[Freeipa-devel] [PATCH] 72 Fix uses of O=REALM instead of the configured certificate subject base

Rob Crittenden rcritten at redhat.com
Mon Mar 26 17:40:37 UTC 2012


Jenny Galipeau wrote:
> On 03/26/2012 11:28 AM, Jan Cholasta wrote:
>> On 26.3.2012 16:15, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> https://fedorahosted.org/freeipa/ticket/2521
>>>>
>>>> Honza
>>>
>>> You can still set a custom subject base for selfsign installations so
>>> you need a special case in valid_issuer().
>>
>> For selfsign installations, the issuer is always "CN=REALM Certificate
>> Authority", no matter what is set in the subject base, so no special
>> case is needed.
>>
>>> I wonder if this comparison
>>> should be case insensitive too.
>>
>> I think the DN class already takes care of this.
>>
>>>
>>> It may also be an optimization to cache the base in subject_base(). It
>>> can't change after install time so it should be valid the entire
>>> lifetime of the server.
>>
>> What if someone does
>>
>> $ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'
>>
>> ?
>
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> :: [   LOG    ] :: ipaconfig-mod_setattr ipacertificatesubjectbase positive
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>
> :: [   PASS   ] :: Set ipapwdexpadvnotify to OU=Bogus
> :: [   PASS   ] :: ipacertificatesubjectbase successfully changed.
> :: [   LOG    ] :: Duration: 3s
> :: [   LOG    ] :: Assertions: 2 good, 0 bad
> :: [   PASS   ] :: RESULT: ipaconfig-mod_setattr ipacertificatesubjectbase positive
>
>
> It works ... should we be getting an error??

Yes, it should fail. I thought there was already a bug open on it, 
though maybe we just removed the option from -mod.

rob
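As an added illustration of the comparison the thread is discussing (this is not the patch under review nor FreeIPA's own code), the block below shows an issuer check that compares DNs after normalising attribute types and values, so that case differences do not matter, and that derives the expected issuer from the configured subject base instead of a hard-coded `O=REALM`. The selfsign issuer `CN=REALM Certificate Authority` is taken from the thread; the CA-installed issuer format `CN=Certificate Authority,<subject base>` is an assumption, as are all function names, and the DN parser is a deliberately simplified one (commas and `\,` escapes only, no multi-valued RDNs), not a full RFC 4514 implementation.

```python
"""Issuer validation with case-insensitive DN comparison (added example)."""
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into (attribute type, value) pairs.

    Simplified parser: handles ',' separators and '\\,' escapes only.
    Multi-valued RDNs ('+') are not supported (constructed for this example).
    """
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def normalize_dn(dn: str) -> Tuple[RDN, ...]:
    """Canonical form: types and values lower-cased, internal whitespace collapsed."""
    return tuple((a.lower(), " ".join(v.lower().split())) for a, v in parse_dn(dn))


def dn_equal(a: str, b: str) -> bool:
    """Case-insensitive, whitespace-insensitive DN equality."""
    return normalize_dn(a) == normalize_dn(b)


def expected_issuer(realm: str, subject_base: str, selfsign: bool) -> str:
    """Issuer the server expects on certificates it issued.

    Selfsign installs always use 'CN=REALM Certificate Authority' regardless
    of the subject base (per the thread); the CA-installed format below is an
    assumed 'CN=Certificate Authority,<subject base>' (hypothetical).
    """
    if selfsign:
        return "CN=%s Certificate Authority" % realm
    return "CN=Certificate Authority,%s" % subject_base


def valid_issuer_hardcoded(issuer: str, realm: str) -> bool:
    """The 'before' behaviour: assumes the subject base is always O=REALM."""
    return dn_equal(issuer, "CN=Certificate Authority,O=%s" % realm)


def valid_issuer(issuer: str, realm: str, subject_base: str, selfsign: bool) -> bool:
    """The 'after' behaviour: derive the expected issuer from the configured base.

    subject_base is passed in on every call rather than cached, since the
    thread notes it can still be altered with config-mod --setattr.
    """
    return dn_equal(issuer, expected_issuer(realm, subject_base, selfsign))


if __name__ == "__main__":
    # Constructed sample: a deployment whose certificate subject base is not O=REALM.
    issuer = "CN=Certificate Authority,O=Example Corp,C=US"
    print("hardcoded:", valid_issuer_hardcoded(issuer, "EXAMPLE.COM"))
    print("configured:", valid_issuer(issuer, "EXAMPLE.COM", "O=Example Corp,C=US", False))
```

Running the block prints `hardcoded: False` and `configured: True` for the constructed custom-base deployment, which is the mismatch the patch title describes.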
