Jan Orel wrote:
>> Agreed.  The corresponding checks for certificate issuance via
>> cert-request, where the bind principal is a host, check that the
>> subject host (and SAN dNSNames) is "managed by" the bind host.
>> This is checked via `ldap.can_write(dn_of_subject_principal)'.
>>
>> 1. retrieve cert
>> 2. read CN
>> 3. ensure CN refers to a known host principal
>>    and call ldap.can_write(...) to ensure bind principal
>>    manages it.
>>
> 
> Thanks for the feedback. Attaching new patch.
> 

The restriction was there so that hosts had limited visibility. This
applies that limitation to all users. I think the host check needs to be
re-added.

Also, not every host is guaranteed to have a krbPrincipalAux (it can be
unenrolled). I assume you used this to cover managed services as well;
is that why the broad search base?

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
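The three-step check quoted at the top of the thread (read the CN, make sure it names a known host principal, then confirm via `ldap.can_write(...)` that the bind host manages it), written out as an added example. This is not FreeIPA's own code and is not the patch under discussion: the in-memory `FakeDirectory`, its entry layout, the `can_write()` rule (a host may write its own entry and any host entry whose managedBy lists it), the realm and the host names are all constructed for illustration. It also covers the two points raised in the reply: a bind principal that is not a host is refused outright, and a host entry without krbPrincipalAux (an unenrolled host) is refused even when it is otherwise managed by the binder.

```python
"""Host-manages-host authorization for cert-request, as an added example.

Not FreeIPA's own code. It models the check quoted in the thread: take the
subject CN and SAN dNSNames, resolve each to a known, enrolled host, then
require that the bind principal (a host) can write that host's entry. The
directory is a constructed in-memory stand-in for LDAP; the can_write() rule
and the entry layout are assumptions made for illustration.
"""
from dataclasses import dataclass, field

REALM = "EXAMPLE.TEST"                      # constructed realm
BASE = "cn=computers,cn=accounts,dc=example,dc=test"   # constructed host container


@dataclass
class HostEntry:
    fqdn: str
    enrolled: bool = True                   # False: no krbPrincipalAux on the entry
    managed_by: set = field(default_factory=set)   # FQDNs of managing hosts

    @property
    def dn(self) -> str:
        return f"fqdn={self.fqdn},{BASE}"

    @property
    def krbprincipalname(self):
        # An unenrolled host entry carries no krbPrincipalAux, hence no principal.
        return f"host/{self.fqdn}@{REALM}" if self.enrolled else None


class FakeDirectory:
    """Minimal stand-in for the LDAP connection a server plugin would use."""

    def __init__(self, hosts):
        self._by_fqdn = {h.fqdn.lower(): h for h in hosts}
        self._by_dn = {h.dn: h for h in hosts}

    def host_by_fqdn(self, fqdn):
        return self._by_fqdn.get(fqdn.lower().rstrip("."))

    def can_write(self, bind_principal, dn):
        """Assumed ACI behaviour: a host may write its own entry and the
        entries of hosts that list it in managedBy. Users are out of scope."""
        target = self._by_dn.get(dn)
        bind_fqdn = host_principal_fqdn(bind_principal)
        if target is None or bind_fqdn is None:
            return False
        return bind_fqdn == target.fqdn or bind_fqdn in target.managed_by


def host_principal_fqdn(principal):
    """Return the FQDN of a host/<fqdn>@REALM principal, or None for anything else."""
    if not principal.startswith("host/") or "@" not in principal:
        return None
    return principal[len("host/"):].rsplit("@", 1)[0].lower()


def check_host_cert_request(directory, bind_principal, subject_cn, san_dnsnames=()):
    """Steps 2-3 of the quoted procedure for a host bind principal.

    The certificate has already been parsed; subject_cn and san_dnsnames are
    the names extracted from it. Returns (allowed, reason).
    """
    if host_principal_fqdn(bind_principal) is None:
        return False, "bind principal is not a host principal"
    for name in [subject_cn, *san_dnsnames]:
        entry = directory.host_by_fqdn(name)
        if entry is None:
            return False, f"{name}: not a known host"
        if entry.krbprincipalname is None:
            return False, f"{name}: host has no krbPrincipalAux (not enrolled)"
        if not directory.can_write(bind_principal, entry.dn):
            return False, f"{name}: not managed by {bind_principal}"
    return True, "ok"


def demo_directory():
    """Constructed sample data: one managing host, two web hosts, one unenrolled host."""
    return FakeDirectory([
        HostEntry("mgmt.example.test"),
        HostEntry("web1.example.test", managed_by={"mgmt.example.test"}),
        HostEntry("web2.example.test"),
        HostEntry("old.example.test", enrolled=False, managed_by={"mgmt.example.test"}),
    ])


if __name__ == "__main__":
    d = demo_directory()
    mgmt = f"host/mgmt.example.test@{REALM}"
    print(check_host_cert_request(d, mgmt, "web1.example.test", ["web1.example.test"]))
    print(check_host_cert_request(d, mgmt, "web1.example.test", ["web2.example.test"]))
    print(check_host_cert_request(d, mgmt, "old.example.test"))
    print(check_host_cert_request(d, f"admin@{REALM}", "web1.example.test"))
```

Every name in the request is checked, not just the CN: a SAN dNSName for a host the binder does not manage fails the whole request, which is the property the quoted check relies on.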