[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN
Jan Orel
janorel at gmail.com
Mon Oct 12 15:28:37 UTC 2015
> Agreed. The corresponding checks for certificate issuance via
> cert-request, where the bind principal is a host, check that the
> subject host (and SAN dNSNames) is "managed by" the bind host.
> This is checked via `ldap.can_write(dn_of_subject_principal)'.
>
> 1. retrieve cert
> 2. read CN
> 3. ensure CN refers to a known host principal
>    and call ldap.can_write(...) to ensure bind principal
>    manages it.
>
Thanks for the feedback. Attaching new patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-xorel-0001-2-cert-show-verify-write-access-to-userCertificate.patch
Type: text/x-patch
Size: 2085 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151012/f15fa806/attachment.bin>
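
The check quoted in this message (read the CN, require a known host principal, require that the bind principal can write to it), sketched as an added example; it is not FreeIPA code and not the attached patch. The in-memory MANAGED_BY table, the example.test names, and the can_write() and check_cert_access() helpers are assumptions standing in for the directory and the ldap.can_write(...) call, and the certificate subject is taken as an already-retrieved string.

```python
import re

class AccessDenied(Exception):
    """Raised when the bind principal may not act on the certificate's host."""

# Constructed sample directory (assumption): host entry DN -> bind DNs that manage it.
HOSTS_BASE = "cn=computers,cn=accounts,dc=example,dc=test"

def host_dn(fqdn):
    return f"fqdn={fqdn},{HOSTS_BASE}"

MANAGED_BY = {
    host_dn("web1.example.test"): {host_dn("web1.example.test"), host_dn("proxy.example.test")},
    host_dn("proxy.example.test"): {host_dn("proxy.example.test")},
    host_dn("db1.example.test"): {host_dn("db1.example.test")},
}

def subject_cn(subject):
    """Return the lower-cased CN of a subject string, or None unless exactly one CN is present."""
    rdns = re.split(r"(?<!\\),", subject)  # split on commas that are not backslash-escaped
    cns = [r.split("=", 1)[1].strip() for r in rdns if r.strip().lower().startswith("cn=")]
    return cns[0].lower() if len(cns) == 1 else None

def can_write(bind_dn, target_dn):
    """Hypothetical stand-in for the ldap.can_write(...) check named in the thread."""
    return bind_dn in MANAGED_BY.get(target_dn, set())

def check_cert_access(bind_dn, subject):
    """Steps 2 and 3 of the quoted procedure; step 1 (retrieving the cert) is assumed done."""
    cn = subject_cn(subject)
    # The CN is certificate-supplied data: accept only hostname characters before building a DN.
    if cn is None or not re.fullmatch(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?", cn):
        raise AccessDenied("subject has no usable CN")
    target = host_dn(cn)
    if target not in MANAGED_BY:  # fail closed when the CN names no known host
        raise AccessDenied(f"{cn} is not a known host principal")
    if not can_write(bind_dn, target):  # authorization is "manages it", not hostname == CN
        raise AccessDenied(f"{bind_dn} does not manage {cn}")
    return target
```

Here proxy.example.test is allowed to act on the web1.example.test certificate because it manages that host, even though its own hostname differs from the CN, while db1.example.test is refused.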