68ada5f fix iPAddress cert issuance for >1 host/service

Authored and Committed by ftweedal 3 years ago
    fix iPAddress cert issuance for >1 host/service
    
    The 'cert_request' command accumulates DNS names from the CSR,
    before checking that all IP addresses in the CSR are reachable from
    those DNS names.  Before adding a DNS name to the set, we check that
    it corresponds to the FQDN of a known host/service principal
    (including principal aliases).  When a DNS name maps to a
    "alternative" principal (i.e.  not the one given via the 'principal'
    argument), this check was not being performed correctly.
    Specifically, we were looking for the 'krbprincipalname' field on
    the RPC response object directly, instead of its 'result' field.
    
    To resolve the issue, dereference the RPC response to its 'result'
    field before invoking the '_dns_name_matches_principal' subroutine.
    
    Fixes: https://pagure.io/freeipa/issue/8368
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
        
file modified
+3 -3
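
A simplified model of the bug the commit message describes, added here as an illustration and not FreeIPA's own code. Only the 'result' and 'krbprincipalname' keys come from the message; the function names, the response contents and the hostnames are constructed assumptions.

```python
# Simplified model of the DNS-name check; not the FreeIPA implementation.

def dns_name_matches_principal(dns_name, entry):
    """True if dns_name is the host part of any principal name
    (canonical or alias) listed under the entry's 'krbprincipalname'."""
    if entry is None:
        return False
    wanted = dns_name.lower().rstrip('.')
    for alias in entry.get('krbprincipalname', []):
        # 'host/web2.example.test@EXAMPLE.TEST' -> 'web2.example.test'
        name_part = alias.rsplit('@', 1)[0]
        hostname = name_part.split('/', 1)[-1]
        if hostname.lower() == wanted:
            return True
    return False

# Constructed RPC response for an "alternative" principal: the entry
# attributes sit under 'result', beside other envelope keys.
RPC_RESPONSE = {
    'result': {
        'krbprincipalname': [
            'host/web2.example.test@EXAMPLE.TEST',
            'host/www.example.test@EXAMPLE.TEST',  # principal alias
        ],
    },
    'value': 'web2.example.test',
    'summary': None,
}

def accepted_names_before_fix(san_dns_names, response):
    # Bug pattern: the whole response is passed, so the lookup of
    # 'krbprincipalname' hits the envelope and finds nothing.
    return {n for n in san_dns_names
            if dns_name_matches_principal(n, response)}

def accepted_names_after_fix(san_dns_names, response):
    # Fix pattern: dereference to 'result' before the check.
    entry = response['result']
    return {n for n in san_dns_names
            if dns_name_matches_principal(n, entry)}

if __name__ == '__main__':
    names = ['web2.example.test', 'www.example.test', 'other.example.test']
    print(accepted_names_before_fix(names, RPC_RESPONSE))
    print(accepted_names_after_fix(names, RPC_RESPONSE))
```

In this model the undereferenced response raises no error: the lookup falls back to an empty list, so every DNS name for the alternative principal is silently rejected.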