> The restriction was there so that hosts had limited visibility. This
> applies that limitation to all users. I think the host check needs to be
> re-added.

I am confused, correct me if I am wrong, but the "if hostname:" check
seems always redundant because it would raise an exception before,
either here:

    if not bind_principal.startswith('host/'):
        raise acierr

or in validate_principal()

> Also, every host is not guaranteed to have a krbPrincipalAux (it can be
> unenrolled). I assume you used this to cover managed services as well,
> that's why the broad search base?

Checking it, even a host which is not enrolled has objectClass: krbprincipalaux,
but advise me if a different search should be used.

thanks, jan
