[Freeipa-devel] [PATCH] 72 Fix uses of O=REALM instead of the configured certificate subject base

Rob Crittenden rcritten at redhat.com
Tue Mar 27 14:02:43 UTC 2012


Jan Cholasta wrote:
> On 26.3.2012 22:17, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 26.3.2012 16:15, Rob Crittenden wrote:
>>>> Jan Cholasta wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/2521
>>>>>
>>>>> Honza
>>>>
>>>> You can still set a custom subject base for selfsign installations so
>>>> you need a special case in valid_issuer().
>>>
>>> For selfsign installations, the issuer is always "CN=REALM Certificate
>>> Authority", no matter what is set in the subject base, so no special
>>> case is needed.
>>>
>>>> I wonder if this comparison
>>>> should be case insensitive too.
>>>
>>> I think the DN class already takes care of this.
>>>
>>>>
>>>> It may also be an optimization to cache the base in subject_base(). It
>>>> can't change after install time so it should be valid the entire
>>>> lifetime of the server.
>>>
>>> What if someone does
>>>
>>> $ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'
>>
>> Ok, you're right about the issuer and DN case insensitivity, so we're
>> good there. I think that caching is still a good idea.
>>
>> We'll handle the immutable subjectbase as a separate problem. This is
>> really pretty minor and isn't a show stopper, you just have to revert it
>> and things work again.
>>
>> rob
>
> Updated patch attached. Added caching and fixed one more occurrence of
> O=REALM, in make-testcert.
>
> Honza
>

ACK, pushed to master and ipa-2-2
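
An added illustration of the points settled in this thread; it is not FreeIPA code and not part of the patch. The function names `valid_issuer` and the subject-base setting come from the thread, while `normalize_dn`, `SubjectBaseCache`, the non-selfsign issuer layout `CN=Certificate Authority,<subject base>` and all sample values are assumptions made for the example. It shows a case-insensitive issuer check against the configured subject base, why a hard-coded O=REALM check rejects a valid issuer, and how a cached subject base goes stale after a `config-mod`.

```python
# Added illustration; not FreeIPA code. DN handling is deliberately simplified.

def normalize_dn(dn):
    """Lower-case attribute types and values and collapse whitespace.
    Simplification: does not handle escaped commas or multi-valued RDNs."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(rdns)


class SubjectBaseCache:
    """Reads the subject base once and reuses it (hypothetical helper)."""
    def __init__(self, fetch):
        self._fetch = fetch
        self._value = None

    def get(self):
        if self._value is None:
            self._value = self._fetch()
        return self._value


def valid_issuer(issuer, realm, subject_base, selfsign=False):
    if selfsign:
        # Per the thread: the selfsign issuer ignores the subject base.
        expected = "CN=%s Certificate Authority" % realm
    else:
        # Assumed issuer layout for the non-selfsign case.
        expected = "CN=Certificate Authority,%s" % subject_base
    return normalize_dn(issuer) == normalize_dn(expected)


# Constructed sample data.
REALM = "EXAMPLE.COM"
config = {"ipacertificatesubjectbase": "O=Something"}
cache = SubjectBaseCache(lambda: config["ipacertificatesubjectbase"])
ISSUER = "cn=certificate authority, o=something"


def demo():
    ok_configured = valid_issuer(ISSUER, REALM, cache.get())
    ok_hardcoded = valid_issuer(ISSUER, REALM, "O=" + REALM)
    # Simulate a later config-mod: the cached value no longer matches.
    config["ipacertificatesubjectbase"] = "O=Changed"
    stale = cache.get() != config["ipacertificatesubjectbase"]
    return ok_configured, ok_hardcoded, stale
```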



