[Freeipa-devel] [PATCH] 72 Fix uses of O=REALM instead of the configured certificate subject base

Jenny Galipeau jgalipea at redhat.com
Mon Mar 26 19:04:10 UTC 2012


On 03/26/2012 01:40 PM, Rob Crittenden wrote:
> Jenny Galipeau wrote:
>> On 03/26/2012 11:28 AM, Jan Cholasta wrote:
>>> On 26.3.2012 16:15, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/2521
>>>>>
>>>>> Honza
>>>>
>>>> You can still set a custom subject base for selfsign installations so
>>>> you need a special case in valid_issuer().
>>>
>>> For selfsign installations, the issuer is always "CN=REALM Certificate
>>> Authority", no matter what is set in the subject base, so no special
>>> case is needed.
>>>
>>>> I wonder if this comparison
>>>> should be case insensitive too.
>>>
>>> I think the DN class already takes care of this.
>>>
>>>>
>>>> It may also be an optimization to cache the base in subject_base(). It
>>>> can't change after install time so it should be valid the entire
>>>> lifetime of the server.
>>>
>>> What if someone does
>>>
>>> $ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'
>>>
>>> ?
>>
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>
>> :: [   LOG    ] :: ipaconfig-mod_setattr ipacertificatesubjectbase
>> positive
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>
>>
>> :: [   PASS   ] :: Set ipapwdexpadvnotify to OU=Bogus
>> :: [   PASS   ] :: ipacertificatesubjectbase successfully changed.
>> :: [   LOG    ] :: Duration: 3s
>> :: [   LOG    ] :: Assertions: 2 good, 0 bad
>> :: [   PASS   ] :: RESULT: ipaconfig-mod_setattr
>> ipacertificatesubjectbase positive
>>
>>
>> It works ... should we be getting an error??
>
> Yes, it should fail. I thought there was already a bug open on it,
> though maybe we just removed the option from -mod.
>
> rob
>

Okay, I will log a bug.  While we are on this subject ... :-)   Why is
there an option --certificate for host-add and service-add?  You can not
add a certificate if it doesn't match the expected issuer and assume you
are doing that by checking issuer DN, based on the error message.  You
can't add a service unless the host exists ...  I am just not seeing the
use case(s) for this!


-- 
Jenny Galipeau <jgalipea at redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/ 
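The issuer check and DN comparison discussed above, as an added example that is not FreeIPA code and not the patch from ticket 2521. It assumes, as the thread does, that a dogtag CA issues with "CN=Certificate Authority,<subject base>" while a selfsign CA always issues with "CN=<REALM> Certificate Authority" regardless of the subject base; the small DN parser is a stand-in for FreeIPA's DN class and handles only plain comma-separated RDNs (no escaping, no multi-valued RDNs). The names valid_issuer, expected_issuer, parse_dn and dn_equal are illustrative, and the issuer strings at the bottom are constructed samples.

```python
# Added example (not FreeIPA code, not the patch from ticket 2521): an issuer
# check in the spirit of the valid_issuer() discussed in the thread.
# Assumptions: a dogtag CA's issuer is "CN=Certificate Authority,<subject base>"
# and a selfsign CA's issuer is "CN=<REALM> Certificate Authority" regardless
# of the configured subject base. parse_dn is a simplified stand-in for
# FreeIPA's DN class: it lowercases attribute types and values and trims
# whitespace, but does not handle escaped separators or multi-valued RDNs.


def parse_dn(dn):
    """Return a DN as a list of (attr, value) pairs, normalized for
    case-insensitive comparison. Simplified RFC 4514 handling only."""
    rdns = []
    for rdn in dn.split(','):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % rdn)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_equal(a, b):
    """Case-insensitive, whitespace-insensitive DN equality."""
    return parse_dn(a) == parse_dn(b)


def expected_issuer(realm, subject_base, selfsign=False):
    """Issuer DN expected on certificates issued by the IPA CA.

    subject_base is passed in rather than cached here on purpose: the
    thread notes that config-mod can still change ipacertificatesubjectbase
    after install, so the caller should read it from configuration each time.
    """
    if selfsign:
        # Selfsign installations ignore the subject base entirely.
        return 'CN=%s Certificate Authority' % realm
    return 'CN=Certificate Authority,%s' % subject_base


def valid_issuer(issuer, realm, subject_base, selfsign=False):
    """True if a certificate's issuer DN matches the expected IPA CA."""
    return dn_equal(issuer, expected_issuer(realm, subject_base, selfsign))


if __name__ == '__main__':
    # Constructed sample issuer DNs, as they might be read from certificates.
    samples = [
        ('cn=certificate authority, o=EXAMPLE.COM', 'O=EXAMPLE.COM', False),
        ('CN=Certificate Authority,O=Something', 'O=EXAMPLE.COM', False),
        ('CN=EXAMPLE.COM Certificate Authority', 'OU=Bogus', True),
    ]
    for issuer, base, selfsign in samples:
        ok = valid_issuer(issuer, 'EXAMPLE.COM', base, selfsign)
        print('%-42s base=%-13s selfsign=%-5s -> %s' % (issuer, base, selfsign, ok))
```

The second sample is the failure mode the thread is about: once the subject base is changed to something other than O=REALM, a check hard-wired to O=REALM would reject certificates the CA actually issued, while a check built from the configured base accepts them.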
