On 03/26/2012 11:28 AM, Jan Cholasta wrote:
> On 26.3.2012 16:15, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> https://fedorahosted.org/freeipa/ticket/2521
>>>
>>> Honza
>>
>> You can still set a custom subject base for selfsign installations so
>> you need a special case in valid_issuer().
>
> For selfsign installations, the issuer is always "CN=REALM Certificate
> Authority", no matter what is set in the subject base, so no special
> case is needed.
>
>> I wonder if this comparison
>> should be case insensitive too.
>
> I think the DN class already takes care of this.
>
>>
>> It may also be an optimization to cache the base in subject_base(). It
>> can't change after install time so it should be valid the entire
>> lifetime of the server.
>
> What if someone does
>
> $ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'
>
> ?

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipaconfig-mod_setattr ipacertificatesubjectbase positive
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Set ipapwdexpadvnotify to OU=Bogus
:: [ PASS ] :: ipacertificatesubjectbase successfully changed.
:: [ LOG ] :: Duration: 3s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: ipaconfig-mod_setattr ipacertificatesubjectbase positive

It works ... should we be getting an error??

>
>>
>> rob
>
> Honza
>

--
Jenny Galipeau <jgali...@redhat.com>
Principal Software QA Engineer
Red Hat, Inc.
Security Engineering

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel