URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: [WIP] Refactoring cert-find to use API call directly instead of 

martbab commented:
Remember that you have to use 'exact=False' in the filter to perform substring 
search for krbPrincipalName given the fact that (except for services) the 
principal is constructed from primary key by appending realm (and prepending 
`host/` in the case of hosts). This, however, opens a range of possibilities 
for new bugs to creep in (considering 'tuser' is the owner but we have 'tuser1' 
and 'tuser2' in LDAP, what will your search filter return?).

That's why I think this is not the correct solution given we currently reference 
owners by primary keys and not by principals (krbPrincipalName != primary key 
in most cases except services without krbCanonicalName attribute). I am more 
inclined to @HonzaCholasta's solution as it seems cleaner to me. An alternative 
is to report principals as cert owners, which will break API, however.
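
The over-match the comment asks about, shown as an added example that is not part of the PR or of FreeIPA's code: a small in-memory model of exact and substring matching on krbPrincipalName. The entries, the realm `EXAMPLE.TEST` and all function names are constructed for illustration, and the substring case assumes that `exact=False` produces a `*value*` style filter.

```python
REALM = "EXAMPLE.TEST"  # placeholder realm, constructed for this example

# Constructed entries: (primary key, krbPrincipalName values).
# Users get pkey@REALM; the host gets host/pkey@REALM, as the comment describes.
ENTRIES = [
    ("tuser", ["tuser@EXAMPLE.TEST"]),
    ("tuser1", ["tuser1@EXAMPLE.TEST"]),
    ("tuser2", ["tuser2@EXAMPLE.TEST"]),
    ("tuser.example.test", ["host/tuser.example.test@EXAMPLE.TEST"]),
]


def search(needle, exact):
    """Return primary keys of entries whose krbPrincipalName matches.

    exact=True  models the filter (krbPrincipalName=needle)
    exact=False models the filter (krbPrincipalName=*needle*)
    """
    def matches(value):
        return value == needle if exact else needle in value

    return [pkey for pkey, principals in ENTRIES
            if any(matches(p) for p in principals)]


def owners_by_substring(pkey):
    """Owner lookup using only the primary key as a substring."""
    return search(pkey, exact=False)


def owners_by_principal(pkey, prefix=""):
    """Owner lookup using the full principal built from the primary key."""
    return search(f"{prefix}{pkey}@{REALM}", exact=True)


def unintended_matches(pkey, prefix=""):
    """Entries the substring search returns beyond the intended owner."""
    intended = set(owners_by_principal(pkey, prefix))
    return [k for k in owners_by_substring(pkey) if k not in intended]


if __name__ == "__main__":
    print("substring :", owners_by_substring("tuser"))
    print("exact     :", owners_by_principal("tuser"))
    print("unintended:", unintended_matches("tuser"))
```

A regression test for an owner search can use the same shape: create owners whose keys share a prefix and assert that the lookup for one returns only that one.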

FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org