IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

First pass at enforcing certificates be requested from same host

Browse Source 
We want to only allow a machine to request a certificate for itself, not for
other machines. I've added a new taksgroup which will allow this.

The requesting IP is resolved and compared to the subject of the CSR to
determine if they are the same host. The same is done with the service
principal. Subject alt names are not queried yet.

This does not yet grant machines actual permission to request certificates
yet, that is still limited to the taskgroup request_certs.
This commit is contained in:
Rob Crittenden
2009-10-20 11:59:07 -04:00
committed by Jason Gerard DeRose
parent aa2183578c
commit 453a19fcac
6 changed files with 131 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ipalib/backend.py
View File

@@ -97,10 +97,15 @@ class Executioner(Backend):
def create_context(self, ccache=None, client_ip=None):
"""
client_ip: The IP address of the remote client.
"""
if self.env.in_server:
self.Backend.ldap2.connect(ccache=ccache)
else:
self.Backend.xmlclient.connect()
if client_ip is not None:
setattr(context, "client_ip", client_ip)
def destroy_context(self):
destroy_context()