[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

Petr Spacek pspacek at redhat.com
Fri Oct 16 08:23:58 UTC 2015


On 15.10.2015 17:28, Jan Orel wrote:
> diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
> index e459320..55f9484 100644
> --- a/ipalib/plugins/cert.py
> +++ b/ipalib/plugins/cert.py
> @@ -625,9 +625,12 @@ class cert_show(VirtualCommand):
>          result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
>          result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
>          if hostname:
> -            # If we have a hostname we want to verify that the subject
> -            # of the certificate matches it, otherwise raise an error
> -            if hostname != cert.subject.common_name:    #pylint: disable=E1101
> +            # If we have a hostname we want to verify that we can
> +            # write to the usercertificate attr of the target
> +            ldap = self.api.Backend.ldap2
> +            entry = ldap.find_entry_by_attr("cn", cert.subject.common_name,
> +                    "ipahost", base_dn=api.env.basedn)
> +            if not ldap.can_write(entry.dn, 'usercertificate'):
>                  raise acierr
>  
>          return dict(result=result)
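Review bot: the lookup on the `find_entry_by_attr("cn", cert.subject.common_name, "ipahost", ...)` line has no handling for the case where no ipahost entry with that CN exists (a certificate whose subject is not a host), so the command would fail with whatever the backend raises for a missing entry instead of the intended acierr; wrap the lookup so a not-found result also ends in `raise acierr` (or an explicit error). Two smaller points in the same hunk: `base_dn=api.env.basedn` reaches for the module-level `api` while the line above uses `self.api.Backend.ldap2`, so `self.api.env.basedn` would be consistent; and since the old `hostname != cert.subject.common_name` comparison is gone, `hostname` now serves only as an on/off gate while the entry looked up is taken from the certificate's CN regardless of the value passed, which is worth stating in the comment so the changed semantics are documented.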

I can't say anything about the correctness of the change itself, but it would be
good to add an explanatory error message to acierr while you are at it. Something
like 'Insufficient permissions to write to the userCertificate attribute of the $DN
entry' or so.

Thanks!

-- 
Petr^2 Spacek