[Freeipa-devel] [PATCH] 72 Fix uses of O=REALM instead of the configured certificate subject base

Jenny Galipeau jgalipea at redhat.com
Mon Mar 26 15:30:07 UTC 2012


On 03/26/2012 11:28 AM, Jan Cholasta wrote:
> On 26.3.2012 16:15, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> https://fedorahosted.org/freeipa/ticket/2521
>>>
>>> Honza
>>
>> You can still set a custom subject base for selfsign installations so
>> you need a special case in valid_issuer().
>
> For selfsign installations, the issuer is always "CN=REALM Certificate
> Authority", no matter what is set in the subject base, so no special
> case is needed.
>
>> I wonder if this comparison
>> should be case insensitive too.
>
> I think the DN class already takes care of this.
>
>>
>> It may also be an optimization to cache the base in subject_base(). It
>> can't change after install time so it should be valid the entire
>> lifetime of the server.
>
> What if someone does
>
> $ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'
>
> ?

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipaconfig-mod_setattr ipacertificatesubjectbase positive
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Set ipapwdexpadvnotify to OU=Bogus
:: [   PASS   ] :: ipacertificatesubjectbase successfully changed.
:: [   LOG    ] :: Duration: 3s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ipaconfig-mod_setattr ipacertificatesubjectbase positive


It works ... should we be getting an error??

>
>>
>> rob
>
> Honza
>


-- 
Jenny Galipeau <jgalipea at redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/ 



