[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

Petr Spacek pspacek at redhat.com
Thu Mar 10 21:16:35 UTC 2016


On 13.10.2015 19:26, Rob Crittenden wrote:
> Jan Orel wrote:
>>> The restriction was there so that hosts had limited visibility. This
>>> applies that limitation to all users. I think the host check needs to be
>>> re-added.
>>
>> I am confused, correct me if I am wrong, but the "if hostname:" check
>> seems always redundant because it would raise exception before
>> either here:
>>
>>     if not bind_principal.startswith('host/'):
>>         raise acierr
>>
>> or in validate_principal()
> 
> Anything bound to IPA can potentially retrieve a certificate. This code
> adds special handling for hosts and probably should cover services as
> well now that I think about it. I don't think services could be included
> in ACIs when this was originally written.
> 
> The idea was that hosts have no need to be able to query random serial
> numbers so it should be limited to viewing its own. Removing the if
> hostname: applies this logic to ALL retrieval which is by far overkill
> and limits all non-admin entries to only be able to view certs they own
> (or can write) which sort of kills the reason for the 'retrieve
> certificate' permission.
> 
>>
>>> Also, every host is not guaranteed to have a krbPrincipalAux (it can be
>>> unenrolled). I assume you used this to cover managed services as well,
>>> that's why the broad search base?
>>
>> Checking it, even a host which is not enrolled has objectClass: krbprincipalaux,
>> but advise me if a different search should be used.
> 
> If a host is added with a password (random or otherwise) it won't have
> this objectclass. I'd make the search filter something like
> (|(objectclass=ipahost)(objectclass=ipaservice)).
> 
> rob
> 

Rob, could you or Honza (or somebody else) hand-hold Jan Orel a little bit?

I was talking with the boss of the guy and they are still interested in getting
the patch in IPA but need more guidance and patience from us :-)

-- 
Petr^2 Spacek
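An added illustration of the authorization point Rob makes in the quoted thread (example code, not FreeIPA's own cert-show implementation): the host check scopes only host principals to their own certificate, while dropping it turns every non-admin caller into an owner-only viewer and makes the 'retrieve certificate' permission meaningless. The principal format, the permission flag and the `Cert` record are assumptions for the model.

```python
from dataclasses import dataclass

HOST_PREFIX = "host/"


@dataclass
class Cert:
    serial: int
    subject_cn: str  # hostname the certificate was issued to (constructed sample data)


def hostname_of_principal(principal: str) -> str:
    """'host/web1.example.test@EXAMPLE.TEST' -> 'web1.example.test' (assumed format)."""
    return principal[len(HOST_PREFIX):].split("@", 1)[0]


def may_show_with_host_check(bind_principal: str, has_retrieve_perm: bool, cert: Cert) -> bool:
    """Behaviour with the 'if hostname:' check kept (what Rob argues for).

    Host principals may only view the certificate issued to their own hostname;
    everyone else is governed by the 'retrieve certificate' permission (ACI).
    """
    if bind_principal.startswith(HOST_PREFIX):
        return hostname_of_principal(bind_principal) == cert.subject_cn
    return has_retrieve_perm


def may_show_without_host_check(bind_principal: str, has_retrieve_perm: bool, cert: Cert) -> bool:
    """Behaviour after removing the check: the ownership rule applies to ALL callers.

    A non-admin with the retrieve permission is now denied any cert they do not
    own, which is the over-restriction the thread describes (modelled, not FreeIPA code).
    """
    owner = hostname_of_principal(bind_principal) if bind_principal.startswith(HOST_PREFIX) else None
    return owner == cert.subject_cn


def regression_cases() -> list:
    """Callers that the patch would wrongly deny: permitted non-host principals."""
    admin = "admin@EXAMPLE.TEST"
    cert = Cert(serial=42, subject_cn="db1.example.test")
    return [
        (admin, may_show_with_host_check(admin, True, cert), may_show_without_host_check(admin, True, cert)),
    ]
```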