On Sun, Aug 09, 2015 at 08:03:47PM +1000, Fraser Tweedale wrote: > The attached patch fixes a bug in KRB5PrincipalName / UPN SAN > validation. > > Thanks, > Fraser
For testing this, the following `openssl req' config will serve as a starting point; customise the names / realm as appropriate. [ req ] prompt = no encrypt_key = no distinguished_name = dn req_extensions = exts [ dn ] commonName = "alice" [ exts ] subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:krb5principal [ krb5principal ] realm = EXPLICIT:0,GeneralString:IPA.LOCAL principalname = EXPLICIT:1,SEQUENCE:principalname [ principalname ] nametype = EXPLICIT:0,INT:0 namestring = EXPLICIT:1,SEQUENCE:namestring [ namestring ] part1 = GeneralString:alice -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code