URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

frasertweedale commented:
"""
@tomaskrizek 

1. The SAN DN is permitted if it matches the IPA principal's full DN in LDAP.  
The _certificate_ subject DN need not match the LDAP DN.  In fact, by the 
current behaviour of `ipa cert-request` it cannot, because we expect to see the 
user name in the CN in the CSR subject DN, whereas in LDAP we use 
`uid=alice,cn=users,...`.  So it is not duplicate info - it names the subject's 
LDAP DN. 

2. In this patch, DirectoryName SAN is accepted for all principal types (as 
long as it matches their LDAP DN).  Existing rules for other SAN name types are 
not changed (e.g., DNSName is still allowed only for host and service 
principals).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/228#issuecomment-263477676
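As an added illustration of the rule stated in points 1 and 2 above (this is example code, not FreeIPA's implementation): the directoryName SAN is permitted only when it equals the principal's full LDAP DN, while the CSR's own subject DN (e.g. `CN=alice`) is not compared against anything here. It assumes both DNs arrive as RFC 4514 strings and that attribute types and values are compared case-insensitively, as for the caseIgnore attribute types in an IPA DN.

```python
# Added example, not FreeIPA's own code: a directoryName SAN is permitted only
# when it equals the principal's full LDAP DN.  DNs are RFC 4514 strings.
import re

def _join(buf):
    """Join (char, escaped) pairs, dropping only unescaped edge spaces."""
    while buf and buf[0] == (" ", False):
        buf.pop(0)
    while buf and buf[-1] == (" ", False):
        buf.pop()
    return "".join(ch for ch, _ in buf)

def parse_dn(dn):
    """RFC 4514 string -> list of RDNs, each a sorted tuple of (type, value),
    lower-cased for caseIgnore matching; handles backslash and hex escapes and
    multi-valued RDNs (sorting makes 'a=1+b=2' equal 'b=2+a=1')."""
    rdns, rdn, buf, attr, i = [], [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":                       # escape: \XX hex pair or \<char>
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append((chr(int(hexpair, 16)), True)); i += 3
            elif i + 1 < len(dn):
                buf.append((dn[i + 1], True)); i += 2
            else:
                raise ValueError("dangling escape in %r" % dn)
            continue
        if c == "=" and attr is None:       # end of attribute type
            attr, buf = _join(buf).lower(), []
        elif c in ",+":                     # end of value (and maybe of RDN)
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdn.append((attr, _join(buf).lower()))
            attr, buf = None, []
            if c == ",":
                rdns.append(tuple(sorted(rdn))); rdn = []
        else:
            buf.append((c, False))
        i += 1
    if attr is None:
        raise ValueError("malformed DN %r" % dn)
    rdn.append((attr, _join(buf).lower()))
    rdns.append(tuple(sorted(rdn)))
    return rdns

def san_directory_name_allowed(san_dn, principal_ldap_dn):
    """True iff the directoryName SAN names the principal's own LDAP entry."""
    return parse_dn(san_dn) == parse_dn(principal_ldap_dn)
```

A subject-style DN such as `cn=alice,cn=users,cn=accounts,dc=example,dc=com` is rejected by this check because the LDAP entry is `uid=alice,...`, which is exactly the distinction point 1 draws.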
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
