[Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases
frasertweedale
freeipa-github-notification at redhat.com
Thu Nov 17 05:15:17 UTC 2016
URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases
frasertweedale commented:
"""
@martbab
Semantics:
0. *Subject principal* is looked up by the `--principal` option, via the `{PRINCIPAL_TYPE}_show` command. If you think this should be extended to allow `--principal` to use an alias, I am cool with that.
1. For host and service principals, CN must match[dns] (described below) a principal alias.
2. For host and service principals, SAN dnsNames must match[dns] a principal alias, **or** match an alternative principal.
3. For all principals, SAN KRB5PrincipalName and UPN values must match[exact] a principal alias.
**match[dns]**: iterate principal aliases. Matches if: alias has same realm as `--principal` **and** alias has same service name as `--principal` **and** alias hostname equals (case insensitively) the SAN dnsName value. (If we generalise `--principal` to search all aliases then I would recommend restricting the search to principals with same realm and service name as the `krbcanonicalname` of the returned principal).
-----
w.r.t. the test failure, I cannot reproduce it with this patch rebased on latest master.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-261157548
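The matching rules in the comment above, as an added example that models them in Python; this is not FreeIPA's own code and is not the implementation in PR #227. The principal syntax (`service/host@REALM`, `user@REALM`) is standard Kerberos; the `directory` mapping of canonical principal to aliases, the `check_request` helper and the sample data are constructed for illustration. Whether the requester is authorised to use an "alternative principal" for rule 2 is out of scope here and is not checked.

```python
# Added example, not FreeIPA code: a model of match[dns] / match[exact] and
# rules 1-3 from the comment.  The directory of aliases below is sample data.
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    service: Optional[str]  # None for user principals (no '/' component)
    instance: str           # hostname for host/service principals, username otherwise
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'service/instance@REALM' or 'user@REALM' into its components."""
    primary, sep, realm = name.rpartition("@")
    if not sep or not primary or not realm:
        raise ValueError(f"not a Kerberos principal: {name!r}")
    if "/" in primary:
        service, instance = primary.split("/", 1)
        return Principal(service, instance, realm)
    return Principal(None, primary, realm)


def match_dns(requested: str, aliases: List[str], dnsname: str) -> bool:
    """match[dns]: some alias has the same realm and service name as `requested`
    (the --principal value) and its hostname equals dnsname, case-insensitively."""
    want = parse_principal(requested)
    if want.service is None:
        return False  # only host/service principals carry a hostname
    for alias in aliases:
        p = parse_principal(alias)
        if (p.service == want.service and p.realm == want.realm
                and p.instance.lower() == dnsname.lower()):
            return True
    return False


def match_exact(aliases: List[str], value: str) -> bool:
    """match[exact]: a KRB5PrincipalName/UPN value must equal an alias verbatim."""
    return value in aliases


def check_request(requested: str, directory: Dict[str, List[str]], cn: str,
                  san_dns: List[str], san_principals: List[str]) -> List[str]:
    """Apply rules 1-3.  `directory` maps each canonical principal to its aliases
    (including itself); `requested` must be one of its keys.  Returns the list of
    violations; an empty list means every name in the request is acceptable."""
    aliases = directory[requested]
    problems: List[str] = []
    if parse_principal(requested).service is not None:
        # Rule 1: CN must match[dns] an alias of the subject principal.
        if not match_dns(requested, aliases, cn):
            problems.append(f"CN {cn!r} does not match a principal alias")
        # Rule 2: each dnsName must match[dns] the subject, or an alternative principal.
        for name in san_dns:
            if match_dns(requested, aliases, name):
                continue
            if any(match_dns(other, other_aliases, name)
                   for other, other_aliases in directory.items() if other != requested):
                continue  # assumption: authorisation for the other principal is checked elsewhere
            problems.append(f"SAN dnsName {name!r} matches no principal")
    # Rule 3 (all principals): KRB5PrincipalName / UPN values must match[exact].
    for value in san_principals:
        if not match_exact(aliases, value):
            problems.append(f"SAN principal {value!r} is not an exact alias")
    return problems


# Constructed sample directory: canonical principal -> aliases.
DIRECTORY: Dict[str, List[str]] = {
    "HTTP/web.example.test@EXAMPLE.TEST": [
        "HTTP/web.example.test@EXAMPLE.TEST",
        "HTTP/www.example.test@EXAMPLE.TEST",
        "ldap/dir.example.test@EXAMPLE.TEST",  # different service: must not satisfy match[dns]
    ],
    "HTTP/other.example.test@EXAMPLE.TEST": ["HTTP/other.example.test@EXAMPLE.TEST"],
    "alice@EXAMPLE.TEST": ["alice@EXAMPLE.TEST", "alice@example.test"],
}

if __name__ == "__main__":
    web = "HTTP/web.example.test@EXAMPLE.TEST"
    print(check_request(web, DIRECTORY, cn="web.example.test",
                        san_dns=["WWW.Example.Test", "other.example.test"],
                        san_principals=[web]))
    print(check_request(web, DIRECTORY, cn="dir.example.test",
                        san_dns=["dir.example.test"],
                        san_principals=["http/web.example.test@EXAMPLE.TEST"]))
```

The `ldap/dir.example.test` alias illustrates why the service-name check matters: `dir.example.test` is a hostname the subject entry knows about, but only under a different service, so neither the CN nor a dnsName may use it. The lower-cased `http/...` KRB5PrincipalName fails because rule 3 is an exact comparison, unlike the case-insensitive hostname comparison of match[dns].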