| | | |
|---|---|---|
| author | Fraser Tweedale <ftweedal@redhat.com> | 2015-08-09 03:25:58 -0400 |
| committer | Jan Cholasta <jcholast@redhat.com> | 2015-08-11 12:25:51 +0200 |
| commit | 0e44568695e22752c250ead17eeb08e7a1561466 | |
| tree | 1f5cc5f9dd01b60ecc0dd99d9443b274f6bcdc65 /ipalib | |
| parent | 8cc61cc42c3e3422e79da69c7a2c3e594b5931ca | |
Allow SAN extension for cert-request self-service
Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames). Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).
Fixes: https://fedorahosted.org/freeipa/ticket/5190
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipalib')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | ipalib/plugins/cert.py | 2 |

1 files changed, 1 insertions, 1 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 341bdd017..d612e9d38 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -369,7 +369,7 @@ class cert_request(VirtualCommand): error=_("Failure decoding Certificate Signing Request: %s") % e) # host principals may bypass allowed ext check - if bind_principal_type != HOST: + if bind_principal != principal and bind_principal_type != HOST: for ext in extensions: operation = self._allowed_extensions.get(ext) if operation: |
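Review bot: the widened condition `if bind_principal != principal and bind_principal_type != HOST:` skips the entire `for ext in extensions:` loop for self-service requests, so every extension that `self._allowed_extensions.get(ext)` maps to a permission is exempted, not only the "request certificate with subjectaltname" permission the commit message says it is suppressing. If the intent is SAN-only self-service, keep the loop and skip the permission check per operation inside it, e.g. `if operation and not (bind_principal == principal and operation == <the SAN operation>):`, so other permission-gated extensions stay enforced for non-host principals. It is also worth confirming that `bind_principal` and `principal` are compared in the same canonical form (same realm and case normalisation); otherwise a self-service request with a differently written principal silently falls through to the permission check rather than the intended bypass. Finally, a one-line comment above the condition stating that self-service (bind principal equals target principal) intentionally bypasses the allowed-extension check would make the security decision visible to the next reader.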