URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases
martbab commented: """ Also, the current execution flow of the command is very confusing (retrieving objects based on intended principal types etc.). As a part of the ticket I was planning to do a sneaky refactoring of the flow which IMHO should look like this:
1.) you search entries by krbprincipalname extracted from the 'principal' option (or from the bind principal)
2.) If not found, you error out that such an entry could not be found
3.) due to syntax overrides in ipaldap, all returned principals will be converted to Principal objects so *after you retrieve the entry and ensure that it exists* you can test whether it is a service, user, etc.
4.) for values in SAN, you check whether the value is already contained in the entry's principals (as you do in this PR). If the principal is not there, you can try to retrieve the entry from LDAP and either error out if not found, or check CA ACLs against it when present.
5.) if all is OK, forward the request to the RA backend and issue the certificate.
Do you think that this would extend the scope of the ticket too much? If yes, I can open a separate ticket for this cleanup and do it on top of your work. """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-260324953
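The five-step flow above, as an added example in Python that is not FreeIPA code: the in-memory DIRECTORY, the Principal and Entry types, find_entry and the CA_ACL_ALLOWED set are constructed stand-ins for ipaldap and the CA ACL check, and the principal names are made up. It shows why a SAN that is an alias of the requested entry needs no further check, while a SAN naming another existing entry is gated by the CA ACL and an unknown SAN is rejected.

```python
from dataclasses import dataclass

class NotFound(Exception):
    """Requested or SAN principal has no directory entry (step 2 / step 4)."""

class ACIError(Exception):
    """CA ACLs do not permit issuing a cert carrying this SAN principal."""

@dataclass(frozen=True)
class Principal:
    """Hypothetical stand-in for the Principal objects ipaldap returns."""
    name: str

    @property
    def kind(self):
        primary = self.name.split("@", 1)[0]
        return "service" if "/" in primary else "user"

@dataclass(frozen=True)
class Entry:
    dn: str
    principals: frozenset  # krbprincipalname values, aliases included

# Constructed directory: a web service with an alias, and two other services.
DIRECTORY = [
    Entry("krbprincipalname=HTTP/web.example.test,cn=services",
          frozenset({"HTTP/web.example.test@EXAMPLE.TEST",
                     "HTTP/www.example.test@EXAMPLE.TEST"})),
    Entry("krbprincipalname=ldap/ds.example.test,cn=services",
          frozenset({"ldap/ds.example.test@EXAMPLE.TEST"})),
    Entry("krbprincipalname=cifs/fs.example.test,cn=services",
          frozenset({"cifs/fs.example.test@EXAMPLE.TEST"})),
]
# Constructed CA ACL: SAN principals a requester may include from other entries.
CA_ACL_ALLOWED = {"ldap/ds.example.test@EXAMPLE.TEST"}

def find_entry(principal_name):
    """Step 1: search by krbprincipalname; any alias of the entry matches."""
    return next((e for e in DIRECTORY if principal_name in e.principals), None)

def cert_request(principal_name, san_principals):
    entry = find_entry(principal_name)
    if entry is None:                      # step 2: no such entry
        raise NotFound(principal_name)
    kind = Principal(principal_name).kind  # step 3: type known only after lookup
    for san in san_principals:             # step 4: validate every SAN value
        if san in entry.principals:
            continue                       # alias of the requested principal
        if find_entry(san) is None:
            raise NotFound(san)
        if san not in CA_ACL_ALLOWED:
            raise ACIError(san)
    return {"principal": principal_name, "kind": kind, "san": list(san_principals)}  # step 5
```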
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
