URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

martbab commented:
Also, the current execution flow of the command is very confusing (retrieving 
objects based on intended principal types etc.). As a part of the ticket I was 
planning to do a sneaky refactoring of the flow which IMHO should look like 

1.) you search entries by krbprincipalname extracted from 'principal' option 
(or from bind principal)

2.) If not found, you error out that such an entry could not be found

3.) due to syntax overrides in ipaldap, all returned principals will be 
converted to Principal objects so *after you retrieve the entry and ensure that 
it exists* you can test whether it is service, user, etc.

4.) for values in SAN, you check whether the value is already contained in the 
entry's principals (as you do in this PR). If the principal is not there, you 
can try to retrieve the entry from ldap and either error out if not found, or 
check CA ACLs against it when present.

5.) if all is OK, forward the request to RA backend and issue the certificate.

Do you think that this would extend the scope of the ticket too much? If yes, I 
can open a separate ticket for this cleanup and do it on top of your work.
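The five-step flow sketched in the comment above, as an added Python illustration that is not FreeIPA's code: DIRECTORY, CA_ACLS, the profile name and every principal name are constructed stand-ins, the entry type is derived from the principal string instead of ipaldap's Principal objects, and the CA ACL check on the subject principal itself is an assumption not listed in the steps.

```python
# Added illustration of the proposed flow, not FreeIPA code: DIRECTORY and
# CA_ACLS are constructed stand-ins for LDAP entries and the caacl plugin.
class CertRequestError(Exception): pass
class NotFound(CertRequestError): pass
class ACLDenied(CertRequestError): pass
# Constructed: primary krbprincipalname -> every principal name on the entry
DIRECTORY = {
    "HTTP/web.example.test@EXAMPLE.TEST": {
        "HTTP/web.example.test@EXAMPLE.TEST",
        "HTTP/alias.example.test@EXAMPLE.TEST",  # principal alias
    },
    "HTTP/other.example.test@EXAMPLE.TEST": {"HTTP/other.example.test@EXAMPLE.TEST"},
    "alice@EXAMPLE.TEST": {"alice@EXAMPLE.TEST"},
}
# Constructed: profile -> principals the CA ACLs allow to use it
CA_ACLS = {"caIPAserviceCert": {"HTTP/web.example.test@EXAMPLE.TEST",
                                "HTTP/other.example.test@EXAMPLE.TEST"}}
def find_entry(principal):
    """Steps 1-2: search by any krbprincipalname value, error if no entry."""
    for primary, names in DIRECTORY.items():
        if principal in names:
            return primary, names
    raise NotFound(principal)

def principal_kind(primary):
    """Step 3: classify only after the entry is known to exist."""
    return "service" if "/" in primary.split("@", 1)[0] else "user"

def check_caacl(primary, profile):
    if primary not in CA_ACLS.get(profile, set()):
        raise ACLDenied(primary)

def cert_request(principal, san_principals, profile):
    """Steps 1-5: vet the subject and every SAN principal before issuance."""
    primary, names = find_entry(principal)
    kind = principal_kind(primary)
    check_caacl(primary, profile)  # assumed: the subject itself needs an ACL too
    for san in san_principals:
        if san in names:
            continue  # Step 4: alias of the same entry, nothing more to check
        san_primary, _ = find_entry(san)  # another entry: it must exist ...
        check_caacl(san_primary, profile)  # ... and the CA ACLs must permit it
    return {"principal": primary, "kind": kind, "san": list(san_principals)}

def outcome(principal, san_principals, profile):
    """Step 5 as a string: 'issued:<kind>' or '<Error>:<principal>' if refused."""
    try:
        return "issued:" + cert_request(principal, san_principals, profile)["kind"]
    except CertRequestError as e:
        return type(e).__name__ + ":" + str(e)
```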
