[Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name
Martin Kosek
mkosek at redhat.com
Mon Mar 14 14:10:55 UTC 2016
On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> On Mon, 14 Mar 2016, Fraser Tweedale wrote:
>> The attached patch fixes
>> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander
>> for finding and reporting.
>>
>> Cheers,
>> Fraser
>
>> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
>> From: Fraser Tweedale <ftweedal at redhat.com>
>> Date: Mon, 14 Mar 2016 14:49:47 +1100
>> Subject: [PATCH] caacl: correctly handle full user principal name
>>
>> The caacl HBAC request is correct when just the username is given,
>> but the full 'user@REALM' form was not handled correctly.
>>
>> Fixes: https://fedorahosted.org/freeipa/ticket/5733
> A context might be helpful here: if you are using certmonger's -K option
> to specify a user principal name to add to certificate, the name will
> get normalized to include the realm. This is how it gets to caacl check.
>
> ACK.
Seeing the patch, I am curious - is the realm validated anywhere or is it just
dropped and we just assume it is the FreeIPA one?
I mean, do we make sure that REALM matches FreeIPA REALM and it is not trusted
AD realm for example?
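
The realm check asked about in the message above, as an added example: it is not FreeIPA code, not part of the thread, and says nothing about what FreeIPA itself does. The function names and the realms `IPA.EXAMPLE` and `AD.EXAMPLE` are hypothetical.

```python
# Added illustration, not FreeIPA code. All names and realms are hypothetical.

class PrincipalError(ValueError):
    """Raised when a principal cannot be mapped to a local user name."""


def _split_unescaped(text, sep):
    """Split text on sep, treating a backslash as escaping the next char."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escaped pair intact
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def local_username(principal, local_realm):
    """Return the bare user name to use in an access-control lookup.

    Accepts 'user' or 'user@REALM'. The realm is compared with
    local_realm instead of being silently dropped, so a principal
    from any other realm (a trusted one included) is rejected.
    """
    parts = _split_unescaped(principal, '@')
    if len(parts) > 2:
        raise PrincipalError("more than one realm separator")
    name = parts[0]
    realm = parts[1] if len(parts) == 2 else None
    if not name or len(_split_unescaped(name, '/')) != 1:
        raise PrincipalError("not a single-component user principal")
    if realm is not None and realm != local_realm:  # realms are case-sensitive
        raise PrincipalError("realm %r is not the local realm" % realm)
    return name
```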