Jan Cholasta wrote:
> On 26.3.2012 16:15, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> https://fedorahosted.org/freeipa/ticket/2521
>>>
>>> Honza
>>
>> You can still set a custom subject base for selfsign installations so
>> you need a special case in valid_issuer().
>
> For selfsign installations, the issuer is always "CN=REALM Certificate
> Authority", no matter what is set in the subject base, so no special
> case is needed.
>
>> I wonder if this comparison should be case insensitive too.
>
> I think the DN class already takes care of this.
>
>> It may also be an optimization to cache the base in subject_base(). It
>> can't change after install time so it should be valid the entire
>> lifetime of the server.
>
> What if someone does
>
> $ ipa config-mod --setattr ipacertificatesubjectbase='O=Something'

Ok, you're right about the issuer and DN case insensitivity, so we're
good there. I think that caching is still a good idea.
We'll handle the immutable subjectbase as a separate problem. This is
really pretty minor and isn't a show stopper, you just have to revert it
and things work again.
rob