Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name
On 14.03.2016 06:18, Alexander Bokovoy wrote:
> On Mon, 14 Mar 2016, Fraser Tweedale wrote:
>> The attached patch fixes
>> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
>> for finding and reporting.
>>
>> Cheers,
>> Fraser
>
>> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
>> From: Fraser Tweedale
>> Date: Mon, 14 Mar 2016 14:49:47 +1100
>> Subject: [PATCH] caacl: correctly handle full user principal name
>>
>> The caacl HBAC request is correct when just the username is given,
>> but the full 'user@REALM' form was not handled correctly.
>>
>> Fixes: https://fedorahosted.org/freeipa/ticket/5733
>
> A context might be helpful here: if you are using certmonger's -K option
> to specify a user principal name to add to a certificate, the name will
> get normalized to include the realm. This is how it gets to the caacl check.
>
> ACK.

Pushed to:
master: c2b92b57354923a8099a0da446cef63802d2447b
ipa-4-3: 90ca7d4167d25f50b36322a817f1f62930a7ea58
ipa-4-2: 8a8ee89cf738a3cdae848bd9db4d358d94da6d26

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name
On Mon, Mar 14, 2016 at 03:10:55PM +0100, Martin Kosek wrote:
> On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> > On Mon, 14 Mar 2016, Fraser Tweedale wrote:
> >> The attached patch fixes
> >> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
> >> for finding and reporting.
> >>
> >> Cheers,
> >> Fraser
> >
> >> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
> >> From: Fraser Tweedale
> >> Date: Mon, 14 Mar 2016 14:49:47 +1100
> >> Subject: [PATCH] caacl: correctly handle full user principal name
> >>
> >> The caacl HBAC request is correct when just the username is given,
> >> but the full 'user@REALM' form was not handled correctly.
> >>
> >> Fixes: https://fedorahosted.org/freeipa/ticket/5733
> >
> > A context might be helpful here: if you are using certmonger's -K option
> > to specify a user principal name to add to a certificate, the name will
> > get normalized to include the realm. This is how it gets to the caacl check.
> >
> > ACK.
>
> Seeing the patch, I am curious - is the realm validated anywhere or is it just
> dropped and we just assume it is the FreeIPA one?
>
> I mean, do we make sure that REALM matches the FreeIPA REALM and it is not a trusted
> AD realm, for example?
>
Martin, glad you asked. We catch that situation elsewhere:

ftweedal% ipa cert-request --principal al...@notmydomain.org alice.csr
ipa: ERROR: The realm for the principal does not match the realm for this IPA server

Cheers,
Fraser
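The two checks discussed in this exchange, as an added illustration that is not FreeIPA's own code: a hypothetical Python helper that splits a Kerberos principal at its last unescaped '@' (it goes slightly beyond the thread in honouring Kerberos' '\@' escape for a literal '@' inside a component), falls back to the server realm when the caller gave a bare username, refuses a principal whose realm differs from the server's with the same error text shown above rather than silently dropping the realm, and only then hands the short user name to a stand-in for the HBAC user check. The realm EXAMPLE.COM, the allowed-user set and the sample principals are constructed data, and every function name here is an assumption, not an IPA API.

```python
"""Hypothetical helper (not FreeIPA's code): normalise a user principal
before an HBAC-style CA ACL check so that 'alice' and 'alice@EXAMPLE.COM'
are the same user, while a principal from a foreign realm is rejected
instead of being quietly mapped onto the local user of the same name."""

from dataclasses import dataclass


class RealmMismatch(ValueError):
    """Raised when the principal names a realm other than this server's."""


@dataclass(frozen=True)
class Principal:
    name: str    # part before the realm separator, e.g. 'alice'
    realm: str   # the realm, e.g. 'EXAMPLE.COM'


def split_principal(principal: str, default_realm: str) -> Principal:
    """Split 'name@REALM' at the last unescaped '@'.

    Kerberos writes a literal '@' inside a component as '\\@', so an
    escaped '@' must not be taken as the realm separator.  A principal
    with no realm part is given default_realm (the server realm).
    """
    if not principal:
        raise ValueError("empty principal")
    split_at = None
    i = 0
    while i < len(principal):
        c = principal[i]
        if c == "\\":
            i += 2          # skip the escaped character entirely
            continue
        if c == "@":
            split_at = i    # keep scanning: the last unescaped '@' wins
        i += 1
    if split_at is None:
        return Principal(principal, default_realm)
    name, realm = principal[:split_at], principal[split_at + 1:]
    if not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    return Principal(name, realm)


def normalize_user_principal(principal: str, ipa_realm: str) -> str:
    """Return the short user name to hand to the HBAC evaluation.

    The realm is compared, not merely discarded: a principal from another
    realm (e.g. a trusted AD domain) must never match the local user.
    Realm comparison is exact, as Kerberos realm names are case-sensitive.
    """
    p = split_principal(principal, ipa_realm)
    if p.realm != ipa_realm:
        raise RealmMismatch(
            "The realm for the principal does not match the realm "
            "for this IPA server"
        )
    return p.name


def caacl_user_matches(principal: str, allowed_users: set, ipa_realm: str) -> bool:
    """Stand-in for the HBAC user check: same answer for 'alice' and
    'alice@REALM'; raises RealmMismatch for a foreign realm."""
    return normalize_user_principal(principal, ipa_realm) in allowed_users


if __name__ == "__main__":
    REALM = "EXAMPLE.COM"      # constructed sample server realm
    allowed = {"alice"}        # constructed sample CA ACL membership
    for who in ("alice", "alice@EXAMPLE.COM", "alice@NOTMYDOMAIN.ORG", "bob"):
        try:
            print(who, "->", caacl_user_matches(who, allowed, REALM))
        except RealmMismatch as err:
            print(who, "-> ERROR:", err)
```

The order matters: the realm comparison happens before the short name is looked up, so a mismatch is an error rather than a silent "not a member", which is also the behaviour the cert-request output above shows.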
Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name
On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> On Mon, 14 Mar 2016, Fraser Tweedale wrote:
>> The attached patch fixes
>> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
>> for finding and reporting.
>>
>> Cheers,
>> Fraser
>
>> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
>> From: Fraser Tweedale
>> Date: Mon, 14 Mar 2016 14:49:47 +1100
>> Subject: [PATCH] caacl: correctly handle full user principal name
>>
>> The caacl HBAC request is correct when just the username is given,
>> but the full 'user@REALM' form was not handled correctly.
>>
>> Fixes: https://fedorahosted.org/freeipa/ticket/5733
>
> A context might be helpful here: if you are using certmonger's -K option
> to specify a user principal name to add to a certificate, the name will
> get normalized to include the realm. This is how it gets to the caacl check.
>
> ACK.

Seeing the patch, I am curious - is the realm validated anywhere or is it just
dropped and we just assume it is the FreeIPA one?

I mean, do we make sure that REALM matches the FreeIPA REALM and it is not a trusted
AD realm, for example?
Re: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name
On Mon, 14 Mar 2016, Fraser Tweedale wrote:
> The attached patch fixes
> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
> for finding and reporting.
>
> Cheers,
> Fraser
>
> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale
> Date: Mon, 14 Mar 2016 14:49:47 +1100
> Subject: [PATCH] caacl: correctly handle full user principal name
>
> The caacl HBAC request is correct when just the username is given,
> but the full 'user@REALM' form was not handled correctly.
>
> Fixes: https://fedorahosted.org/freeipa/ticket/5733

A context might be helpful here: if you are using certmonger's -K option
to specify a user principal name to add to a certificate, the name will
get normalized to include the realm. This is how it gets to the caacl check.

ACK.
--
/ Alexander Bokovoy