Issue #5191: cert-request rejects request with correct krb5PrincipalName SAN - freeipa

freeipa

#5191 cert-request rejects request with correct krb5PrincipalName SAN

Closed: Fixed None Opened 8 years ago by ftweedal.

cert-request checks krb5PrincipalName SAN OtherName for match
against the target principal to whom the certificate is being
issued, however, it fails when it should not.

For example, for principal alice in domain IPA.LOCAL, if the
principal is specified on the command line as `alice', the
command fails with message:

ftweedal% ipa cert-request alice-k5pn.req --principal alice
ipa: ERROR: Insufficient access: Principal 'alice@IPA.LOCAL' in subject alt name does not match requested principal

ftweedal commented 8 years ago

attachment
freeipa-ftweedal-0036-Fix-KRB5PrincipalName-UPN-SAN-comparison.patch

mbasti commented 8 years ago

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1252517

mbasti commented 8 years ago

master:

ba7e5df Fix KRB5PrincipalName / UPN SAN comparison

ipa-4-2:

58cf1cd Fix KRB5PrincipalName / UPN SAN comparison

Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago

Metadata

Assignee

ftweedal

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 4.2.1

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Certificate management

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

mbabinsk

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1252517

tester

None

changelog

None

design

None

freeipa

Source Code

#5191 cert-request rejects request with correct krb5PrincipalName SAN Closed: Fixed None Opened 8 years ago by ftweedal.

Metadata

#5191 cert-request rejects request with correct krb5PrincipalName SAN

Closed: Fixed None Opened 8 years ago by ftweedal.