[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN
Jan Orel
janorel at gmail.com
Tue Oct 13 16:22:37 UTC 2015
> The restriction was there so that hosts had limited visibility. This
> applies that limitation to all users. I think the host check needs to be
> re-added.
I am confused, correct me if I am wrong, but the "if hostname:" check
seems always redundant because it would raise an exception before
either here:
    if not bind_principal.startswith('host/'):
        raise acierr
or in validate_principal()
> Also, every host is not guaranteed to have a krbPrincipalAux (it can be
> unenrolled). I assume you used this to cover managed services as well,
> that's why the broad search base?
Checking it, even a host which is not enrolled has objectClass: krbprincipalaux,
but advise me if a different search should be used.
thanks, jan