[Freeipa-devel] [PATCH] 72 Fix uses of O=REALM instead of the configured certificate subject base

Jan Cholasta jcholast at redhat.com
Mon Mar 26 15:28:52 UTC 2012


On 26.3.2012 16:15, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> https://fedorahosted.org/freeipa/ticket/2521
>>
>> Honza
>
> You can still set a custom subject base for selfsign installations so
> you need a special case in valid_issuer().

For selfsign installations, the issuer is always "CN=REALM Certificate 
Authority", no matter what is set in the subject base, so no special 
case is needed.

> I wonder if this comparison
> should be case insensitive too.

I think the DN class already takes care of this.

>
> It may also be an optimization to cache the base in subject_base(). It
> can't change after install time so it should be valid the entire
> lifetime of the server.

What if someone does

$ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'

?

>
> rob

Honza

-- 
Jan Cholasta
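
The issuer check discussed in this message, as an added example that is not part of the original message and is not FreeIPA's code. The DN parsing is a simplified stand-in for the DN class, the `CN=Certificate Authority,<subject base>` issuer form for CA-backed installations is an assumption, and the function signatures, `get_subject_base` callback and sample values are constructed for illustration.

```python
# Added illustration: simplified DN handling, not FreeIPA's DN class.

def parse_dn(dn):
    """Return a DN as a tuple of normalized (attribute, value) pairs.

    Simplification: no escaped commas and no multi-valued RDNs.
    Attribute names and values are compared case-insensitively,
    with runs of whitespace in values collapsed.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(rdns)


def expected_issuer(realm, subject_base, selfsign):
    if selfsign:
        # Per the thread: the selfsign issuer ignores the subject base.
        return "CN=%s Certificate Authority" % realm
    # Assumption: CA-backed issuer sits directly under the subject base.
    return "CN=Certificate Authority,%s" % subject_base


def valid_issuer(issuer, realm, get_subject_base, selfsign=False):
    """Compare a certificate issuer with the one the configuration implies.

    get_subject_base is called on every check instead of being cached,
    so the result follows the currently configured value.
    """
    try:
        actual = parse_dn(issuer)
    except ValueError:
        return False  # an unparsable issuer never matches
    wanted = expected_issuer(realm, get_subject_base(), selfsign)
    return actual == parse_dn(wanted)


if __name__ == "__main__":
    # Constructed sample configuration.
    config = {"ipacertificatesubjectbase": "O=Something"}
    base = lambda: config["ipacertificatesubjectbase"]
    for issuer in ("CN=Certificate Authority,O=EXAMPLE.COM",
                   "cn=certificate authority, o=something"):
        print(issuer, "->", valid_issuer(issuer, "EXAMPLE.COM", base))
```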



