URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

frasertweedale commented:
0. *Subject principal* is looked up by `--principal` option, via 
`{PRINCIPAL_TYPE}_show` command.  If you think this should be extended to allow 
`--principal` to use an alias, I am cool with that.
1. For host and service principals, CN must match[dns] (described below) a 
principal alias.
2. For host and service principals, SAN dnsNames must match[dns] a principal 
alias, **or** match an alternative principal.
3. For all principals, SAN KRB5PrincipalName and UPN values must match[exact] a 
principal alias.

**match[dns]**: iterate principal aliases.  Matches if: alias has same realm as 
`--principal` **and** alias has same service name as `--principal` **and** 
alias hostname equals (case insensitively) the SAN dnsName value.  (If we 
generalise `--principal` to search all aliases then I would recommend 
restricting the search to principals with same realm and service name as the 
`krbcanonicalname` of the returned principal).
w.r.t. test failure, I cannot reproduce with this patch rebased on latest 

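The match[dns] and match[exact] rules from the comment above, written out as an added Python example that is not FreeIPA's own code: the principal strings, the sample aliases and the `check_request` helper are constructed for illustration, and the "match an alternative principal" branch of rule 2 is not modelled.

```python
from typing import NamedTuple

class Principal(NamedTuple):
    service: str
    hostname: str
    realm: str

def parse_principal(name: str) -> Principal:
    """Parse 'service/hostname@REALM' (host principals use service 'host')."""
    primary, _, realm = name.rpartition("@")
    service, _, hostname = primary.partition("/")
    if not (service and hostname and realm):
        raise ValueError(f"not a host/service principal: {name!r}")
    return Principal(service, hostname, realm)

def match_dns(subject: str, aliases, dns_name: str) -> bool:
    """match[dns]: an alias shares realm and service with the subject
    principal and its hostname equals dns_name case-insensitively."""
    subj = parse_principal(subject)
    for alias in aliases:
        a = parse_principal(alias)
        if (a.realm == subj.realm and a.service == subj.service
                and a.hostname.lower() == dns_name.lower()):
            return True
    return False

def match_exact(aliases, value: str) -> bool:
    """match[exact]: KRB5PrincipalName / UPN values must equal an alias verbatim."""
    return value in set(aliases)

# Constructed sample: a service principal with one extra alias (not real data)
SUBJECT = "HTTP/web.example.test@EXAMPLE.TEST"
ALIASES = [SUBJECT, "HTTP/www.example.test@EXAMPLE.TEST"]

def check_request(subject, aliases, cn, dns_names, krb_names):
    """Apply rules 1-3 (hypothetical helper); return rejection reasons."""
    problems = []
    if not match_dns(subject, aliases, cn):
        problems.append(f"CN {cn!r} matches no alias")
    for d in dns_names:
        if not match_dns(subject, aliases, d):
            problems.append(f"dnsName {d!r} matches no alias")
    for k in krb_names:
        if not match_exact(aliases, k):
            problems.append(f"principal name {k!r} is not an alias")
    return problems
```

Note that a different service (`ldap/` vs `HTTP/`) or a different realm on an otherwise matching hostname is rejected, which is the point of tying the search to the subject principal's realm and service name.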