From 0ade41abbad324d8c54449f3b1024a7651dc259d Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 1 Jul 2016 11:55:47 +0200 Subject: Fix incorrect check for principal type when evaluating CA ACLs This error prevented hosts to request certificates for themselves. https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: Petr Spacek --- ipaserver/plugins/caacl.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'ipaserver/plugins/caacl.py') diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index 3f813a7ef..9a60f7e27 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py @@ -64,8 +64,10 @@ def _acl_make_request(principal_type, principal, ca_id, profile_id): req = pyhbac.HbacRequest() req.targethost.name = ca_id req.service.name = profile_id - if principal_type == 'user' or principal_type == 'host': + if principal_type == 'user': req.user.name = principal.username + elif principal_type == 'host': + req.user.name = principal.hostname elif principal_type == 'service': req.user.name = unicode(principal) groups = [] -- cgit