Jan Orel wrote:
>> Agreed. The corresponding checks for certificate issuance via
>> cert-request, where the bind principal is a host, check that the
>> subject host (and SAN dNSNames) is "managed by" the bind host.
>> This is checked via `ldap.can_write(dn_of_subject_principal)'.
>> 1. retrieve cert
>> 2. read CN
>> 3. ensure CN refers to a known host principal
>> and call ldap.can_write(...) to ensure bind principal
>> manages it.
> Thanks for the feedback. Attaching new patch.
The restriction was there so that hosts had limited visibility. This
applies that limitation to all users. I think the host check needs to be
Also, every host is not guaranteed to have a krbPrincipalAux (it can be
unenrolled). I assume you used this to cover managed services as well,
that's why the broad search base?
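The cert-request host check described in the quoted message, written out as an added example (not FreeIPA's own code): it assumes the subject CN and SAN dNSNames have already been extracted from the certificate, models LDAP with a constructed in-memory directory, and uses a stand-in for `ldap.can_write`; the hostnames, DNs and realm are all made up. It also covers the unenrolled-host case raised above (an entry without krbPrincipalAux).

```python
# Added example, not FreeIPA's code: the cert-request host check from the
# quoted message, applied to the subject CN and every SAN dNSName. Assumes the
# names are already extracted from the certificate; LDAP is a constructed
# in-memory directory with a stand-in for ldap.can_write(). All names are made up.
REALM = "EXAMPLE.TEST"

def dn_for(fqdn):
    return f"fqdn={fqdn},cn=computers,cn=accounts,dc=example,dc=test"

# Constructed host entries. krbPrincipalName is present only for enrolled hosts
# (those with the krbPrincipalAux objectclass); old1 has been unenrolled.
DIRECTORY = {
    "web1.example.test": {"dn": dn_for("web1.example.test"),
                          "krbPrincipalName": f"host/web1.example.test@{REALM}",
                          "managedBy": ["web1.example.test", "ipa1.example.test"]},
    "db1.example.test": {"dn": dn_for("db1.example.test"),
                         "krbPrincipalName": f"host/db1.example.test@{REALM}",
                         "managedBy": ["db1.example.test", "ipa2.example.test"]},
    "old1.example.test": {"dn": dn_for("old1.example.test"),
                          "managedBy": ["old1.example.test", "ipa1.example.test"]},
}

def can_write(bind_principal, dn):
    # Stand-in for ldap.can_write(): a bind host may write an entry only if
    # it is listed in that entry's managedBy.
    bind_fqdn = bind_principal.split("/", 1)[1].split("@", 1)[0]
    entry = next(e for e in DIRECTORY.values() if e["dn"] == dn)
    return bind_fqdn in entry["managedBy"]

def normalize(name):
    # DNS names are case-insensitive and a trailing dot is the same name.
    return name.strip().rstrip(".").lower()

def check_cert_hosts(bind_principal, subject_cn, san_dnsnames, directory, can_write_fn):
    """Return (allowed, reason). Every hostname in the cert must be a known,
    enrolled host that the bind host manages; the first failure is reported."""
    if not bind_principal.startswith("host/"):
        return False, "bind principal is not a host principal"
    names = {normalize(n) for n in [subject_cn, *san_dnsnames] if n}
    if not names:
        return False, "certificate contains no hostname"
    for fqdn in sorted(names):
        entry = directory.get(fqdn)
        if entry is None:
            return False, f"{fqdn}: not a known host"
        if "krbPrincipalName" not in entry:
            return False, f"{fqdn}: host is not enrolled (no krbPrincipalAux)"
        if not can_write_fn(bind_principal, entry["dn"]):
            return False, f"{fqdn}: not managed by {bind_principal}"
    return True, "all certificate hostnames are managed by the bind host"
```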
Manage your subscription for the Freeipa-devel mailing list: