URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases
frasertweedale commented:
"""
@martbab
Semantics:
0. *Subject principal* is looked up by `--principal` option, via
`{PRINCIPAL_TYPE}_show` command. If you think this should be extended to allow
`--principal` to use an alias, I am cool with that.
1. For host and service principals, CN must match[dns] (described below) a
principal alias.
2. For host and service principals, SAN dnsNames must match[dns] a principal
alias, **or** match an alternative principal.
3. For all principals, SAN KRB5PrincipalName and UPN values must match[exact] a
principal alias.
**match[dns]**: iterate principal aliases. Matches if: alias has same realm as
`--principal` **and** alias has same service name as `--principal` **and**
alias hostname equals (case insensitively) the SAN dnsName value. (If we
generalise `--principal` to search all aliases then I would recommend
restricting the search to principals with same realm and service name as the
`krbcanonicalname` of the returned principal).
-----
w.r.t. test failure, I cannot reproduce with this patch rebased on latest
master.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/227#issuecomment-261157548
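The match[dns] and match[exact] rules from the comment above, worked through as an added Python example that is not part of this PR or of FreeIPA's own code; the `service/hostname@REALM` principal format, the helper names, the `alternatives` parameter shape and the sample values are assumptions for illustration.

```python
# Added example, not FreeIPA code: models rules 1-3 and the match[dns] /
# match[exact] definitions from the comment. Principal format is assumed.
from typing import Iterable, List, NamedTuple, Sequence, Tuple

class Principal(NamedTuple):
    service: str   # "HTTP", "host", ...
    hostname: str  # "www.example.com"
    realm: str     # "EXAMPLE.COM"

def parse_principal(name: str) -> Principal:
    """Split 'service/hostname@REALM' (assumed format) into its parts."""
    svc_host, sep, realm = name.rpartition("@")
    service, slash, hostname = svc_host.partition("/")
    if not sep or not slash:
        raise ValueError(f"not a host/service principal: {name!r}")
    return Principal(service, hostname, realm)

def match_dns(aliases: Iterable[str], subject: str, dnsname: str) -> bool:
    """match[dns]: some alias has the subject's realm and service name and a
    hostname equal (case-insensitively) to the DNS name."""
    subj = parse_principal(subject)
    return any(
        a.realm == subj.realm and a.service == subj.service
        and a.hostname.lower() == dnsname.lower()
        for a in map(parse_principal, aliases)
    )

def match_exact(aliases: Iterable[str], value: str) -> bool:
    """match[exact]: KRB5PrincipalName / UPN values must equal an alias verbatim."""
    return value in set(aliases)

def check_request(subject: str, aliases: Sequence[str], cn: str,
                  san_dnsnames: Sequence[str], san_principals: Sequence[str],
                  alternatives: Sequence[Tuple[str, Sequence[str]]] = ()) -> List[str]:
    """Apply rules 1-3 to one request for a host/service principal.
    `alternatives` holds (canonical name, aliases) of alternative principals the
    request may also name (assumption: their aliases are matched against their
    own canonical name). Returns a list of problems; empty means the request
    passes the name checks."""
    problems = []
    if not match_dns(aliases, subject, cn):                        # rule 1
        problems.append(f"CN {cn!r} matches no alias of {subject}")
    for dns in san_dnsnames:                                       # rule 2
        if not (match_dns(aliases, subject, dns) or
                any(match_dns(al, canon, dns) for canon, al in alternatives)):
            problems.append(f"SAN dnsName {dns!r} matches no principal")
    for p in san_principals:                                       # rule 3
        if not match_exact(aliases, p):
            problems.append(f"SAN principal {p!r} is not an alias of {subject}")
    return problems
```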