[Freeipa-devel] [PATCH] 72 Fix uses of O=REALM instead of the configured certificate subject base
Rob Crittenden
rcritten at redhat.com
Mon Mar 26 20:17:14 UTC 2012
Jan Cholasta wrote:
> On 26.3.2012 16:15, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> https://fedorahosted.org/freeipa/ticket/2521
>>>
>>> Honza
>>
>> You can still set a custom subject base for selfsign installations so
>> you need a special case in valid_issuer().
>
> For selfsign installations, the issuer is always "CN=REALM Certificate
> Authority", no matter what is set in the subject base, so no special
> case is needed.
>
>> I wonder if this comparison
>> should be case insensitive too.
>
> I think the DN class already takes care of this.
>
>>
>> It may also be an optimization to cache the base in subject_base(). It
>> can't change after install time so it should be valid the entire
>> lifetime of the server.
>
> What if someone does
>
> $ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'

Ok, you're right about the issuer and DN case insensitivity, so we're
good there. I think that caching is still a good idea.

We'll handle the immutable subjectbase as a separate problem. This is
really pretty minor and isn't a show stopper, you just have to revert it
and things work again.

rob