| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-12-01 14:28:03 +1000 |
|---|---|---|
| committer | Martin Babinsky <mbabinsk@redhat.com> | 2016-12-21 17:04:18 +0100 |
| commit | bdbb1c34a2f5ef864cd3a943dcd047cde20de681 (patch) | |
| tree | 64fd9f24c65d76237ab2c2d0d46fc0859556784e /install | |
| parent | 2bc01ec5b4a91a805912bdada429a91ab08ed196 (diff) | |
Remove "Request Certificate with SubjectAltName" permission
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated). Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.
Furthermore, we already do rigorously validate SAN contents against
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.
So remove the permission, the associated virtual operation, and the
associated code in cert_request.
Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'install')
| -rw-r--r-- | install/updates/40-delegation.update | 15 |
1 files changed, 0 insertions, 15 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 259cbdbda..f48d23a93 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -133,21 +133,6 @@ default:objectClass: top default:objectClass: nsContainer default:cn: certificate remove hold -dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX -default:objectClass: top -default:objectClass: nsContainer -default:cn: request certificate with subjectaltname - -dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX -default:objectClass: top -default:objectClass: groupofnames -default:objectClass: ipapermission -default:cn: Request Certificate with SubjectAltName -default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX - -dn: $SUFFIX -add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";) - dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX default:objectClass: top default:objectClass: nsContainer |
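Review bot: dropping the `dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX` stanza, the matching virtual-operation container and the `add:aci:` line on `$SUFFIX` from 40-delegation.update only stops fresh installs from creating them; an already-deployed server keeps the permission entry, the container and the `permission:Request Certificate with SubjectAltName` ACI unless something deletes them on upgrade, and nothing in this hunk does. Since the diffstat is limited to 'install', please confirm a cleanup exists elsewhere in the commit or add one here, for example a `dn: $SUFFIX` stanza with `remove:aci:` for the ACI and `deleteentry` stanzas for the two entries, so that upgraded deployments are not left with a dangling ACI that grants write on a virtual operation that no longer exists.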
