author | Martin Babinsky <mbabinsk@redhat.com> | 2016-07-01 11:55:47 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-07-01 13:16:23 +0200 |
commit | 0ade41abbad324d8c54449f3b1024a7651dc259d (patch) | |
tree | 7d134ff48cc9dfe17e9fb04e2a4ca3d3005572f2 /ipaserver/plugins/caacl.py | |
parent | 4c1d737656f117a85845fdcd49cbe71459d392e7 (diff) | |
Fix incorrect check for principal type when evaluating CA ACLs
This error prevented hosts from requesting certificates for themselves.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipaserver/plugins/caacl.py')
-rw-r--r-- | ipaserver/plugins/caacl.py | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 3f813a7ef..9a60f7e27 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -64,8 +64,10 @@ def _acl_make_request(principal_type, principal, ca_id, profile_id):
 req = pyhbac.HbacRequest()
 req.targethost.name = ca_id
 req.service.name = profile_id
- if principal_type == 'user' or principal_type == 'host':
+ if principal_type == 'user':
 req.user.name = principal.username
+ elif principal_type == 'host':
+ req.user.name = principal.hostname
 elif principal_type == 'service':
 req.user.name = unicode(principal)
 groups = [] |
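Review bot: The `if`/`elif` chain on `principal_type` in `_acl_make_request` ends at the 'service' branch with no `else`, so in the visible lines any other value appears to leave `req.user.name` unset while the request is still built and later evaluated. Because this request feeds a CA ACL decision, an unrecognised type should fail closed, for example `else: raise ValueError("unsupported principal type: %r" % principal_type)`. Callers may already restrict the type to these three values, but the hunk does not show that. The page has also lost the original indentation and the function body continues past the hunk, so confirm against the file that `groups = []` sits outside the chain.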