualCommand):
> result['md5_fingerprint'] =
>
> Anything bound to IPA can potentially retrieve a certificate. This code
> adds special handling for hosts and probably should cover services as
> well now that I think about it. I don't think services could be included
> in ACIs when this was originally written.
>
> The idea was that hosts have
2015-10-13 19:26 GMT+02:00 Rob Crittenden:
> Jan Orel wrote:
>>> The restriction was there so that hosts had limited visibility. This
>>> applies that limitation to all users. I think the host check needs to be
>>> re-added.
>>
>> I am confused, correct me if I am wrong, but
> The restriction was there so that hosts had limited visibility. This
> applies that limitation to all users. I think the host check needs to be
> re-added.
I am confused, correct me if I am wrong, but the "if hostname:" check
seems always redundant because it would raise exception before
either
Jan Orel wrote:
>> The restriction was there so that hosts had limited visibility. This
>> applies that limitation to all users. I think the host check needs to be
>> re-added.
>
> I am confused, correct me if I am wrong, but the "if hostname:" check
> seems always redundant because it would raise
Jan Orel wrote:
>> Agreed. The corresponding checks for certificate issuance via
>> cert-request, where the bind principal is a host, check that the
>> subject host (and SAN dNSNames) is "managed by" the bind host.
>> This is checked via `ldap.can_write(dn_of_subject_principal)'.
>>
>> 1.
On Fri, Oct 09, 2015 at 08:39:10AM -0400, Rob Crittenden wrote:
> Jan Orel wrote:
> > Hello,
> >
> > this patch removes (IMHO) redundant check in cert_show, which fails when
> > host tries to re-submit certificate of different host/service which he
> > can manage.
> >
> > I also reported the bug
Jan Orel wrote:
> Hello,
>
> this patch removes (IMHO) redundant check in cert_show, which fails when
> host tries to re-submit certificate of different host/service which he
> can manage.
>
> I also reported the bug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1269089
>
> I tried to run
Christian Heimes wrote:
> On 2015-10-09 13:21, Jan Orel wrote:
>> Hello,
>>
>> this patch removes (IMHO) redundant check in cert_show, which fails when
>> host tries to re-submit certificate of different host/service which he
>> can manage.
>>
>> I also reported the bug here:
>>
On 9.10.2015 15:00, Christian Heimes wrote:
On 2015-10-09 13:21, Jan Orel wrote:
Hello,
this patch removes (IMHO) redundant check in cert_show, which fails when
host tries to re-submit certificate of different host/service which he
can manage.
I also reported the bug here:
On 2015-10-09 15:11, Jan Cholasta wrote:
> On 9.10.2015 15:00, Christian Heimes wrote:
>> On 2015-10-09 13:21, Jan Orel wrote:
>>> Hello,
>>>
>>> this patch removes (IMHO) redundant check in cert_show, which fails when
>>> host tries to re-submit certificate of different host/service which he
>>>