[Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name
Alexander Bokovoy
abokovoy at redhat.com
Mon Mar 14 05:18:24 UTC 2016
On Mon, 14 Mar 2016, Fraser Tweedale wrote:
>The attached patch fixes
>https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
>for finding and reporting.
>
>Cheers,
>Fraser
>From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
>From: Fraser Tweedale <ftweedal at redhat.com>
>Date: Mon, 14 Mar 2016 14:49:47 +1100
>Subject: [PATCH] caacl: correctly handle full user principal name
>
>The caacl HBAC request is correct when just the username is given,
>but the full 'user at REALM' form was not handled correctly.
>
>Fixes: https://fedorahosted.org/freeipa/ticket/5733
A context might be helpful here: if you are using certmonger's -K option
to specify a user principal name to add to certificate, the name will
get normalized to include the realm. This is how it gets to caacl check.
ACK.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list