On 01/09/2014 12:26 AM, Simo Sorce wrote:
> On Thu, 2013-12-05 at 14:37 +0100, Jan Cholasta wrote:
>> Hi,
>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/3977>.
> See the additional comments on 3977, I think this patch should be NACKed
> with extreme prejudice if it allows setting arbitrary subjectAltNames.
> Simo.

It does not allow them - SANs are being authorized by using the managedBy
attribute on the SAN-ed host/service (i.e. host-add-managedby/service-add-host).

But you are right that the authorization part should not be taken lightly and
should be verified before we allow SANs in the default profile. I added a comment
in the Trac as well.
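To make the authorization rule discussed above concrete, here is a small model of it, added for this thread: it is not FreeIPA's code and does not use its API. It assumes a directory where each host entry carries a managedBy set of FQDNs (the relationship that host-add-managedby records), that the requesting principal is identified by its host FQDN, and that the request's SANs arrive as (type, value) pairs; the directory contents and host names are constructed for the example. The check fails closed: a dNSName with no host entry, a host not managed by the requestor, or any non-DNS SAN type is denied.

```python
"""Model of authorizing certificate-request SANs against a managedBy
attribute.  Written as an illustration for this thread; it is not FreeIPA's
implementation, and the directory below is constructed sample data."""

from typing import Dict, Iterable, List, Set, Tuple

# Constructed LDAP-like directory: host FQDN -> FQDNs listed in its managedBy.
# (Assumption: this mirrors what `ipa host-add-managedby` would record.)
DIRECTORY: Dict[str, Set[str]] = {
    "web1.example.test": {"web1.example.test"},
    "www.example.test": {"web1.example.test", "web2.example.test"},
    "db1.example.test": {"db1.example.test"},
}


class SanDenied(Exception):
    """Raised when at least one requested SAN is not authorized."""


def authorize_dns_sans(requestor_fqdn: str,
                       sans: Iterable[Tuple[str, str]],
                       directory: Dict[str, Set[str]] = DIRECTORY) -> List[str]:
    """Return the authorized dNSName values, or raise SanDenied listing
    every SAN that failed.  Rules (fail closed):
      * only dNSName SANs are considered; any other SAN type is denied,
        since there is no managedBy relationship to check it against;
      * a SAN naming the requestor itself is always allowed;
      * every other dNSName must map to an existing host entry whose
        managedBy contains the requestor's FQDN.
    """
    requestor = requestor_fqdn.rstrip(".").lower()
    allowed: List[str] = []
    denied: List[str] = []
    for san_type, value in sans:
        if san_type != "dNSName":
            denied.append(f"{san_type}:{value} (unsupported SAN type)")
            continue
        name = value.rstrip(".").lower()
        if name == requestor:
            allowed.append(name)
            continue
        managers = directory.get(name)
        if managers is None:
            # No host entry: nobody can vouch for this name, so deny it.
            denied.append(f"dNSName:{value} (no host entry)")
        elif requestor not in {m.rstrip(".").lower() for m in managers}:
            denied.append(f"dNSName:{value} (not managed by {requestor})")
        else:
            allowed.append(name)
    if denied:
        raise SanDenied("; ".join(denied))
    return allowed


def check(requestor_fqdn: str,
          sans: Iterable[Tuple[str, str]],
          directory: Dict[str, Set[str]] = DIRECTORY):
    """Convenience wrapper: (True, allowed_names) or (False, reason)."""
    try:
        return True, authorize_dns_sans(requestor_fqdn, sans, directory)
    except SanDenied as exc:
        return False, str(exc)


if __name__ == "__main__":
    # web1 manages www, so a www SAN on web1's request is authorized.
    print(check("web1.example.test", [("dNSName", "www.example.test")]))
    # db1 does not manage www: denied.
    print(check("db1.example.test", [("dNSName", "www.example.test")]))
    # Unknown host entry: denied, never silently allowed.
    print(check("web1.example.test", [("dNSName", "attacker.example.test")]))
    # Non-DNS SAN type: denied.
    print(check("web1.example.test", [("rfc822Name", "admin@example.test")]))
```

The point the model makes is the one raised in the thread: the SAN is not accepted because the requestor asked for it, but because the directory entry for that name lists the requestor as a manager, and anything the directory cannot vouch for is rejected.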


