Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-16 Petr Spacek
On 15.10.2015 17:28, Jan Orel wrote: > diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py > index e459320..55f9484 100644 > --- a/ipalib/plugins/cert.py > +++ b/ipalib/plugins/cert.py > @@ -625,9 +625,12 @@ class cert_show(VirtualCommand): > result['md5_fingerprint'] = >
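Review bot: in the cert_show hunk at @@ -625,9 +625,12 @@, the hostname != CN restriction being removed is an authorization boundary, so the replacement should keep cert-show's visibility tied to what the bind principal is allowed to manage (an ownership check on the subject principal's entry, as cert-request does via ldap.can_write, covering services as well as hosts per the discussion below) rather than drop the limit or apply it uniformly to every caller; the preview is cut after the result['md5_fingerprint'] = context line, so the replacement lines themselves cannot be checked here.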

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-15 Jan Orel
> Anything bound to IPA can potentially retrieve a certificate. This code
> adds special handling for hosts and probably should cover services as
> well now that I think about it. I don't think services could be included
> in ACIs when this was originally written.
>
> The idea was that hosts have

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-15 Jan Orel
2015-10-13 19:26 GMT+02:00 Rob Crittenden:
> Jan Orel wrote:
>>> The restriction was there so that hosts had limited visibility. This
>>> applies that limitation to all users. I think the host check needs to be
>>> re-added.
>>
>> I am confused, correct me if I am wrong, but

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-13 Jan Orel
> The restriction was there so that hosts had limited visibility. This
> applies that limitation to all users. I think the host check needs to be
> re-added.

I am confused, correct me if I am wrong, but the "if hostname:" check seems always redundant because it would raise an exception before either

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-13 Rob Crittenden
Jan Orel wrote:
>> The restriction was there so that hosts had limited visibility. This
>> applies that limitation to all users. I think the host check needs to be
>> re-added.
>
> I am confused, correct me if I am wrong, but the "if hostname:" check
> seems always redundant because it would raise

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-12 Rob Crittenden
Jan Orel wrote:
>> Agreed. The corresponding checks for certificate issuance via
>> cert-request, where the bind principal is a host, check that the
>> subject host (and SAN dNSNames) is "managed by" the bind host.
>> This is checked via `ldap.can_write(dn_of_subject_principal)'.
>>
>> 1.

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-11 Fraser Tweedale
On Fri, Oct 09, 2015 at 08:39:10AM -0400, Rob Crittenden wrote:
> Jan Orel wrote:
> > Hello,
> >
> > this patch removes an (IMHO) redundant check in cert_show, which fails when
> > a host tries to re-submit a certificate of a different host/service which he
> > can manage.
> >
> > I also reported the bug

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-09 Rob Crittenden
Jan Orel wrote:
> Hello,
>
> this patch removes an (IMHO) redundant check in cert_show, which fails when
> a host tries to re-submit a certificate of a different host/service which he
> can manage.
>
> I also reported the bug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1269089
>
> I tried to run

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-09 Rob Crittenden
Christian Heimes wrote:
> On 2015-10-09 13:21, Jan Orel wrote:
>> Hello,
>>
>> this patch removes an (IMHO) redundant check in cert_show, which fails when
>> a host tries to re-submit a certificate of a different host/service which he
>> can manage.
>>
>> I also reported the bug here:
>>

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-09 Jan Cholasta
On 9.10.2015 15:00, Christian Heimes wrote:
> On 2015-10-09 13:21, Jan Orel wrote:
>> Hello,
>>
>> this patch removes an (IMHO) redundant check in cert_show, which fails when
>> a host tries to re-submit a certificate of a different host/service which he
>> can manage.
>>
>> I also reported the bug here:

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-09 Christian Heimes
On 2015-10-09 15:11, Jan Cholasta wrote:
> On 9.10.2015 15:00, Christian Heimes wrote:
>> On 2015-10-09 13:21, Jan Orel wrote:
>>> Hello,
>>>
>>> this patch removes an (IMHO) redundant check in cert_show, which fails when
>>> a host tries to re-submit a certificate of a different host/service which he
>>>