> The restriction was there so that hosts had limited visibility. This
> applies that limitation to all users. I think the host check needs to be
I am confused, correct me if I am wrong, but the "if hostname:" check
seems always redundant because it would raise an exception before
    if not bind_principal.startswith('host/'):
        raise acierr
or in validate_principal()
> Also, every host is not guaranteed to have a krbPrincipalAux (it can be
> unenrolled). I assume you used this to cover managed services as well,
> that's why the broad search base?
Checking it, even a host which is not enrolled has objectClass: krbprincipalaux,
but advise me if a different search should be used.