Title: #812: [WIP] Refactoring cert-find to use API call directly instead of
Remember that you have to use 'exact=False' in the filter to perform substring
search for krbPrincipalName given the fact that (except for services) the
principal is constructed from primary key by appending realm (and prepending
`host/` in the case of hosts). This, however, opens a range of possibilities
for new bugs to creep in (considering 'tuser' is the owner but we have 'tuser1'
and 'tuser2' in LDAP, what will your search filter return?).
That's why I think this is not the correct solution given we currently reference
owners by primary keys and not by principals (krbPrincipalName != primary key
in most cases except services without krbCanonicalName attribute). I am more
inclined to @HonzaCholasta's solution as it seems cleaner to me. An alternative
is to report principals as cert owners, which will break the API, however.
See the full comment at
FreeIPA-devel mailing list -- email@example.com
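The collision the comment asks about, as an added example that is not part of the original message or FreeIPA's own code: a minimal LDAP-style substring matcher run over constructed entries, assuming the substring search ends up as a filter of the form `(krbPrincipalName=*tuser*)`. The realm, the entries and all helper names are hypothetical, and matching is done case-sensitively for simplicity.

```python
# Constructed sample data: primary key -> krbPrincipalName values.
# EXAMPLE.TEST is a placeholder realm, not taken from the thread.
REALM = "EXAMPLE.TEST"
ENTRIES = {
    "tuser": ["tuser@" + REALM],
    "tuser1": ["tuser1@" + REALM],
    "tuser2": ["tuser2@" + REALM],
    "atuser": ["atuser@" + REALM],
    "client.example.test": ["host/client.example.test@" + REALM],
}


def substring_match(pattern, value):
    """Evaluate an LDAP-style substring assertion ('*' is the wildcard)."""
    parts = pattern.split("*")
    if len(parts) == 1:          # no wildcard: plain equality match
        return value == pattern
    initial, middle, final = parts[0], parts[1:-1], parts[-1]
    if not value.startswith(initial):
        return False
    pos = len(initial)
    for piece in middle:         # 'any' components must appear in order
        idx = value.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return value.endswith(final) and len(value) - len(final) >= pos


def search(pattern):
    """Return primary keys of entries with a matching krbPrincipalName."""
    return sorted(
        pkey for pkey, principals in ENTRIES.items()
        if any(substring_match(pattern, p) for p in principals)
    )


def owners_substring(pkey):
    # Assumed shape of a non-exact search: wildcards on both sides.
    return search("*" + pkey + "*")


def owners_exact(pkey, prefix=""):
    # Build the full principal from the primary key, then match exactly.
    return search(prefix + pkey + "@" + REALM)


if __name__ == "__main__":
    print("substring:", owners_substring("tuser"))
    print("exact:    ", owners_exact("tuser"))
    print("host:     ", owners_exact("client.example.test", prefix="host/"))
```
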