URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases
frasertweedale commented:
"""
@martbab Semantics:

0. *Subject principal* is looked up by `--principal` option, via `{PRINCIPAL_TYPE}_show` command. If you think this should be extended to allow `--principal` to use an alias, I am cool with that.
1. For host and service principals, CN must match[dns] (described below) a principal alias.
2. For host and service principals, SAN dnsNames must match[dns] a principal alias, **or** match an alternative principal.
3. For all principals, SAN KRB5PrincipalName and UPN values must match[exact] a principal alias.

**match[dns]**: iterate principal aliases. Matches if: alias has same realm as `--principal` **and** alias has same service name as `--principal` **and** alias hostname equals (case insensitively) the SAN dnsName value.

(If we generalise `--principal` to search all aliases then I would recommend restricting the search to principals with same realm and service name as the `krbcanonicalname` of the returned principal).

-----

w.r.t. test failure, I cannot reproduce with this patch rebased on latest master.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-261157548
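
The match[dns] rule from the comment above, as an added Python example that is not part of the original comment and is not FreeIPA's code. The principal parser is simplified (no Kerberos escaping), the function names and sample principals are constructed, and the "alternative principal" branch of rule 2 is not modelled.

```python
def split_principal(name):
    """Split 'service/host@REALM' into (service, host, realm).

    Simplified, assumed parser: no Kerberos escaping. Single-component
    names such as 'alice@REALM' yield (None, None, realm).
    """
    body, at, realm = name.rpartition("@")
    if not at or not body or not realm:
        raise ValueError("principal must include a realm: %r" % name)
    service, slash, host = body.partition("/")
    if not slash:
        return None, None, realm
    return service, host, realm


def match_dns(subject, aliases, dns_name):
    """match[dns]: some alias shares realm and service name with the
    subject principal and its hostname equals dns_name, ignoring case."""
    subj_service, _, subj_realm = split_principal(subject)
    for alias in aliases:
        service, host, realm = split_principal(alias)
        if host is None:
            continue  # no hostname component, cannot match a dnsName
        if (realm == subj_realm and service == subj_service
                and host.lower() == dns_name.lower()):
            return True
    return False


def unmatched_dns_names(subject, aliases, dns_names):
    """Return the CN / SAN dnsName values that fail match[dns]."""
    return [n for n in dns_names if not match_dns(subject, aliases, n)]


# Constructed sample data (not taken from the pull request).
SUBJECT = "HTTP/web1.example.test@EXAMPLE.TEST"
ALIASES = [
    "HTTP/web1.example.test@EXAMPLE.TEST",
    "HTTP/www.example.test@EXAMPLE.TEST",
    "ldap/dir.example.test@EXAMPLE.TEST",   # same host style, other service
    "HTTP/other.example.test@OTHER.TEST",   # same service, other realm
    "websvc@EXAMPLE.TEST",                  # alias without a hostname
]

if __name__ == "__main__":
    requested = ["WWW.Example.Test", "dir.example.test", "other.example.test"]
    print(unmatched_dns_names(SUBJECT, ALIASES, requested))
```
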