[Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install

Petr Vobornik pvoborni at redhat.com
Thu Jul 7 14:04:57 UTC 2016


On 07/07/2016 03:16 PM, Rob Crittenden wrote:
> Sebastian Hetze wrote:
>> Hi *
>>
>> attached you find a patch that adds new options --subject_cn and
>> --subject_mail to ipa-server-install that make the CA cert subject CN
>> customizable.
>>
>> This patch has been tested by a customer in a PoC.
>> However, I assume additional testing in different environments is
>> required.
>>
>> It would be greatly appreciated if this patch would find its way into
>> the product very soon.
>
> I don't see the advantage of passing around the subject_rdn along with
> the base. Why not pre-combine them into a DN?
>
> Similarly, I think I'd drop storing the subject base and RDN and just
> store just the DN. I don't think there would be any backwards compat
> issues as this would only apply to new installs.
>
> I think this would explode the number of options as users request
> additional attributes for the subject (OU, C, etc). Might be better to
> make the user pass in a full DN if they want to manage the CA subject. I
> don't know if any validation would be required for dogtag (e.g. is there
> a minimum set of components needed?)

+1, IMO using e.g., --subject="e=mail,cn=Something,O=REALM.NAME" is
better. But IPA should validate it properly to disallow anything not
usable by dogtag.

Adding Fraser for the dogtag part.

>
> rob
>

-- 
Petr Vobornik
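The full-DN approach discussed above, as an added example that is not FreeIPA or Dogtag code: a small validator for a `--subject` value that parses the DN into RDNs and rejects anything outside a policy. The allowed attribute types and the "CN and O are required" rule are assumptions for illustration, since the thread leaves Dogtag's real requirements open.

```python
"""Validate a CA subject passed as one full DN, e.g.
--subject="e=mail,cn=Something,O=REALM.NAME".

Added example, not FreeIPA or Dogtag code. ALLOWED_TYPES and
REQUIRED_TYPES are assumed policy, not Dogtag's actual rules.
"""
import re

# Assumed: attribute types the installer would accept in a CA subject.
ALLOWED_TYPES = {"CN", "O", "OU", "C", "ST", "L", "E", "EMAILADDRESS"}
# Assumed: components that must appear at least once.
REQUIRED_TYPES = {"CN", "O"}

# Split on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return a list of (TYPE, value) pairs; raise ValueError on bad syntax."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        if "=" not in part:
            raise ValueError("RDN %r is not of the form type=value" % part)
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        value = value.strip().replace("\\,", ",")  # unescape literal commas
        if not attr or not value:
            raise ValueError("empty attribute type or value in %r" % part)
        rdns.append((attr, value))
    return rdns


def validate_subject(dn):
    """Return the parsed RDNs if the DN passes the assumed policy, else raise."""
    rdns = parse_dn(dn)
    types = {attr for attr, _ in rdns}
    unknown = types - ALLOWED_TYPES
    if unknown:
        raise ValueError("unsupported subject attribute(s): %s"
                         % ", ".join(sorted(unknown)))
    missing = REQUIRED_TYPES - types
    if missing:
        raise ValueError("subject must contain: %s" % ", ".join(sorted(missing)))
    return rdns


if __name__ == "__main__":
    print(validate_subject("e=mail,cn=Something,O=REALM.NAME"))
```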
