URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

frasertweedale commented:

1. The SAN DN is permitted if it matches the IPA principal's full DN in LDAP.  
The _certificate_ subject DN need not match the LDAP DN.  In fact, by the 
current behaviour of `ipa cert-request` it cannot, because we expect to see the 
user name in the CN in the CSR subject DN, whereas in LDAP we use 
`uid=alice,cn=users,...`.  So it is not duplicate info - it names the subject's 

2. In this patch, DirectoryName SAN is accepted for all principal types (as 
long as it matches their LDAP DN).  Existing rules for other SAN name types are 
not changed (e.g., DNSName is still allowed only for host and service 

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to