<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 09/12/2014 02:43 PM, Michael
      Lasevich wrote:<br>
    </div>
    <blockquote
cite="mid:CAAFs98UfaBzfL6J2zmywibCY7VUYntNG2H8Kf6ykx_0rc00Bvg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>That is awesome, but I am clearly missing some insight
              as to how this is supposed to work. Can you point me to
              some more specific info on how to accomplish this?<br>
              <br>
            </div>
            I tried using the ipa-getcert request with multiple -D's
            from the client, but got:<br>
            <br>
            ** Insufficient access: You need to be a member of the
            serviceadmin role to add services <br>
            <br>
            Unless I am missing something, I should probably not add
            each host to "serviceadmins" for security reasons.<br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    4.0 has a new permissions system; this might yet be another use
    case that we have overlooked.<br>
    I will leave it to the developers to review this situation on Monday
    morning.<br>
    <br>
    <blockquote
cite="mid:CAAFs98UfaBzfL6J2zmywibCY7VUYntNG2H8Kf6ykx_0rc00Bvg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div><br>
            So I then tried generating a CSR via openssl with SANs on
            the client and then adding it using "ipa cert-request
            file.csr --principal host/${client_hostname}@DOMAIN" from
            the ipa server as admin (just to be sure) and got this error
            (where &lt;ALIAS&gt; is the first SAN):<br>
            <br>
            ** ipa: ERROR: The service principal for subject alt name
            &lt;ALIAS&gt; in certificate request does not exist<br>
            <br>
          </div>
          It sounds like I need to create a service principal for each
          SAN, but I can't seem to figure out how to do it (it only allows
          me to create service principals for existing hosts)<br>
          <br>
        </div>
        <div>Any help or pointers would be greatly appreciated<br>
          <br>
        </div>
        <div>-M<br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Sep 12, 2014 at 4:12 AM, Dmitri
          Pal <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span class="">
                <div>On 09/11/2014 09:25 PM, Michael Lasevich wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div>
                        <div>If I remember correctly, you could not use
                          SAN (Subject Alternate Names) for certificates
                          in FreeIPA 3.0 - is this still the case with
                          4?<br>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </span><a moz-do-not-send="true"
                href="https://fedorahosted.org/freeipa/ticket/3977"
                target="_blank">https://fedorahosted.org/freeipa/ticket/3977</a>
              < 4.0 is able.<span class=""><br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div>
                        <div><br>
                        </div>
                        I have hosts that automatically receive two
                        hostnames, a long proper name (like
                        "service-i-12345678") and a simpler cname based
                        on an index for ease of access (like
                        "service-1"); however, since the OS hostname is the
                        "proper" one, certs would typically be issued to
                        that name. I want my users to be able to hit it
                        via the simpler "index" names. Is that currently
                        possible (esp. given that the cnames are actually
                        in a different DNS domain)?<br>
                        <br>
                      </div>
                      Thanks,<br>
                      <br>
                    </div>
                    -M<br>
                  </div>
                  <br>
                  <br>
                </blockquote>
                <br>
                <br>
              </span><span class="HOEnZb"><font color="#888888">
                  <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
                </font></span></div>
            <br>
            --<br>
            Manage your subscription for the Freeipa-users mailing list:<br>
            <a moz-do-not-send="true"
              href="https://www.redhat.com/mailman/listinfo/freeipa-users"
              target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
            Go To <a moz-do-not-send="true" href="http://freeipa.org"
              target="_blank">http://freeipa.org</a> for more info on
            the project<br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
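    <p>The procedure the thread circles around (an openssl CSR carrying SAN
    dNSNames, submitted with "ipa cert-request", which is refused until IPA
    knows a principal for every SAN), written out as an added example; this
    is not code from the thread or from the FreeIPA project. It assumes a
    FreeIPA 4.x client with the ipa and openssl CLIs, and it assumes (my
    reading of FreeIPA, not something the thread states) that a SAN is
    accepted when a host entry for that name exists and the requesting host
    is listed in that entry's managedby. That delegation is the
    least-privilege alternative to the "add every host to serviceadmins"
    route the original poster wanted to avoid. Realm, hostnames and the
    output directory are placeholders.</p>

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Assumes: FreeIPA 4.x, the ipa and openssl CLIs, and that each SAN
# dNSName must have a host entry whose managedby includes the requester.

# Build an openssl req config: primary name in the CN, primary plus every
# alias as DNS entries in subjectAltName. Pure text, usable offline.
san_req_config() {
  primary="$1"; shift
  printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n\n'
  printf '[dn]\nCN = %s\n\n[ext]\nsubjectAltName = @alt\n\n[alt]\n' "$primary"
  i=1
  for name in "$primary" "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$name"
    i=$((i + 1))
  done
}

# List the host principals IPA will look for: one host/<name>@REALM per
# SAN dNSName. Useful to check what must exist before submitting.
san_principals() {
  realm="$1"; shift
  for name in "$@"; do
    printf 'host/%s@%s\n' "$name" "$realm"
  done
}

# Full flow, run by an admin who may create host entries:
#   issue_san_cert REALM PRIMARY_FQDN ALIAS_FQDN...
issue_san_cert() {
  realm="$1"; primary="$2"; shift 2
  out="${OUT:-$PWD}"
  umask 077                      # private key must not be world-readable
  san_req_config "$primary" "$@" > "$out/$primary.cnf"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$out/$primary.key" -out "$out/$primary.csr" \
    -config "$out/$primary.cnf"
  for alias in "$@"; do
    # --force: the alias lives in another DNS zone, so skip IPA's DNS check.
    ipa host-show "$alias" >/dev/null 2>&1 || ipa host-add --force "$alias"
    # Delegate the alias entry to the real host instead of granting the
    # host a broad role; the host can then renew via ipa-getcert itself.
    ipa host-add-managedby "$alias" --hosts="$primary"
  done
  ipa cert-request "$out/$primary.csr" --principal "host/$primary@$realm"
}

# Only run the IPA flow when invoked with arguments; sourcing the file
# just defines the functions.
if [ "$#" -ge 2 ]; then
  issue_san_cert "$@"
fi
```

    <p>Usage: <code>sh issue_san_cert.sh EXAMPLE.TEST service-i-12345678.example.test service-1.alias.test</code>.
    Once the managedby delegation is in place, the host itself can request
    and renew with <code>ipa-getcert request -D service-1.alias.test ...</code>
    without holding any service-administration role.</p>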
  </body>
</html>