Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name

2016-04-20 Thread Martin Basti



On 14.03.2016 06:18, Alexander Bokovoy wrote:

On Mon, 14 Mar 2016, Fraser Tweedale wrote:

The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5733.  Thanks to Alexander
for finding and reporting.

Cheers,
Fraser



From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 14 Mar 2016 14:49:47 +1100
Subject: [PATCH] caacl: correctly handle full user principal name

The caacl HBAC request is correct when just the username is given,
but the full 'user@REALM' form was not handled correctly.

Fixes: https://fedorahosted.org/freeipa/ticket/5733

A context might be helpful here: if you are using certmonger's -K option
to specify a user principal name to add to the certificate, the name will
get normalized to include the realm. This is how it gets to the caacl check.

ACK.


Pushed to:
master: c2b92b57354923a8099a0da446cef63802d2447b
ipa-4-3: 90ca7d4167d25f50b36322a817f1f62930a7ea58
ipa-4-2: 8a8ee89cf738a3cdae848bd9db4d358d94da6d26

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name

2016-03-14 Thread Fraser Tweedale
On Mon, Mar 14, 2016 at 03:10:55PM +0100, Martin Kosek wrote:
> On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> > On Mon, 14 Mar 2016, Fraser Tweedale wrote:
> >> The attached patch fixes
> >> https://fedorahosted.org/freeipa/ticket/5733.  Thanks to Alexander
> >> for finding and reporting.
> >>
> >> Cheers,
> >> Fraser
> > 
> >> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
> >> From: Fraser Tweedale 
> >> Date: Mon, 14 Mar 2016 14:49:47 +1100
> >> Subject: [PATCH] caacl: correctly handle full user principal name
> >>
> >> The caacl HBAC request is correct when just the username is given,
> >> but the full 'user@REALM' form was not handled correctly.
> >>
> >> Fixes: https://fedorahosted.org/freeipa/ticket/5733
> > A context might be helpful here: if you are using certmonger's -K option
> > to specify a user principal name to add to the certificate, the name will
> > get normalized to include the realm. This is how it gets to the caacl check.
> > 
> > ACK.
> 
> Seeing the patch, I am curious - is the realm validated anywhere or is it just
> dropped and we just assume it is FreeIPA one?
> 
> I mean, do we make sure that REALM matches FreeIPA REALM and it is not trusted
> AD realm for example?
>
Martin, glad you asked.  We catch that situation elsewhere:

ftweedal% ipa cert-request --principal al...@notmydomain.org alice.csr
ipa: ERROR: The realm for the principal does not match the realm for this 
IPA server

Cheers,
Fraser

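As an added illustration of the two checks discussed in the thread (certmonger-style normalization of a bare username to user@REALM, then the realm comparison that rejects a foreign realm before only the username reaches the caacl HBAC check), here is example code that is not FreeIPA's own; the realm values, function names and error class are assumptions.

```python
from typing import Tuple

# Constructed local realm for the example; a real server reads its own realm.
IPA_REALM = "EXAMPLE.TEST"


class RealmMismatch(Exception):
    """Raised when a principal names a realm other than this server's."""


def normalize_principal(name: str, realm: str = IPA_REALM) -> str:
    """Mimic the certmonger -K behaviour described in the thread:
    a bare username is normalized to the full 'user@REALM' form."""
    if "@" in name:
        return name
    return f"{name}@{realm}"


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'user@REALM' on the last '@' into (user, realm).
    A bare username yields an empty realm."""
    user, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, ""
    return user, realm


def check_realm(principal: str, realm: str = IPA_REALM) -> str:
    """Reject a principal whose realm is not this IPA server's realm
    (for instance a trusted AD realm) and return the bare username."""
    user, principal_realm = split_principal(principal)
    if principal_realm and principal_realm != realm:
        raise RealmMismatch(
            "The realm for the principal does not match the realm for this IPA server"
        )
    return user


def caacl_username(principal: str, realm: str = IPA_REALM) -> str:
    """Username handed to the caacl HBAC check: both the bare and the
    full 'user@REALM' form must resolve to the same user."""
    return check_realm(normalize_principal(principal, realm), realm)


def realm_is_rejected(principal: str, realm: str = IPA_REALM) -> bool:
    """True when the realm check refuses the principal."""
    try:
        caacl_username(principal, realm)
    except RealmMismatch:
        return True
    return False
```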


Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name

2016-03-14 Thread Martin Kosek
On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> On Mon, 14 Mar 2016, Fraser Tweedale wrote:
>> The attached patch fixes
>> https://fedorahosted.org/freeipa/ticket/5733.  Thanks to Alexander
>> for finding and reporting.
>>
>> Cheers,
>> Fraser
> 
>> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
>> From: Fraser Tweedale 
>> Date: Mon, 14 Mar 2016 14:49:47 +1100
>> Subject: [PATCH] caacl: correctly handle full user principal name
>>
>> The caacl HBAC request is correct when just the username is given,
>> but the full 'user@REALM' form was not handled correctly.
>>
>> Fixes: https://fedorahosted.org/freeipa/ticket/5733
> A context might be helpful here: if you are using certmonger's -K option
> to specify a user principal name to add to the certificate, the name will
> get normalized to include the realm. This is how it gets to the caacl check.
> 
> ACK.

Seeing the patch, I am curious - is the realm validated anywhere or is it just
dropped and we just assume it is FreeIPA one?

I mean, do we make sure that REALM matches FreeIPA REALM and it is not trusted
AD realm for example?



Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name

2016-03-13 Thread Alexander Bokovoy

On Mon, 14 Mar 2016, Fraser Tweedale wrote:

The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5733.  Thanks to Alexander
for finding and reporting.

Cheers,
Fraser



From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 14 Mar 2016 14:49:47 +1100
Subject: [PATCH] caacl: correctly handle full user principal name

The caacl HBAC request is correct when just the username is given,
but the full 'user@REALM' form was not handled correctly.

Fixes: https://fedorahosted.org/freeipa/ticket/5733

A context might be helpful here: if you are using certmonger's -K option
to specify a user principal name to add to the certificate, the name will
get normalized to include the realm. This is how it gets to the caacl check.

ACK.

--
/ Alexander Bokovoy
