[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

frasertweedale freeipa-github-notification at redhat.com
Tue Nov 29 05:08:21 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

frasertweedale commented:
"""
@tomaskrizek

1. The SAN DN is permitted if it matches the IPA principal's full DN in LDAP.  The _certificate_ subject DN need not match the LDAP DN.  In fact, by the current behaviour of `ipa cert-request` it cannot, because we expect to see the user name in the CN in the CSR subject DN, whereas in LDAP we use `uid=alice,cn=users,...`.  So it is not duplicate info - it names the subject's LDAP DN.

2. In this patch, DirectoryName SAN is accepted for all principal types (as long as it matches their LDAP DN).  Existing rules for other SAN name types are not changed (e.g., DNSName is still allowed only for host and service principals).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263477676
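The acceptance rule the comment describes (a DirectoryName SAN is allowed for any principal type only when it equals the principal's LDAP DN, while DNSName stays restricted to host and service principals) can be modelled as a small policy check. The following is an added example written for this archive page, not FreeIPA's own code: the `Principal` type, the `san_allowed` and `csr_sans_allowed` functions, the simplified DN parser (no escaped commas or multi-valued RDNs) and the sample DNs are all constructed here for illustration, and SAN name types the comment does not mention are simply rejected as a stand-in for the unchanged existing rules.

```python
"""Added example (not FreeIPA code): model the SAN acceptance rule from the PR comment."""
from dataclasses import dataclass
from typing import Iterable, Tuple


def parse_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Parse an RFC 4514-style DN string into a normalized tuple of (type, value) RDNs.

    Simplification (assumption for this example): commas inside values are not
    escaped and every RDN is single-valued, so a plain split on ',' is enough.
    Attribute types are case-insensitive, and values are compared
    case-insensitively after trimming surrounding whitespace.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def dn_equal(a: str, b: str) -> bool:
    """True when two DN strings name the same entry under the normalization above."""
    return parse_dn(a) == parse_dn(b)


@dataclass(frozen=True)
class Principal:
    """Constructed stand-in for an IPA principal: its kind and its LDAP entry DN."""
    kind: str      # "user", "host" or "service"
    ldap_dn: str   # full DN of the principal's LDAP entry


def san_allowed(name_type: str, value: str, principal: Principal) -> bool:
    """Decide whether one SAN general name is acceptable for the given principal.

    - directoryName: allowed for every principal kind, but only if it matches
      the principal's LDAP DN exactly (after normalization).
    - dNSName: allowed only for host and service principals (the existing rule
      the comment says is unchanged).
    - anything else: rejected here as a placeholder for the other existing
      rules, which this example does not model.
    """
    if name_type == "directoryName":
        return dn_equal(value, principal.ldap_dn)
    if name_type == "dNSName":
        return principal.kind in ("host", "service")
    return False


def csr_sans_allowed(sans: Iterable[Tuple[str, str]], principal: Principal) -> bool:
    """A request passes only if every SAN entry is individually allowed."""
    return all(san_allowed(t, v, principal) for t, v in sans)


if __name__ == "__main__":
    # Constructed sample data: a user principal whose LDAP DN differs from the
    # CN-based subject DN the CSR would carry.
    alice = Principal("user", "uid=alice,cn=users,cn=accounts,dc=example,dc=com")
    ok = csr_sans_allowed(
        [("directoryName", "UID=alice, CN=users, CN=accounts, DC=example, DC=com")], alice)
    print("directoryName matching LDAP DN accepted for user:", ok)
    print("dNSName for user rejected:",
          not san_allowed("dNSName", "web.example.com", alice))
```

Note that the DirectoryName check compares against the principal's LDAP DN, not the CSR subject DN; a SAN carrying the subject-style `cn=alice` DN would be rejected, which is the point the comment makes about the two DNs not being duplicate information.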
