[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

Fraser Tweedale ftweedal at redhat.com
Mon Oct 12 01:00:36 UTC 2015


On Fri, Oct 09, 2015 at 08:39:10AM -0400, Rob Crittenden wrote:
> Jan Orel wrote:
> > Hello,
> > 
> > this patch removes (IMHO) a redundant check in cert_show, which fails when
> > a host tries to re-submit a certificate of a different host/service which it
> > can manage. 
> > 
> > I also reported the bug here:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1269089
> > 
> > I tried to run the tests as well and it doesn't seem to break anything.
> > Any feedback appreciated.
> 
> This works around the "Retrieve Certificates from the CA" ACL when done
> as a host.
> 
> I guess if the hostname isn't the subject then the host for the subject
> needs to be read and then look to see if hostname is in the managed_by list.
> 
> rob
> 
Agreed.  The corresponding checks for certificate issuance via
cert-request, where the bind principal is a host, check that the
subject host (and SAN dNSNames) is "managed by" the bind host.
This is checked via `ldap.can_write(dn_of_subject_principal)'.

1. retrieve cert
2. read CN
3. ensure CN refers to a known host principal
   and call ldap.can_write(...) to ensure bind principal
   manages it.

Cheers,
Fraser
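The four steps above, as an added illustration that is not part of this thread or of FreeIPA's own code: the subject CN and SAN dNSNames are assumed already extracted from the certificate, and `HOSTS` and `can_write` are constructed stand-ins for the host entries and for `ldap.can_write`.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the host entries: hostname -> set of hostnames
# listed in its managedBy attribute (the "managed by" relationship).
HOSTS = {
    "web1.example.com": {"mgmt.example.com"},
    "db1.example.com": set(),
    "mgmt.example.com": set(),
}


@dataclass
class ParsedCert:
    """Subject CN and SAN dNSNames, assumed already read from the cert."""
    cn: str
    san_dns: list = field(default_factory=list)


def host_from_principal(principal):
    """'host/web1.example.com@EXAMPLE.COM' -> 'web1.example.com'.
    Returns None for non-host principals (users, services)."""
    if not principal.startswith("host/"):
        return None
    return principal[len("host/"):].split("@", 1)[0].lower()


def can_write(bind_host, hostname):
    """Stand-in for ldap.can_write on the host entry: a host may write its
    own entry or any entry whose managedBy lists it. Unknown host -> False."""
    managed_by = HOSTS.get(hostname)
    if managed_by is None:
        return False
    return bind_host == hostname or bind_host in managed_by


def may_retrieve(bind_principal, cert):
    """Authorization for cert-show when the bind principal is a host.
    The CN and every SAN dNSName must refer to a known host entry that the
    bind host manages; any unknown or unmanaged name denies the request.
    Non-host principals are not handled here and are denied."""
    bind_host = host_from_principal(bind_principal)
    if bind_host is None:
        return False
    names = [cert.cn.lower()] + [n.lower() for n in cert.san_dns]
    return all(can_write(bind_host, name) for name in names)
```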
