-rw-r--r--install/updates/40-delegation.update15
-rw-r--r--ipaserver/plugins/cert.py6
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py2
3 files changed, 1 insertions, 22 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 259cbdbda..f48d23a93 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -133,21 +133,6 @@ default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate remove hold
-dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
-default:objectClass: top
-default:objectClass: nsContainer
-default:cn: request certificate with subjectaltname
-
-dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:cn: Request Certificate with SubjectAltName
-default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: $SUFFIX
-add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)
-
dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
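Review bot: Removing the virtual-operation container, the `cn=Request Certificate with SubjectAltName` permission and the `add:aci` on `$SUFFIX` from this update file only stops them from being created on fresh installs; it does not delete the entries or the aci that already exist on upgraded deployments, and nothing in this commit shows a corresponding cleanup step. Unless such a step exists elsewhere, upgraded servers keep a dangling aci that grants write on an operation no code checks any more, and the `== 8` legacy-permission expectation changed in test_permission_plugin.py would only hold on new installs. If the cleanup does live elsewhere, a one-line comment in this file naming it (e.g. `# Request Certificate with SubjectAltName permission retired; existing entries removed by <upgrade step>`) would make the retirement auditable.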
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 81872cffd..4c1248f93 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -620,12 +620,6 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
except cryptography.x509.extensions.ExtensionNotFound:
ext_san = None
- # self-service and host principals may bypass SAN permission check
- if (bind_principal_string != principal_string
- and bind_principal_type != HOST):
- if ext_san is not None:
- self.check_access('request certificate with subjectaltname')
-
dn = None
principal_obj = None
# See if the service exists and punt if it doesn't and we aren't
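Review bot: With the permission check gone, nothing at this point in cert_request records why a SAN extension no longer needs separate authorization, and `ext_san` (set in the try/except just above) is only worth keeping if it is still consumed further down the method, outside this hunk; if it is not, that try/except becomes dead code, and `bind_principal_type`/`HOST` may be unused as well. A short comment where the block was removed would stop the next reader from reinstating the check, e.g. `# No dedicated SAN permission: SAN names are validated later in this method` — adjust to whatever actually covers it, since the later validation is not visible from here. The enclosing execute method starts and ends outside the hunk.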
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 6336df7c1..7582b24a4 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -3125,7 +3125,7 @@ def check_legacy_results(results):
legacy_permissions = [p for p in results
if not p.get('ipapermissiontype')]
print(legacy_permissions)
- assert len(legacy_permissions) == 9, len(legacy_permissions)
+ assert len(legacy_permissions) == 8, len(legacy_permissions)
return True