From a7532af44e518994b8124b09e32fb3f494150ba6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Sun, 9 Aug 2015 03:25:58 -0400
Subject: [PATCH] Allow SAN extension for cert-request self-service

Users cannot self-issue a certificate with a subjectAltName extension (e.g. with rfc822Name altNames). Suppress the cert-request "request certificate with subjectaltname" permission check when the bind principal is the target principal (i.e. cert-request self-service).

Fixes: https://fedorahosted.org/freeipa/ticket/5190

Reviewed-By: Martin Babinsky
---
 ipalib/plugins/cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 341bdd01766d50ba18ce7147d4408851e6f95487..d612e9d38da44e4fd4768d286f930e51c71a1031 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -369,7 +369,7 @@ class cert_request(VirtualCommand):
                 error=_("Failure decoding Certificate Signing Request: %s") % e)
 
         # host principals may bypass allowed ext check
-        if bind_principal_type != HOST:
+        if bind_principal != principal and bind_principal_type != HOST:
             for ext in extensions:
                 operation = self._allowed_extensions.get(ext)
                 if operation:
-- 
2.4.3
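Review bot: The new condition on the `+` line skips the permission check for every extension in `self._allowed_extensions`, not only subjectAltName as the commit message describes, whenever the bind principal equals the target principal; if that table ever holds more than SAN, self-service silently bypasses those checks too, so either restrict the bypass to the SAN entry inside the loop or document the wider scope. The comment above the changed line, `# host principals may bypass allowed ext check`, is now stale and should read `# host principals and self-service requests may bypass allowed ext check`. Whether the SAN values carried in a self-service CSR are then validated against the target principal presumably happens later in the method, which continues outside the hunk; that is worth confirming, since this change removes the only gate visible here. The comparison `bind_principal != principal` also assumes both values are in the same canonical form (realm suffix, case); a mismatch would fall back to the permission check rather than open anything, so it is a usability rather than a security concern.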