[Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name

Fraser Tweedale ftweedal at redhat.com
Tue Mar 15 01:31:00 UTC 2016


On Mon, Mar 14, 2016 at 03:10:55PM +0100, Martin Kosek wrote:
> On 03/14/2016 06:18 AM, Alexander Bokovoy wrote:
> > On Mon, 14 Mar 2016, Fraser Tweedale wrote:
> >> The attached patch fixes
> >> https://fedorahosted.org/freeipa/ticket/5733.  Thanks to Alexander
> >> for finding and reporting.
> >>
> >> Cheers,
> >> Fraser
> > 
> >> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
> >> From: Fraser Tweedale <ftweedal at redhat.com>
> >> Date: Mon, 14 Mar 2016 14:49:47 +1100
> >> Subject: [PATCH] caacl: correctly handle full user principal name
> >>
> >> The caacl HBAC request is correct when just the username is given,
> >> but the full 'user@REALM' form was not handled correctly.
> >>
> >> Fixes: https://fedorahosted.org/freeipa/ticket/5733
> > A context might be helpful here: if you are using certmonger's -K option
> > to specify a user principal name to add to certificate, the name will
> > get normalized to include the realm. This is how it gets to caacl check.
> > 
> > ACK.
> 
> Seeing the patch, I am curious - is the realm validated anywhere or is it just
> dropped and we just assume it is FreeIPA one?
> 
> I mean, do we make sure that REALM matches FreeIPA REALM and it is not trusted
> AD realm for example?
>
Martin, glad you asked.  We catch that situation elsewhere:

    ftweedal% ipa cert-request --principal alice@NOTMYDOMAIN.ORG alice.csr
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server

Cheers,
Fraser
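An added example, not FreeIPA's own code, of the principal handling the thread discusses: split the name from the realm, accept both the bare `alice` and the normalized `alice@REALM` form for the caacl HBAC request, and reject a foreign realm with the same error `cert-request` prints above. The server realm, the exception class and the request dict are assumptions made for the example.

```python
SERVER_REALM = "EXAMPLE.COM"  # constructed: this IPA server's Kerberos realm


class RealmMismatch(Exception):
    """Raised when the principal's realm is not this server's realm."""


def _unescaped(s, i):
    """True if s[i] is preceded by an even number of backslashes."""
    n = 0
    j = i - 1
    while j >= 0 and s[j] == "\\":
        n += 1
        j -= 1
    return n % 2 == 0


def split_principal(principal):
    """Split 'name@REALM' into (name, realm); realm is None when absent.

    Kerberos lets a literal '@' appear in the name part as '\\@', so the
    split is made on the last unescaped '@', not the last '@'.
    """
    for i in range(len(principal) - 1, -1, -1):
        if principal[i] == "@" and _unescaped(principal, i):
            return principal[:i], principal[i + 1:]
    return principal, None


def caacl_user_for_request(principal, server_realm=SERVER_REALM):
    """Return the username the caacl HBAC check should evaluate.

    Both 'alice' and 'alice@REALM' are accepted (the bug in the thread was
    that only the bare form worked). A realm that is present but differs
    from the server realm is rejected rather than silently dropped.
    """
    name, realm = split_principal(principal)
    if realm is not None and realm != server_realm:
        raise RealmMismatch(
            "The realm for the principal does not match the realm "
            "for this IPA server")
    if not name:
        raise ValueError("principal has an empty name component")
    return name


def hbac_request(principal, service, host, server_realm=SERVER_REALM):
    """Constructed shape of the request handed to the caacl HBAC check."""
    return {"user": caacl_user_for_request(principal, server_realm),
            "service": service, "targethost": host}
```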