URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

jcholast commented:
@frasertweedale, if the subject DN need not match the LDAP DN, then DN SANs 
need not match it as well - both the subject DN and DN SANs are supposed to 
identify the subject in the directory, and for us the directory is LDAP. There 
should be no special casing one way or the other, if something is allowed for 
the subject DN it must be allowed for DN SANs and vice-versa (with the 
exception of the special handling of the most specific CN in subject DN of 
server certificates). The fact that we currently require a non-LDAP subject DN 
in `cert-request` is a different issue. All I'm asking for is consistency. If 
we first allowed the subject DN to match the LDAP DN I would be perfectly happy 
with this PR.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to