Jan Orel wrote:
>> Agreed.  The corresponding checks for certificate issuance via
>> cert-request, where the bind principal is a host, check that the
>> subject host (and SAN dNSNames) is "managed by" the bind host.
>> This is checked via `ldap.can_write(dn_of_subject_principal)'.
>> 1. retrieve cert
>> 2. read CN
>> 3. ensure CN refers to a known host principal
>>    and call ldap.can_write(...) to ensure bind principal
>>    manages it.
> Thanks for the feedback. Attaching new patch.

The restriction was there so that hosts had limited visibility. This
applies that limitation to all users. I think the host check needs to be

Also, every host is not guaranteed to have a krbPrincipalAux (it can be
unenrolled). I assume you used this to cover managed services as well,
that's why the broad search base?


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to