check that the master requesting PKINIT cert has KDC enabled
https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
069948466e
commit
8f4abf7bc1
@ -215,11 +215,23 @@ def caacl_check(principal, ca, profile_id):
|
|||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
def ca_kdc_check(ldap, hostname):
|
def ca_kdc_check(api_instance, hostname):
|
||||||
result = api.Command.config_show()['result']
|
master_dn = api_instance.Object.server.get_dn(unicode(hostname))
|
||||||
if hostname not in result['ipa_master_server']:
|
kdc_dn = DN(('cn', 'KDC'), master_dn)
|
||||||
|
|
||||||
|
try:
|
||||||
|
kdc_entry = api_instance.Backend.ldap2.get_entry(
|
||||||
|
kdc_dn, ['ipaConfigString'])
|
||||||
|
|
||||||
|
ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']}
|
||||||
|
|
||||||
|
if 'enabledservice' not in ipaconfigstring:
|
||||||
|
raise errors.NotFound()
|
||||||
|
|
||||||
|
except errors.NotFound:
|
||||||
raise errors.ACIError(info=_(
|
raise errors.ACIError(info=_(
|
||||||
"Host '%(hostname)s' is not a KDC") % dict(hostname=hostname))
|
"Host '%(hostname)s' is not an active KDC")
|
||||||
|
% dict(hostname=hostname))
|
||||||
|
|
||||||
|
|
||||||
def validate_certificate(value):
|
def validate_certificate(value):
|
||||||
@ -604,7 +616,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
|||||||
|
|
||||||
if not bypass_caacl:
|
if not bypass_caacl:
|
||||||
if principal_type == KRBTGT:
|
if principal_type == KRBTGT:
|
||||||
ca_kdc_check(ldap, bind_principal.hostname)
|
ca_kdc_check(self.api, bind_principal.hostname)
|
||||||
else:
|
else:
|
||||||
caacl_check(principal, ca, profile_id)
|
caacl_check(principal, ca, profile_id)
|
||||||
|
|
||||||
|
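Review bot: In the new `ca_kdc_check`, `kdc_entry['ipaConfigString']` is subscripted inside a `try` that only catches `errors.NotFound`, so a cn=KDC entry that exists but carries no ipaConfigString value would, if the entry object raises `KeyError` for an absent attribute (as it appears to here), escape as an uncaught exception and surface as an internal error instead of the intended `ACIError`. The request is still denied, which is the safe direction, but the caller loses the "is not an active KDC" message and the failure looks like a server bug rather than a policy decision. Reading the attribute defensively closes that gap: `ipaconfigstring = {val.lower() for val in kdc_entry.get('ipaConfigString', [])}`. A short comment above the `raise errors.NotFound()` line, e.g. `# treat a KDC that is present but not enabled like a missing one`, would also make it clear that the exception is deliberate control flow funnelled into the single ACIError below. The second hunk sits inside `cert_request.execute`, whose body starts and ends outside this section.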