[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN
Rob Crittenden
rcritten at redhat.com
Mon Oct 12 16:00:10 UTC 2015
Jan Orel wrote:
>> Agreed. The corresponding checks for certificate issuance via
>> cert-request, where the bind principal is a host, check that the
>> subject host (and SAN dNSNames) is "managed by" the bind host.
>> This is checked via `ldap.can_write(dn_of_subject_principal)'.
>>
>> 1. retrieve cert
>> 2. read CN
>> 3. ensure CN refers to a known host principal
>> and call ldap.can_write(...) to ensure bind principal
>> manages it.
>>
>
> Thanks for the feedback. Attaching new patch.
>
The restriction was there so that hosts had limited visibility. This
applies that limitation to all users. I think the host check needs to be
re-added.
Also, every host is not guaranteed to have a krbPrincipalAux (it can be
unenrolled). I assume you used this to cover managed services as well,
that's why the broad search base?
rob
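Added example (not FreeIPA code and not part of this thread) modelling the check the quoted message outlines and the two points raised in the reply: the visibility restriction applies only when the bind principal is a host, and a host entry is located by its fqdn rather than by requiring krbPrincipalAux, since an unenrolled host has none. The directory contents and the `can_write` stand-in for `ldap.can_write(dn)` are constructed for the example; the subject parser is a deliberately simple RFC 4514-style CN extractor and does not handle escaped commas.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HostEntry:
    """Constructed stand-in for an LDAP host entry (not real FreeIPA data)."""
    dn: str
    fqdn: str
    enrolled: bool                                 # enrolled hosts carry krbPrincipalAux
    managed_by: set = field(default_factory=set)   # fqdns allowed to write this entry


BASE = "cn=computers,cn=accounts,dc=example,dc=test"   # constructed suffix

# Constructed sample directory: one managed host, one unenrolled host, one manager.
DIRECTORY = [
    HostEntry(f"fqdn=web1.example.test,{BASE}", "web1.example.test",
              enrolled=True, managed_by={"admin1.example.test"}),
    HostEntry(f"fqdn=db1.example.test,{BASE}", "db1.example.test",
              enrolled=False),                     # unenrolled: no krbPrincipalAux
    HostEntry(f"fqdn=admin1.example.test,{BASE}", "admin1.example.test",
              enrolled=True),
]


def extract_cn(subject):
    """Return the lower-cased CN value of an RFC 4514-style subject string."""
    m = re.search(r'(?:^|,)\s*CN=([^,]+)', subject, re.IGNORECASE)
    if not m:
        raise ValueError("subject has no CN attribute")
    return m.group(1).strip().lower()


def find_host(fqdn):
    """Look the host up by fqdn only; enrolment state is deliberately not a filter."""
    for entry in DIRECTORY:
        if entry.fqdn == fqdn:
            return entry
    return None


def can_write(bind_host_fqdn, entry):
    """Stand-in for ldap.can_write(dn): a host manages its own entry and any
    entry that lists it in managedBy."""
    return bind_host_fqdn == entry.fqdn or bind_host_fqdn in entry.managed_by


def authorize_cert_show(bind_principal, subject):
    """Decide whether bind_principal may view a certificate with this subject.

    Returns (allowed, reason). Only host binds are restricted; user binds keep
    their previous visibility.
    """
    if not bind_principal.startswith("host/"):
        return True, "not a host bind; visibility restriction does not apply"
    bind_fqdn = bind_principal[len("host/"):].split("@")[0].lower()
    cn = extract_cn(subject)
    entry = find_host(cn)
    if entry is None:
        return False, f"CN {cn} does not refer to a known host"
    if not can_write(bind_fqdn, entry):
        return False, f"host {bind_fqdn} does not manage {cn}"
    return True, f"host {bind_fqdn} manages {cn}"


if __name__ == "__main__":
    for principal, subject in [
        ("admin@EXAMPLE.TEST", "CN=web1.example.test,O=EXAMPLE.TEST"),
        ("host/admin1.example.test@EXAMPLE.TEST", "CN=web1.example.test,O=EXAMPLE.TEST"),
        ("host/web1.example.test@EXAMPLE.TEST", "CN=admin1.example.test,O=EXAMPLE.TEST"),
        ("host/db1.example.test@EXAMPLE.TEST", "CN=db1.example.test,O=EXAMPLE.TEST"),
    ]:
        print(principal, "->", authorize_cert_show(principal, subject))
```

The unenrolled `db1` case is the one worth keeping in mind: a lookup that filters on krbPrincipalAux would report the host as unknown and deny even its own certificate, whereas a lookup by fqdn finds the entry and lets `can_write` make the decision.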