On 01/09/2014 12:26 AM, Simo Sorce wrote:
> On Thu, 2013-12-05 at 14:37 +0100, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/3977>.
>
> See the additional comments on 3977, I think this patch should be NACKed
> with extreme prejudice if it allows setting arbitrary subjectAltNames.
>
> Simo.
>
It does not allow them - SANs are being authorized by using the managedBy attribute on the SAN-ed host/service (i.e. host-add-managedby/service-add-host commands). But you are right that the authorization part should not be taken lightly and should be verified before we allow SANs in default profile. I added a comment in the Trac as well.

Martin