[Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

Martin Kosek mkosek at redhat.com
Thu Jan 9 08:51:28 UTC 2014


On 01/09/2014 12:26 AM, Simo Sorce wrote:
> On Thu, 2013-12-05 at 14:37 +0100, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/3977>.
> 
> See the additional comments on 3977, I think this patch should be NACKed
> with extreme prejudice if it allows setting arbitrary subjectAltNames.
> 
> Simo.
> 

It does not allow them - SANs are being authorized by using the managedBy
attribute on the SAN-ed host/service (i.e. host-add-managedby/service-add-host
commands).

But you are right that the authorization part should not be taken lightly and
should be verified before we allow SANs in default profile. I added a comment
in the Trac as well.

Martin
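The authorization model Martin describes above (a SAN is accepted only when the requesting host appears in the managedBy attribute of the host or service named in the SAN) can be expressed as a small check. The following is an added illustration, not FreeIPA's own code or the code of the patch under review; the directory contents, the `host/` principal format, and the rule that both the SAN host and the matching service principal must be managed by the requester are assumptions made for the example.

```python
"""Illustrative model of managedBy-based SAN authorization.

Added example, not FreeIPA's own implementation. The directory data below is
constructed inline so the module runs offline.
"""

from typing import Dict, Iterable, Set, Tuple

# Constructed sample directory: host FQDN -> FQDNs listed in its managedBy.
HOSTS: Dict[str, Set[str]] = {
    "mgmt.example.test": set(),
    "web1.example.test": {"mgmt.example.test"},   # managed by mgmt
    "web2.example.test": set(),                    # nobody may manage it
    "web3.example.test": {"mgmt.example.test"},   # managed, but no service
}

# Constructed sample directory: service principal -> hosts that manage it
# (the equivalent of service-add-host).
SERVICES: Dict[str, Set[str]] = {
    "HTTP/web1.example.test": {"mgmt.example.test"},
    "HTTP/web2.example.test": {"mgmt.example.test"},
}


def host_principal_to_fqdn(principal: str) -> str:
    """Turn 'host/web1.example.test@EXAMPLE.TEST' into 'web1.example.test'."""
    name = principal.split("@", 1)[0]
    if not name.startswith("host/"):
        raise ValueError("not a host principal: %r" % principal)
    return name[len("host/"):].lower()


def authorize_san(requester: str, service_type: str, san_names: Iterable[str],
                  hosts: Dict[str, Set[str]] = HOSTS,
                  services: Dict[str, Set[str]] = SERVICES,
                  ) -> Dict[str, Tuple[bool, str]]:
    """Decide, per requested dNSName SAN, whether the requester may use it.

    Returns {san: (allowed, reason)}. A name is allowed when it is the
    requester's own name, or when the requester is in the managedBy of the
    SAN host *and* manages the matching <service_type>/<fqdn> service.
    """
    requester_fqdn = host_principal_to_fqdn(requester)
    result: Dict[str, Tuple[bool, str]] = {}
    for raw in san_names:
        name = raw.strip().lower().rstrip(".")
        if name == requester_fqdn:
            result[raw] = (True, "requester's own name")
            continue
        managed_by = hosts.get(name)
        if managed_by is None:
            result[raw] = (False, "no such host in directory")
            continue
        if requester_fqdn not in managed_by:
            result[raw] = (False, "requester is not in the host's managedBy")
            continue
        svc = "%s/%s" % (service_type, name)
        svc_managers = services.get(svc)
        if svc_managers is None:
            result[raw] = (False, "service %s does not exist" % svc)
            continue
        if requester_fqdn not in svc_managers:
            result[raw] = (False, "requester does not manage %s" % svc)
            continue
        result[raw] = (True, "managedBy on host and service")
    return result


def request_allowed(requester: str, service_type: str,
                    san_names: Iterable[str]) -> bool:
    """A request is rejected as a whole if any single SAN is unauthorized."""
    return all(ok for ok, _ in authorize_san(requester, service_type,
                                             san_names).values())


if __name__ == "__main__":
    req = "host/mgmt.example.test@EXAMPLE.TEST"
    for san, (ok, why) in authorize_san(req, "HTTP", [
            "web1.example.test", "web2.example.test",
            "web3.example.test", "evil.example.test"]).items():
        print("%-20s %s (%s)" % (san, "ALLOW" if ok else "DENY", why))
```

The deny reasons are the part worth keeping in a real implementation: a rejected request should say which SAN failed and why, so an operator can tell a missing managedBy entry apart from a typo in the CSR.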



