Title: #227: cert-request: match names against principal aliases
Also, the current execution flow of the command is very confusing (retrieving
objects based on intended principal types etc.). As a part of the ticket I was
planning to do a sneaky refactoring of the flow which IMHO should look like
1.) you search entries by krbprincipalname extracted from 'principal' option
(or from bind principal)
2.) If not found, you error out that such entry could not be found
3.) due to syntax overrides in ipaldap, all returned principals will be
converted to Principal objects so *after you retrieve the entry and ensure that
it exists* you can test whether it is service, user, etc.
4.) for values in SAN, you check whether the value is already contained in the
entry's principals (as you do in this PR). If the principal is not there, you
can try to retrieve the entry from ldap and either error out if not found, or
check CA ACLs against it when present.
5.) if all is OK, forward the request to RA backend and issue the certificate.
Do you think that this would extend the scope of the ticket too much? If yes, I
can open a separate ticket for this cleanup and do it on top of your work.
See the full comment at
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
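To make the five-step flow proposed in the comment concrete, here is an added, self-contained Python sketch of it; it is not FreeIPA code and none of the names in it (the `Principal` stand-in, `find_entry`, `caacl_allows`, `validate_cert_request`, the in-memory `DIRECTORY` and `CAACLS` tables) are FreeIPA's own API. The directory contents, DNs and CA ACL rules are constructed for the illustration. It shows the order that matters for a request validator: resolve the requested principal first and fail closed if it does not exist, treat the entry's own aliases as free, and send every other SAN through an existence check and then a CA ACL check before anything is forwarded to the RA.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class EntryNotFound(Exception):
    """Step 2: no directory entry carries the requested principal."""


class CAACLDenied(Exception):
    """Step 4: the bind principal may not request a cert for that name."""


@dataclass(frozen=True)
class Principal:
    """Hypothetical stand-in for the Principal objects that ipaldap's syntax
    overrides return; frozen so it can be compared and put in sets."""
    components: Tuple[str, ...]
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, _, realm = text.rpartition("@")
        if not name or not realm:
            raise ValueError("principal must be name@REALM: %r" % text)
        return cls(tuple(name.split("/")), realm)

    @property
    def is_user(self) -> bool:
        return len(self.components) == 1

    @property
    def hostname(self) -> Optional[str]:
        return self.components[1] if len(self.components) == 2 else None

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


# Constructed in-memory stand-in for the LDAP tree (DNs are placeholders).
# Values are strings, as stored in LDAP; find_entry converts them (step 3).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "dn=web1-service": {"krbprincipalname": [
        "HTTP/web1.example.test@EXAMPLE.TEST",
        "HTTP/www.example.test@EXAMPLE.TEST"]},   # principal alias
    "dn=web2-service": {"krbprincipalname": ["HTTP/web2.example.test@EXAMPLE.TEST"]},
    "dn=web1-host": {"krbprincipalname": ["host/web1.example.test@EXAMPLE.TEST"]},
    "dn=alice-user": {"krbprincipalname": ["alice@EXAMPLE.TEST"]},
}

# Constructed CA ACL policy (not FreeIPA's caacl schema):
# (profile, requestor) -> hostnames the requestor may obtain certs for.
CAACLS: Dict[Tuple[str, str], set] = {
    ("caIPAserviceCert", "host/web1.example.test@EXAMPLE.TEST"): {"web2.example.test"},
}


def find_entry(principal: Principal, directory=DIRECTORY):
    """Steps 1-3: locate the entry holding `principal`; every
    krbprincipalname value comes back converted to a Principal object."""
    for dn, raw in directory.items():
        principals = [Principal.parse(p) for p in raw["krbprincipalname"]]
        if principal in principals:
            return dn, {"krbprincipalname": principals}
    raise EntryNotFound("no entry with principal %s" % principal)


def caacl_allows(requestor: Principal, target: Principal, profile: str) -> bool:
    """Step 4b: a requestor may request for its own hostname (host/web1 for
    HTTP/web1); any other target needs an explicit ACL entry."""
    if requestor.hostname is not None and requestor.hostname == target.hostname:
        return True
    return target.hostname in CAACLS.get((profile, str(requestor)), set())


def validate_cert_request(bind_principal: str, san_dns_names, profile: str,
                          principal: Optional[str] = None, directory=DIRECTORY) -> dict:
    """Run the five-step flow; return what would go to the RA (step 5)."""
    requestor = Principal.parse(bind_principal)
    subject = Principal.parse(principal) if principal else requestor   # step 1
    dn, entry = find_entry(subject, directory)                         # step 2
    if subject.is_user and san_dns_names:                              # step 3
        raise ValueError("user principals carry no dNSName SANs")
    known = set(entry["krbprincipalname"])
    for dns_name in san_dns_names:                                     # step 4
        candidate = Principal((subject.components[0], dns_name), subject.realm)
        if candidate in known:
            continue                       # alias of the subject's own entry
        find_entry(candidate, directory)   # raises EntryNotFound
        if not caacl_allows(requestor, candidate, profile):
            raise CAACLDenied("%s may not request %s" % (requestor, candidate))
    return {"dn": dn, "subject": str(subject), "san": list(san_dns_names),
            "profile": profile}


def request_outcome(**kwargs) -> str:
    """Summarise validate_cert_request's result as a single word."""
    try:
        validate_cert_request(**kwargs)
        return "forwarded"
    except (EntryNotFound, CAACLDenied, ValueError) as exc:
        return type(exc).__name__
```

Calling `validate_cert_request("host/web1.example.test@EXAMPLE.TEST", ["www.example.test"], "caIPAserviceCert", principal="HTTP/web1.example.test@EXAMPLE.TEST")` succeeds without any ACL lookup because `www.example.test` is an alias in the same entry, whereas a SAN for `web2.example.test` is only accepted because the constructed ACL grants it, and a SAN for a hostname with no entry at all fails at the existence check before CA ACLs are consulted.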