authorMartin Babinsky <mbabinsk@redhat.com>2016-07-01 11:55:47 +0200
committerJan Cholasta <jcholast@redhat.com>2016-07-01 13:16:23 +0200
commit0ade41abbad324d8c54449f3b1024a7651dc259d (patch)
tree7d134ff48cc9dfe17e9fb04e2a4ca3d3005572f2
parent4c1d737656f117a85845fdcd49cbe71459d392e7 (diff)
Fix incorrect check for principal type when evaluating CA ACLs
This error prevented hosts from requesting certificates for themselves. https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: Petr Spacek <pspacek@redhat.com>
-rw-r--r--ipaserver/plugins/caacl.py4
1 files changed, 3 insertions, 1 deletions
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 3f813a7..9a60f7e 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -64,8 +64,10 @@ def _acl_make_request(principal_type, principal, ca_id, profile_id):
req = pyhbac.HbacRequest()
req.targethost.name = ca_id
req.service.name = profile_id
- if principal_type == 'user' or principal_type == 'host':
+ if principal_type == 'user':
req.user.name = principal.username
+ elif principal_type == 'host':
+ req.user.name = principal.hostname
elif principal_type == 'service':
req.user.name = unicode(principal)
groups = []
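Review bot: The `if`/`elif` chain in `_acl_make_request` still has no final `else`, so a `principal_type` other than 'user', 'host' or 'service' leaves `req.user.name` unset and the request is presumably still built and evaluated with no principal name. Because this request feeds an authorization decision for certificate issuance, the chain should fail closed, for example `else: raise ValueError('unsupported principal type: %r' % principal_type)`, using whatever error type the plugin's callers expect. The diffstat shows only caacl.py changed, so a regression test that evaluates a host principal against a CA ACL would guard the new 'host' branch. The function body continues past the end of the hunk, so the group handling after `groups = []` is not covered by this note.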